Clarify Dependabot exclusion of test fixtures with comments#190
Closed
dreadn0ught wants to merge 2 commits into
Closed
Clarify Dependabot exclusion of test fixtures with comments#190dreadn0ught wants to merge 2 commits into
dreadn0ught wants to merge 2 commits into
Conversation
Drop the inert `ossprey/test_*.py` exclude-path (Dependabot only scans dependency manifests, never Python source), and document that `test/**` recursively covers every nested fixture manifest so no version-update PRs are opened for the intentionally-pinned/broken test packages. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016t4tMDhWdVwUCe4WXPFWSS
exclude-paths only suppresses pip version-update PRs; it does not stop Dependabot *security* alerts/PRs, and the npm/yarn/docker fixtures ride GitHub's native dependency graph which has no path exclusion. Those intentionally-vulnerable test fixtures were showing up as open alerts. Rather than disable Dependabot alerts (needed repo-wide for compliance), add a weekly workflow that dismisses (as not_used) any open alert whose manifest lives under test/, leaving real dependency alerts untouched. Needs a repo secret DEPENDABOT_ALERTS_TOKEN (fine-grained PAT with "Dependabot alerts: Read and write"); the built-in GITHUB_TOKEN cannot write Dependabot alerts. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016t4tMDhWdVwUCe4WXPFWSS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updated the Dependabot configuration to include explanatory comments about why test fixtures are excluded from automated version updates, and removed an outdated exclusion pattern.
Key Changes
test/directory contains throwaway fixture packages that are intentionally pinned, out of date, or deliberately broken**glob pattern recursively matches all nested fixture manifestsossprey/test_*.pyexclusion pattern, which is no longer neededDetails
The changes improve maintainability by documenting the rationale behind excluding test fixtures from Dependabot's automated version update PRs. This prevents unnecessary churn from dependency updates on intentionally broken or pinned test fixtures while making the configuration's intent clear to future maintainers.
https://claude.ai/code/session_016t4tMDhWdVwUCe4WXPFWSS