Pull request overview
This PR adds Dependabot configuration and CODEOWNERS template to help automate dependency updates. The implementation reorganizes the GitHub generator to use symlinked templates from the repository's .github directory, reducing duplication while adding new Dependabot and CODEOWNERS files.
Changes:
- Added Dependabot configuration with support for both Bundler and npm ecosystems
- Added CODEOWNERS template for automated PR reviewer assignment
- Refactored GitHub generator to use symlinked templates from the top-level .github directory
- Bumped version from 0.26.0 to 0.27.0
Reviewed changes
Copilot reviewed 7 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/generators/rolemodel/github/github_generator.rb | Simplified generator to use symlinked templates and added new method to install Dependabot/CODEOWNERS files |
| lib/generators/rolemodel/github/templates/dependabot.yml | New Dependabot configuration supporting Bundler and npm with grouped update strategies |
| lib/generators/rolemodel/github/templates/CODEOWNERS | New CODEOWNERS template with placeholder reviewers for dependency updates |
| lib/generators/rolemodel/github/templates/pull_request_template.md | Moved PR template to templates directory |
| lib/generators/rolemodel/github/templates/instructions | Symlink to repository's .github/instructions directory |
| spec/generators/rolemodel/github_generator_spec.rb | Added tests verifying Dependabot and CODEOWNERS file generation |
| lib/rolemodel_rails/version.rb | Version bump to 0.27.0 |
| Gemfile.lock, example_rails7/Gemfile.lock, example_rails8/Gemfile.lock | Updated lockfiles reflecting new version |
| updates: | ||
| - package-ecosystem: bundler | ||
| insecure-external-code-execution: allow |
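Review bot: `insecure-external-code-execution: allow` on the third line of this hunk only has an effect when the same `updates` entry also declares `registries:`, and no registry is visible in the quoted lines. Dependabot defaults the flag to `deny` exactly because Ruby evaluated from the Gemfile and gemspecs during an update could otherwise read the credentials of those registries. If the bundler entry does point at a private gem server, keep the flag but add a comment directly above it naming the gem whose Gemfile or gemspec code Bundler must run; if it does not, the line is a no-op and should be dropped.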
Allowing insecure external code execution in Dependabot configuration poses a security risk. This setting permits execution of arbitrary code during dependency updates, which could be exploited if a malicious dependency is introduced. Consider removing this line unless there's a specific, documented requirement for it, and if needed, add a comment explaining why it's necessary.
| insecure-external-code-execution: allow |
This is required because of health-check and possibly this gem (rolemodel_rails).
As a counter suggestion:
| insecure-external-code-execution: allow | |
| # NOTE: Copilot will complain about this line, but it is needed, | |
| # otherwise Dependabot cannot access internal RoleModel gems. | |
| insecure-external-code-execution: allow |
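Review bot: the proposed comment on the two `# NOTE:` lines records that Copilot will object and that internal RoleModel gems need the flag, but not which gem or which registry, which is what the next reader needs in order to decide whether the flag can be removed later. Suggest replacing it with the concrete reason, for example `# Needed so Dependabot can evaluate health-check's gemspec when resolving against the internal gem server`, and keeping the flag on the bundler entry only, since it is set per `updates` entry.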
I'm fine with this for now, but I'd like you to explain this to me in detail sometime.
Maybe then we can put our heads together and see if something useful is knocked loose.
At some point it might be good to consider if our Health Check approach is worth just having almanac pull everything it needs for SHM.
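As an added example, not the template from this PR or the rolemodel_rails gem, here is a dependabot.yml that scopes the setting the thread is debating: the private registry is declared explicitly, `insecure-external-code-execution: allow` is enabled only on the bundler entry that has to evaluate the internal gems' code, and the npm entry keeps the default. It goes slightly beyond the quoted hunk by showing the npm entry and a grouping rule. The registry name `rolemodel-gems`, its URL, the `GEM_SERVER_TOKEN` secret and the stated reason for the flag are assumed placeholders.

```yaml
version: 2

# Assumed placeholder registry: the name, URL and secret are illustrative,
# not values from the PR. Declaring it is what makes Dependabot default
# insecure-external-code-execution to deny for entries that use it.
registries:
  rolemodel-gems:
    type: rubygems-server
    url: https://gems.example.com
    token: ${{secrets.GEM_SERVER_TOKEN}}

updates:
  - package-ecosystem: bundler
    directory: "/"
    schedule:
      interval: weekly
      day: monday
    registries:
      - rolemodel-gems
    # With `registries` set above, Dependabot would otherwise refuse to run Ruby
    # from the Gemfile/gemspecs so that code cannot read the registry token.
    # Allowed here only because Bundler must evaluate that code to resolve the
    # internal gems (assumed example reason: a gemspec that requires a version file).
    insecure-external-code-execution: allow
    groups:
      rubygems-minor-and-patch:
        update-types:
          - minor
          - patch

  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
      day: monday
    # No private registry is used here, so there is no credential for the
    # flag to guard and it is deliberately left unset.
```

Keeping the registry declaration and the flag in the same entry makes the trade-off visible in one place: anyone reading the file sees which credential the Gemfile code can reach and why that was accepted.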
| @@ -0,0 +1 @@ | |||
| ../../../../../.github/instructions No newline at end of file | |||
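Review bot: the symlink target `../../../../../.github/instructions` on this line points outside `lib/`, so it resolves only in a checkout of this repository; in a built gem the target is present only if the gemspec's file list also packages `.github/instructions`, and otherwise the generator would copy a dangling link into consuming projects. Suggest verifying this after `gem build` (a spec that resolves the link from the packaged files would cover it) or copying the directory into `templates/` at release time instead of linking. The missing trailing newline is harmless for a symlink entry.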
This is a symlink for the folder. See screenshot for proof that it works in the generator.
Refactor GH Generator a bit
db07069 to 9212f1a
OutlawAndy left a comment
Nice work @wesrich, thanks!
Left a suggestion about emphasizing the note about updating the CODEOWNERS file.
| day: monday | ||
| # Ignore specific dependencies or update types which may cause issues. For example: | ||
| # ignore: | ||
| # - dependency-name: 'some-package' |
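Review bot: the commented `ignore:` example at the end of this hunk only filters which dependencies Dependabot opens update PRs for; it does not change which sources Bundler has to resolve, because the whole Gemfile and Gemfile.lock are still evaluated on every run. Ignoring the private gems here therefore would not remove the need for the `insecure-external-code-execution: allow` line earlier in the same entry. Suggest saying so in the comment so the two settings are not confused when someone revisits this file.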
if our private dependencies are ignored by default, does that remove the need for the scary "allow bad stuff" config above to be removed?
| @@ -0,0 +1 @@ | |||
| ../../../../../.github/instructions No newline at end of file | |||
Co-authored-by: Andy Cohen <outlawandy@gmail.com>
I think there was an open PR for this. I assume we're pulling from there for this?
Why?
Add Dependabot Config so we can keep everyone up to date!
What Changed
Pre-merge checklist
- Update relevant READMEs
- bin/bump_version or bin/bump_version --patch
Screenshots