You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently dependency update configuration is handled at the repository level using Dependabot configuration. This means that:
Dependency update tooling isn't enforced across all repositories in the sigstore organisation
Dependency update tools are recommended by OSSF scorecard1
There's a lot of manual effort going on to update dependencies that Dependabot doesn't handle
For example this commit updating versions in helm charts can be done by Renovate. Our own helm-charts2 are maintained this way.
I'm suggesting an organization-level configuration3 for Renovate, with repository level configuration overrides where required. It can evolve and grow over time to better fit the needs of sigstore maintainers, but a simple example might look like:
`sigstore/.github/default.json`
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"description": "Default preset for use with sigstore's repositories",
"extends": ["config:base"]
}
In this repository, with renovate.json files in each individual repository that refer back to the organization-level configuration like so:
Description
Currently dependency update configuration is handled at the repository level using Dependabot configuration. This means that:
Dependency update tooling isn't enforced across all repositories in the sigstore organisation
Dependency update tools are recommended by OSSF scorecard1
There's a lot of manual effort going on to update dependencies that Dependabot doesn't handle
For example this commit updating versions in helm charts can be done by Renovate. Our own helm-charts2 are maintained this way.
I'm suggesting an organization-level configuration3 for Renovate, with repository level configuration overrides where required. It can evolve and grow over time to better fit the needs of sigstore maintainers, but a simple example might look like:
`sigstore/.github/default.json`
In this repository, with
renovate.json
files in each individual repository that refer back to the organization-level configuration like so:`sigstore/.github/default.json`
I am happy to implement this, and narrow down a config that fits your existing workflow, if this would be a welcome contribution 😅
References
Repos that currently have Dependabot configured
Footnotes
https://github.com/ossf/scorecard/blob/38be00c31f4f078120219ec3aaa76560835199fb/docs/checks.md?plain=1#L293-L295 ↩
https://github.com/renovatebot/helm-charts/commit/d7505047211d5c20d7c73e4bf5cb0361c92bd615 ↩
https://docs.renovatebot.com/config-presets/#organization-level-presets ↩
The text was updated successfully, but these errors were encountered: