ppkarwasz commented on code in PR #455:
URL: https://github.com/apache/logging-parent/pull/455#discussion_r3081095152


##########
pom.xml:
##########
@@ -630,6 +630,8 @@
             <!-- License headers in GitHub templates pollute the prompt 
displayed to the user: -->
             <exclude>.github/ISSUE_TEMPLATE/*.md</exclude>
             <exclude>.github/pull_request_template.md</exclude>
+            <!-- `.logging-parent-bom-activator` activates the `bom` Maven 
profile: -->
+            <exclude>.logging-parent-bom-activator</exclude>
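Review bot: the new comment explains what `.logging-parent-bom-activator` does, not why it cannot carry a license header, whereas the two exclusions above state the consequence of having one (a polluted template prompt); give the reason here (for instance, if the activator has to stay empty for the profile activation to work) so the exclusion list does not grow into an unexplained blind spot for the license check, and if the file can hold a comment line, a header is preferable to another exclusion.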

Review Comment:
   _Nit_: alternatively we can use the shortest possible license declaration:
   
   ```
   SPDX-License-Identifier: Apache-2.0
   ```



##########
.github/dependabot.yaml:
##########
@@ -17,33 +17,50 @@
 
 version: 2
 
-# Add Maven Central explicitly to work around:
-#   https://github.com/dependabot/dependabot-core/issues/8329
-registries:
-  maven-central:
-    type: maven-repository
-    url: https://repo.maven.apache.org/maven2
-
 updates:
 
+  # region `main` updates
+
   - package-ecosystem: maven
     directory: "/"
     schedule:
-      interval: daily
-    open-pull-requests-limit: 10
+      interval: monthly
+    groups:
+      dependencies:
+        patterns: [ "*" ]
+    target-branch: "main"
     registries:
       - maven-central
 
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
-      interval: daily
+      interval: monthly
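Review bot: the top-level `registries:` block that defines `maven-central` is removed, but the unchanged context under the maven update (`registries:` / `- maven-central`) still references it; Dependabot will reject a configuration that names an undefined registry, so either keep the definition or drop the reference from the maven update, and confirm that the upstream issue linked in the removed comment is actually resolved before dropping the workaround.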

Review Comment:
   GitHub Actions might need to be updated more often than monthly, but I would 
apply the recommended `cooldown` period. In our case, the cooldown period 
allows the INFRA team to review and allow the new version of the action.
   
   ```suggestion
         interval: weekly
       cooldown:
         default-days: 7  
   ```



##########
.github/dependabot.yaml:
##########
@@ -17,33 +17,50 @@
 
 version: 2
 
-# Add Maven Central explicitly to work around:
-#   https://github.com/dependabot/dependabot-core/issues/8329
-registries:
-  maven-central:
-    type: maven-repository
-    url: https://repo.maven.apache.org/maven2
-
 updates:
 
+  # region `main` updates
+
   - package-ecosystem: maven
     directory: "/"
     schedule:
-      interval: daily
-    open-pull-requests-limit: 10
+      interval: monthly
+    groups:
+      dependencies:
+        patterns: [ "*" ]
+    target-branch: "main"
     registries:
       - maven-central
 
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
-      interval: daily
+      interval: monthly
+    groups:
+      dependencies:
+        patterns: [ "*" ]
+    target-branch: "main"
 
   - package-ecosystem: npm
     directory: "/"
     schedule:
       interval: monthly
     groups:
-      all:
-        patterns:
-          - "*"
+      dependencies:
+        patterns: [ "*" ]
+    target-branch: "main"
+
+  # endregion
+
+  # region `gha/v0` updates
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: monthly
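Review bot: the `gha/v0` github-actions block at the end of this hunk shows `directory`, `schedule` and `interval`, but its `target-branch` lies beyond the lines quoted in this mail; every block in the `main` region sets `target-branch: "main"` explicitly, so confirm the `gha/v0` block sets `target-branch: "gha/v0"`, otherwise Dependabot raises its PRs against the default branch and duplicates the `main` github-actions entry. Also, with the top-level `registries:` block removed, the `- maven-central` reference under the maven update (unchanged context in this hunk) points at a registry that no longer exists.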

Review Comment:
   Same as above: weekly, but with a cooldown.
   
   ```suggestion
       schedule:
         interval: weekly
       cooldown:
         default-days: 7
   ```



##########
.github/workflows/codeql-analysis.yaml:
##########
@@ -34,21 +38,9 @@ permissions: { }
 jobs:
 
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    uses: 
apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@gha/v0
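Review bot: the hunk header shows top-level `permissions: { }`, and a job that only `uses:` a reusable workflow gets nothing beyond what the caller grants, since a called workflow cannot widen its caller's token scope; CodeQL has to upload results to the code-scanning API, which needs `security-events: write` (plus `contents: read` for checkout), so add a job-level `permissions:` block on `analyze` unless the removed lines (not fully shown here) already carried one. Note also that `@gha/v0` is a moving branch ref: acceptable for a repository calling its own reusable workflow, but changes pushed to `gha/v0` alter this workflow's behaviour on `main` without any diff on `main`.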

Review Comment:
   The `logging-parent` repo does not have any Java code; this is why 
`codeql-analysis` was copy-pasted and slightly adapted, instead of using the 
`codeql-analysis-reusable`.



##########
package-lock.json:
##########
@@ -703,20 +703,6 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/dunder-proto": {
-      "version": "1.0.1",
-      "resolved": 
"https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz";,
-      "integrity": 
"sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.1",
-        "es-errors": "^1.3.0",
-        "gopd": "^1.2.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
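Review bot: a lockfile entry (`node_modules/dunder-proto`, together with its `integrity` hash) is dropped while this PR shows no change to `package.json` or to the package that depended on it; lockfile changes that cannot be traced to a manifest change should be regenerated from the committed manifest or moved to a separate dependency-update PR, so that removed integrity pins can be reviewed on their own.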

Review Comment:
   I am not sure why this PR updates the lock file.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
