rmuir opened a new issue, #14491: URL: https://github.com/apache/lucene/issues/14491
### Description

I added dependabot.yml in https://github.com/apache/lucene/pull/14462

Currently it sends us pull requests for:

- github actions
- pip dependencies in dev-tools/

But most github actions we use seem to only pin major version. They are also solid github "official" ones: https://github.com/apache/lucene/network/dependencies?q=ecosystem%3A%22GitHub+Actions%22

For more build reliability, we could pin them better, e.g. to minor, patch or even hash is probably possible too.

Personally I think it would be best to "fully pin" as exactly as we can, and then address update frequency via dependabot.yml (e.g. set the Github Actions ecosystem to monthly PR frequency). Just something never to worry about: code changing underneath us.

Personally I think it is just easier to upgrade iteratively too, rather than in huge major versions. It is also helpful to get digestible-size release notes to take advantage of any new functionality.

To get an idea of what I mean, consider the `setup-java` changelogs (we specify `4.*.*` today): https://github.com/actions/setup-java/releases
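As an added illustration of the two pieces the issue describes (it is not configuration from the issue or from the Lucene repository), the fragments below show a dependabot.yml that puts the GitHub Actions ecosystem on a monthly cadence, and a workflow step pinned to a full commit SHA instead of a floating major tag. The `/dev-tools` directory, the weekly pip interval and the 40-character SHA are assumptions and placeholders, not values taken from the project.

```yaml
# File: .github/dependabot.yml (example; paths and intervals are assumptions)
version: 2
updates:
  # GitHub Actions: Dependabot bumps the SHA and the trailing "# vX.Y.Z" comment together,
  # so fully pinned steps still receive update PRs, just on a predictable monthly schedule.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"

  # pip dependencies under dev-tools/ (directory assumed)
  - package-ecosystem: "pip"
    directory: "/dev-tools"
    schedule:
      interval: "weekly"

# File: .github/workflows/<any>.yml (example step only)
steps:
  # Weak: a major-version tag is mutable and floats to any 4.x release the action maintainers publish.
  # - uses: actions/setup-java@v4

  # Hardened: a full commit SHA is immutable; the version comment documents the release
  # it corresponds to and is what Dependabot uses to find the next one.
  # The SHA below is a PLACEHOLDER, not a real setup-java commit.
  - uses: actions/setup-java@0000000000000000000000000000000000000000 # v4.0.0 (placeholder)
    with:
      distribution: "temurin"
      java-version: "21"
```

The SHA comment matters in practice: without it, a reader cannot tell which release a pinned step corresponds to, and the update tooling cannot propose the next one, so the pin silently stops moving.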