Security updates should automatically apply to release-3.4 and release-3.5
#13014
Comments
isubasinghe
added
type/feature
agilgur5
added
type/security
agilgur5
changed the title
release-3.4 and release-3.5
|
Sounds like a subissue of #12592. Afaik, dependabot doesn't run on other branches, so this would be largely the same as what we discussed in #12592, automatically cherry-picking into currently supported branches.
Due to that, there can still be a merge conflict on cherry-picking / backporting, especially with deps, so this may never be fully automated either.
Since dependabot is only doing security updates now after #12487, we could detect these. Otherwise, we do have to manually do some updates (as they're major bumps or require code changes etc), and there isn't necessarily a good way to detect those other than the labels (which have to be manually added) |
|
I didn't know that dependabot doesn't run on other branches, that is a shame to hear. I do have a dirty ugly hack for this, I can create two forks of workflows and each set the default branch to be release-3.4 and release-3.5. This way there should be automatic updates to those forks. I feel like I deserve some abuse for this proposal hahaha, it is such a hack but should keep us going. |
|
One can ask dependendabot to run on branches.... but it only does security PRs on the main one. |
ofc classic dependabot limitations... 🙃 |
Summary
As the title states, security updates should immediately be available in release channels.
Use Cases
It is difficult to individually perform releases and currently is a manual process, which also is to say that it is error prone, humans may accidentally miss out on critical security fixes when rolling a new release. While the end goal would be some kind of full automation to the release process, we could setup the security updates from dependabot to be automated.
The text was updated successfully, but these errors were encountered: