Supply default config to reduce daily PR noise
Some third-party libraries widely used at the Guardian automatically
publish a new release every single day, often without obvious security
benefit. Currently we don't _automatically_ merge the resulting daily
Scala Steward PR, and so these low-value changes consume a lot of dev
attention. In general, we can accept a lower update cadence for these
dependencies. Some individual Guardian repos have already introduced
.scala-steward.conf config files to configure that cadence (see eg
guardian/ophan#4598), but to reduce
duplication of effort, it would be good to have this lower cadence
applied by default everywhere.

This update should configure our GitHub Action so that it will apply
the default lower-cadence config to _all_ repos it runs on, rather than
making devs individually configure it on every repo they work on.

The file location `.github/.scala-steward.conf` is the default value for
the `repo-config` configuration input on the Scala Steward GitHub Action:

https://github.com/scala-steward-org/scala-steward-action#configuration

The feature of allowing the Scala Steward GitHub Action to have a default
for repo config was first introduced with
scala-steward-org/scala-steward-action#292;
the name of the configuration input was later switched from
`default-repo-conf` to `repo-config` with
scala-steward-org/scala-steward-action#324.
rtyley committed Jul 15, 2022
1 parent 95af6b4 commit 8757063
Showing 2 changed files with 20 additions and 2 deletions.
14 changes: 14 additions & 0 deletions .github/.scala-steward.conf
@@ -0,0 +1,14 @@
# Only include dependencies which automatically release updates as frequently
# as daily, without those dependencies having meaningful security value. With our
# current process, the daily update PRs generated by Scala Steward for those
# new releases consume more dev attention than they're worth!
dependencyOverrides = [
{
dependency = { groupId = "software.amazon.awssdk" },
pullRequests = { frequency = "30 day" }
},
{
dependency = { groupId = "com.google.apis" },
pullRequests = { frequency = "30 day" }
}
]
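Review bot: the header comment says these groups have no "meaningful security value", but the override only lowers the cadence to `frequency = "30 day"` rather than ignoring them, so a release in one of these groups that does carry a security fix (the commit message says "often without obvious security benefit", not never) could wait up to a month before a PR is raised. Suggest the comment state that trade-off so future readers don't take this for a filter, e.g. `# Updates for these groups are rate-limited to one PR per 30 days; a security-relevant release in between needs a manual bump.` Also, `# Only include dependencies which automatically release updates as frequently` reads as if it describes what the config does; `# Only list here dependencies which ...` makes it clear it is an instruction to whoever edits this file.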
8 changes: 6 additions & 2 deletions README.md
@@ -10,13 +10,17 @@ https://github.com/guardian/scala-steward-private-repos - note that we pay for
the GitHub Action minutes for scanning running from that repo, because it's private, but it
at least will keep your security vulnerabilities private!

You will probably also want to add some [repository-specific configuration](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md) to your repo to tune how many PRs get raised, but that's all the config
that should be necessary!
You may also want to add some [repository-specific configuration](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md)
to your repo to tune how many PRs get raised, but note that we have a [default config](.github/.scala-steward.conf)
that should already be filtering out the most-noisy dependencies (like `software.amazon.awssdk`, which has automatic
daily releases without obvious security value).

### Why do we have our own instance of Scala Steward for public repos?

The public instance of Scala Steward run by Frank Thomas, the creator of Scala Steward, was shutdown
in [June 2022](https://github.com/scala-steward-org/repos/issues/1029), so we need to run our own instance!
Note that until https://github.com/VirtusLab/scala-steward-repos/pull/23 is merged on the _new_ community
instance, we may have duplicate PRs :(

### How is this instance of Scala Steward setup?

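Review bot: "should already be filtering out the most-noisy dependencies" in the added paragraph misdescribes what `.github/.scala-steward.conf` does: it sets `pullRequests = { frequency = "30 day" }` for those groups, so their PRs still arrive, just at most once every 30 days; nothing is filtered out. Suggest `that already rate-limits the noisiest dependencies (like \`software.amazon.awssdk\`, which has automatic daily releases without obvious security value) to one PR every 30 days`. The removed sentence told readers to add their own repository-specific configuration, and the replacement still does, but neither says how a repo's own `.scala-steward.conf` interacts with this default; a sentence on whether it replaces or merges with the default would save each team from finding out by trial.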