Skip to content

chore: improve dependabot config#1044

Merged
chaptersix merged 2 commits into
temporalio:mainfrom
chaptersix:chore/dependabot-config
May 29, 2026
Merged

chore: improve dependabot config#1044
chaptersix merged 2 commits into
temporalio:mainfrom
chaptersix:chore/dependabot-config

Conversation

@chaptersix

Copy link
Copy Markdown
Contributor

What was changed

  • Group all GitHub Actions updates into a single PR
  • Ignore indirect Go dependencies (only direct deps get PRs)
  • Ignore all go.temporal.io/* dependencies — these are managed manually to ensure coordinated upgrades across all temporal packages

@chaptersix chaptersix requested a review from a team as a code owner May 21, 2026 17:29
@chaptersix chaptersix requested review from dandavison and fretz12 May 21, 2026 17:30
@chaptersix chaptersix merged commit 87ea7e0 into temporalio:main May 29, 2026
10 checks passed
chaptersix added a commit that referenced this pull request Jun 2, 2026
…nfig (#1057)

## Summary
- `dependency-type` is only valid inside `allow`, not `ignore` in
dependabot.yml
- Replaces the invalid `ignore` entry with `allow: [{dependency-type:
direct}]` to achieve the same goal of skipping indirect/transitive
dependency updates
- Adds a CI workflow using `check-jsonschema` to validate
`dependabot.yml` on PRs and pushes to main
- Fixes the Dependabot config validation failure introduced in #1044

## Test plan
- [ ] Verify the `.github/dependabot.yml` validation check passes on
this PR
- [ ] Verify `check-jsonschema --builtin-schema vendor.dependabot
.github/dependabot.yml` passes locally
chaptersix added a commit that referenced this pull request Jul 6, 2026
…#1104)

## Summary

Backports server-independent changes from `main` into `release/1.8.x`.
Every commit here was verified to build and pass codegen against the
release line's current dependency pins (`server v1.31.0`, `sdk v1.41.1`,
`api v1.62.8`) — nothing pulls in the newer server/SDK/API that landed
on `main` via #1017.

Scope agreed as: bug fixes + CLI changes + CI/tooling. Dependency bumps
(#1040, #1052, #1063) and server-version-dependent features are
intentionally excluded.

## Included (22 commits, cherry-picked with `-x`)

**CLI / bug fixes**
- #1006 Fix help with value flags (addresses #1003 — `--help` with value
flags like `--address 123` surfaced `pflag: help requested` as an error)
- #1012 skip CountWorkflow in batch operations when `--yes` is set
- #1016 Sort output of listing search attributes
- #1029 Workflow delete now prompts for confirmation
- #1033 Add persistence info to start-dev banner
- #1047 Add `temporal schedule list-matching-times` command
- #1056 Fix task-queue config set help: use real fairness weight flag
names
- #1059 Prefix dev server cluster ID with `dev-server-`
- #1089 fix: tls is not added for profiles without tls
- #1099 Clarify activity pause timeout behavior
- #941 auto-generate deprecation warnings from YAML config

**Tests**
- #1005 Fix flakey test by disabling EC2 metadata lookup
- #1020 Remove `time.Sleep()` in commands.taskqueue_test.go

**CI / tooling**
- #1015 pin alpine docker image to 3.23.4
- #1024 remediate missing-dependency-cooldown
- #1034 Bump actions/upload-artifact from 4 to 7
- #1044 improve dependabot config
- #1045 add PR template
- #1054 pin and bump GitHub Actions to latest versions
- #1057 use allow instead of ignore for dependency-type in dependabot
config
- #1080 Bump the github-actions group with 2 updates

## Excluded (rely on the new server/SDK version)
#1017 (server bump v1.31.0 -> v1.32.0-157.0), #1046, #1087, #1001,
#1091, #1084

## Verification
- `go build ./...` passes
- all test packages compile
- `make gen` reports no codegen drift
- server/sdk/api pins unchanged from `release/1.8.x`



## CI endpoint fix (added)
Also backports the API-key CI test endpoint change from #1087
(`us-east-1` -> `ca-central-1`) as a standalone CI-only commit. This
resolves the `Request unauthorized` failure in the "Test cloud API key"
steps on `release/1.8.x`. The rest of #1087 (Nexus Operation command
code) is excluded as it depends on the new server version.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: Kevin Woo <3469532+kevinawoo@users.noreply.github.com>
Co-authored-by: Rodrigo Zhou <rodrigo.zhou@temporal.io>
Co-authored-by: Stephan Behnke <stephanos@users.noreply.github.com>
Co-authored-by: Jiechen Zhong <jiechen.zhong@temporal.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Kent Gruber <kent.gruber@temporal.io>
Co-authored-by: picatz <14850816+picatz@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Votta <jpvotta@gmail.com>
Co-authored-by: Nasit  Sarwar Sony <nasitsony96@gmail.com>
Co-authored-by: hussam-salah <156124396+hussam-salah@users.noreply.github.com>
Co-authored-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: Bitalizer <23104115+bitalizer@users.noreply.github.com>
Co-authored-by: Sean Kane <spkane31@gmail.com>
Co-authored-by: Jessica Laughlin <JLDLaughlin@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants