Chore: [AEA-0000] - Dependabot cooldown #2909
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
This PR introduces a Dependabot update “cooldown” setting and adds an automated GitHub Actions workflow to periodically update the devcontainer version.
Changes:
- Add a new scheduled workflow to update the repository devcontainer version via a reusable workflow.
- Add `cooldown: default-days: 3` to all configured Dependabot ecosystems (pip, GitHub Actions, npm).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/update_dev_container_version.yml | Adds a scheduled/manual workflow that calls a reusable workflow to update the devcontainer version. |
| .github/dependabot.yml | Adds a 3-day cooldown configuration to each Dependabot update entry. |
| cooldown: | ||
| default-days: 3 |
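Review bot: The `cooldown:` block in this hunk sets only `default-days: 3` and has no comment saying why three days was chosen or what the delay is meant to protect against. Add a one-line YAML comment above `cooldown:` recording the rationale, and note there that the delay applies to version updates, not Dependabot security updates, so readers do not assume patches for known vulnerabilities are being held back. If major releases should wait longer than patch releases, the per-level keys (`semver-major-days`, `semver-minor-days`, `semver-patch-days`) can express that where the ecosystem supports them.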
cooldown / default-days is not part of the standard Dependabot v2 configuration keys (keys are validated by GitHub). If this field isn't supported in your GitHub org/instance, it will cause Dependabot to reject the entire config and stop creating update PRs. Please verify support for cooldown or replace with an officially supported mechanism (e.g., adjust schedule, use groups, or rely on open-pull-requests-limit).
| cooldown: | ||
| default-days: 3 |
cooldown / default-days is not part of the standard Dependabot v2 configuration keys (keys are validated by GitHub). If this field isn't supported in your GitHub org/instance, it will cause Dependabot to reject the entire config and stop creating update PRs. Please verify support for cooldown or replace with an officially supported mechanism (e.g., adjust schedule, use groups, or rely on open-pull-requests-limit).
| cooldown: | ||
| default-days: 3 |
cooldown / default-days is not part of the standard Dependabot v2 configuration keys (keys are validated by GitHub). If this field isn't supported in your GitHub org/instance, it will cause Dependabot to reject the entire config and stop creating update PRs. Please verify support for cooldown or replace with an officially supported mechanism (e.g., adjust schedule, use groups, or rely on open-pull-requests-limit).
| name: Update Devcontainer Version | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: "0 18 * * 4" | ||
|
|
||
| jobs: | ||
| update_devcontainer_version: | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/update-dev-container-version.yml@d2a4595b1bfa59f04c7cecb080a126321d42a333 |
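Review bot: The `uses:` line at the end of this hunk pins the reusable workflow to a full commit SHA but has no trailing comment naming the tag or release that SHA corresponds to, so a reviewer cannot tell which version is running without looking the commit up. Add the version as a comment after the SHA so later bumps are auditable at a glance. The `cron: "0 18 * * 4"` entry is evaluated in UTC; a short comment stating the intended day and time would remove any doubt about when the scheduled run fires.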
The PR description/title focuses on Dependabot cooldown, but this PR also introduces a new scheduled workflow for updating the devcontainer version. Please either update the PR description to include this scope, or split the workflow addition into a separate PR so the change is easier to review and audit.
| contents: read | ||
| packages: read | ||
| pull-requests: write |
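Review bot: `contents: read` next to `pull-requests: write` needs checking against what the called workflow does. A reusable workflow cannot be granted more than the caller's permissions, and opening an update PR with the default `GITHUB_TOKEN` normally means pushing a branch first, which requires `contents: write`. Confirm that the reusable workflow pushes with a different credential; if it does, say so in a comment above `permissions:`, and if it does not, the scheduled run will fail at the push step until `contents` is raised.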
The permissions keys are indented more deeply than the rest of the job fields, which is inconsistent with other workflows in this repo (e.g. .github/workflows/pull_request.yml). Please align the indentation to the standard 2-space steps under permissions: to keep YAML formatting consistent and avoid future merge/lint issues.
| contents: read | |
| packages: read | |
| pull-requests: write | |
| contents: read | |
| packages: read | |
| pull-requests: write |