Chore: Reduce Dependabot Noise 🤖 🙉 😢

[nelsonic]

while it's good to have our dependencies up-to-date the number of @dependabot PRs is getting a bit ridiculous ...

It's very noisy to have this many PRs spamming our notifications each morning. 🤦‍♂️

Often they are for minor updates like build(deps-dev): Bump excoveralls from 0.16.0 to 0.16.1 🙄
We really don't care about these minor Dev dependency updates ... 👎

Todo

• Investigate if we can get @dependabot to: 🔍
  • Only create ONE PR for all the updates for a given week or month.
  • Ignore minor updates e.g: 0.16.0 to 0.16.1 completely and only update when a patch e.g: 0.16.0 to 0.17.0 or major is released.
• Change the checking time from 07:00 to something like 16:00 so that it doesn't spam us first thing in the morning.

@LuchoTurtle if you have T1h, please read the Docs https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file and figure out how we can ignore the minor releases of dev dependencies. Do we need to list them all individually? in which case please start that list. 🙏

[SimonLab]

I don't think we can only update the minor versions and ignoring the patches.

I suspect the way Dependabot works is by checking the version "rules" in mix.exs:

see https://hexdocs.pm/elixir/Version.html

I was more specifficaly looking if "~>" could be use for minor version only but I don't think it is the way it works.

On the Dependabot configuration I can't see either a way to only update the minor versions only.

However we can definitely run Dependabot weekly/monthly and at a specific time.
If we search for the dependabot.yml file in the dwyl org we have 48 files found:
https://github.com/search?q=org%3Adwyl+filename%3Adependabot.yml&type=code

I'm not sure if there is an automatic way to update automatically these files, I think it will be quicker to go over them manually to update the configuration.

[nelsonic]

@SimonLab yeah, we will definitely have to do this manually. But we can do them ad hoc.
e.g: next time there is a @dependabot PR we use that as an opportunity to update the dependabot.yml in that repo.

I just want to have a clear understanding of what that file needs to contain so that we can copy-paste it and be done. 📋

[SimonLab]

I think I've now updated most of the dependabot configuration to run weekly. It's possible that I might have missed some, but we should now have a lot less daily noise

[nelsonic]

What I was suggesting was reading the docs for the ignore configuration:
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#creating-ignore-conditions-from-dependabot-ignore

e.g:

    ignore:
      - dependency-name: "express"
        # For Express, ignore all updates for version 4 and 5
        versions: ["4.x", "5.x"]
        # For Lodash, ignore all updates
      - dependency-name: "lodash"
        # For AWS SDK, ignore all patch updates
      - dependency-name: "aws-sdk"
        update-types: ["version-update:semver-patch"]

So ours would simply ignore all the dev dependencies:

    ignore:
        # ignore all patch updates in dev dependencies ref: github.com/dwyl/technology-stack/issues/126
      - dependency-name: "credo"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "excoveralls"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "ex_doc"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "esbuild"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "floki"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "phoenix_live_reload"
        update-types: ["version-update:semver-patch"]

We could steadily add to this list as needed.

[nelsonic]

Thinking we will just have a comprehensive list of non-core/essential dependencies that we just ignore patch updates for:

version: 2
updates:
- package-ecosystem: mix
  directory: "/"
  schedule:
    interval: weekly
    time: "17:00"
    timezone: Europe/London
  ignore:
      # ignore all patch updates in dev dependencies ref: github.com/dwyl/technology-stack/issues/126 [alphabetical list]
    - dependency-name: "credo"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "dialyxir"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "excoveralls"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "ex_doc"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "esbuild"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "floki"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "gettext"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "mock"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "phoenix_live_dashboard"
      update-types: ["version-update:semver-patch"]
    - dependency-name: "phoenix_live_reload"
      update-types: ["version-update:semver-patch"]

[LuchoTurtle]

Should this be closed? dwyl/mvp#344 was already merged and @SimonLab already pushed a few PR to a handful of repos with this change.

[nelsonic]

Indeed. The issue was assigned to @LuchoTurtle but no comment was made. so @SimonLab picked up the task. ✅