mirror of
https://github.com/apple/pkl.git
synced 2026-04-30 04:04:18 +02:00
Dependabot currently does not update lockfiles in multi-module projects (see https://github.com/dependabot/dependabot-core/issues/14633).

To work around this issue, we will simply remove our lockfiles, and change our version catalog to use fully specified versions.

The removal of lockfiles introduces two issues:

1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible

To work around this, two mitigations are in place:

1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the project SBOM
18 lines
316 B
YAML
version: 2
updates:
  - package-ecosystem: gradle
    cooldown:
      default-days: 7
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    cooldown:
      default-days: 7
    directory: /
    ignore:
      - dependency-name: '*'
        update-types:
          - version-update:semver-major
    schedule:
      interval: weekly