Adding workflow to update dependencies weekly #7944
Conversation
There was a problem hiding this comment.
PR Overview
This PR introduces a GitHub workflow that automatically updates NuGet package dependencies on a weekly basis by scheduling a dependency update process and opening a pull request with any detected changes.
- Adds a workflow triggered by a cron schedule and manual dispatch.
- Uses the dotnet-outdated tool to update NuGet packages and automatically creates a PR with the updated dependencies.
- Reverts unintended changes while preserving updates to Directory.Packages.props.
Reviewed Changes
| File | Description |
|---|---|
| .github/workflows/update-dependencies.yml | Implements a new workflow to update NuGet dependencies and open a PR with the updates. |
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
| branch: update-dependencies | ||
| commit-message: "[Automated] Updating package dependencies" | ||
| title: "[Automated] Update dependencies" | ||
| body: "Auto-generated update to the package dependencies. In order for this PR to be green, it will require all of the new dependencies to be mirrored to our AzDO NuGet feeds. Any updates made outside of the first itemgroup in Directory.Packages.props should be reverted as those are packages that get updated through arcade's dependency flow." |
There was a problem hiding this comment.
Is there a way for us to ensure that dotnet outdated doesn't update outside of the first itemgroup?
There was a problem hiding this comment.
I don't think there is other than manually adding either an include or exclude list with the packages that are updateable. We could potentially calculate that include list dynamically as part of the action in a previous step, but not sure if that is overkill (given we will need to review these updates anyway manually)
There was a problem hiding this comment.
I guess we will see how annoying this gets. Maybe we will add an exclude list in the future so it doesn't mess with the dependencies to aspnetcore and runtime.
Yup, I can take care of that when this is merged. |
Why not at the same time? |
I was under the impression that that was configured via Settings of the GH repo, but I now understand that that is only the dependabot security updates, so I will include in this change the removal of the dependabot yml configuration file. |
|
Dependabot also updates global tools and maybe other stuff we want to keep not just package references (?) |
github-actions
bot
added
the
needs-area-label
Agreed. We can just turn off dependabot for nuget references. |
|
Here is what I had done for Orchard with dotnet outdated. Maybe one thing to take is the major version lock arguments and the fact it won't try to create a PR if there are no updates detected (but probably the PR actions takes care of it) OrchardCMS/OrchardCore@main...sebros/outdated Since this Orchard has been using Renovate which handles everything with all the rules we want. |
Thanks for sharing! I specifically decided not to use version lock on major, because we've said that, with our third party dependencies, we are okay with bumping them even across major versions. This is the current policy we use for our dependencies. |
danmoseley
added
area-engineering-systems
|
This should be good to go now. |
Broke the build. |
|
Taking a peek |
|
I have #8093 fixing this. FWIW, it only broke the dependabot leg, not the actual build. |
Description
This adds a workflow which runs weekly and updates the NuGet package dependencies in the project.
Checklist