Replace Greenkeeper with Dependabot #16

gr2m · 2020-05-19T18:05:52Z

As Greenkeeper is phasing out and migrating its users to Snyk, we decided to migrate to Dependabot, which has been acquired by GitHub about a year ago and is increasingly becoming a built-in GitHub feature.

There are some trade-offs unfortunately:

Dependabot has been created with a focus on apps, not libraries. By default, Dependabot sends updates for all dependency updates, including updates that are within the range of what's defined in package.json's "dependencies" and "devDependencies". This is causing a lot of noise. Luckily, the new v2 configuration option versioning-strategy: "increase-if-necessary" makes Depedendabot send pull requests for out-of-range updates only
One of my favorite features of Greenkeeper is live monitoring of in-range dependency updates. It creates a branch, which triggers the CI but does not create any notifications. If CI passes, the branch is deleted again. But if it fails, Greenkeeper creates an issues, so the maintainers can pin the version of the affected dependency, in order to prevent sudden breaking changes for its dependands. See https://greenkeeper.io/docs.html#greenkeeper-step-by-step

I've talked to @feelepxyz who kindly enabled the v2 configuration on @octokit. I will add the following configuration to all Octokit JS-related repositories:

version: 2
updates:
  # create PRs for out-of-range updates
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    versioning-strategy: "increase-if-necessary"

Todos:

Uninstall Greenkeeper app
Update in this repository
- Add badge to repository
- Add .github/dependabot.yml configuration
- lib/create-readme.js
- .github/workflows/test.yml
- lib/create-test-action.js
- create-octokit-project.js
Update all other repositories in @octokit

Check if README.md includes Greenkeeper badge. If it doesn't, ignore repository
Create pull request
- set "maintenance" label
- Remove Greenkeeper badge
- .github/workflows/update-prettier.yml files:
```
-- "greenkeeper/prettier-*"
+- "dependabot/npm_and_yarn/prettier-*"
```
- .github/workflows/test.yml files:
```
-- "greenkeeper/**"
```
- Create .github/dependabot.yml with the configuration above

The text was updated successfully, but these errors were encountered:

gr2m · 2020-05-19T19:22:59Z

Hmm turns out that Dependabot is sending PRs for all updates even with the versioning-strategy: "increase-if-necessary", but it only updates the lock file. I don't see how I'd be able to enable Dependabot with that setting, it's too much noise both for me and for (potential) contributors who watch the Octokit repositories :/

gr2m · 2020-05-19T22:10:03Z

I'll go ahead and migrate anyway, just to see how much noise it will be. Maybe it will help to make a case to the Dependabot team to introduce features that would lower the noise for library maintainers :)

I'll use this setting now

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
    - "maintenance"

gr2m · 2020-05-20T00:28:20Z

All done, getting ready for the flood. For reference, here is the script I used to create all the PRs:
https://github.com/gr2m/migrate-greenkeeper-to-dependabot-cli

gr2m added the Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR label May 19, 2020

gr2m self-assigned this May 19, 2020

gr2m closed this as completed May 25, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replace Greenkeeper with Dependabot #16

Replace Greenkeeper with Dependabot #16

gr2m commented May 19, 2020 •

edited

Loading

gr2m commented May 19, 2020

gr2m commented May 19, 2020

gr2m commented May 20, 2020

Replace Greenkeeper with Dependabot #16

Replace Greenkeeper with Dependabot #16

Comments

gr2m commented May 19, 2020 • edited Loading

gr2m commented May 19, 2020

gr2m commented May 19, 2020

gr2m commented May 20, 2020

gr2m commented May 19, 2020 •

edited

Loading