Hi everyone! We integrated Dependabot with the OpenSearch repository. Dependabot issues auto-PRs for what it finds and is a useful tool to assist in keeping our dependencies up-to-date.
One of the common issues with integrating Dependabot is that once it is integrated with a repo, some forks start getting Dependabot update PRs once they sync with the upstream.
(Related issue: .dependabot/config.yml and forks · Issue #2198 · dependabot/dependabot-core · GitHub)
We believe the tradeoff of opening PRs against forks is worth it to rapidly patch the main repository.
- Does anyone know of a way to achieve our results that doesn't require this trade-off?
- What do you think of this tradeoff?
Please let us know - we will keep this open until Wednesday, March 2nd.
Thank you