GitHub recently enabled Dependabot, which automatically sends PRs to bump versions of libraries that received security updates.
In our case, a lot of repos are just mirrors of Gerrit repos, so no PRs need to be sent there.
This ticket is to disable Dependabot on such repos. Some examples:
https://github.com/oVirt/ovirt-engine/pulls
https://github.com/oVirt/jenkins/pulls
https://github.com/oVirt/ovirt-vdsmfake/pulls
To disable these PRs it is enough to go to the security tab of the mirror project and unclick the checkbox in the "Automatic security updates" menu.
This means you don’t have admin rights on the oVirt organization. Please share your GitHub handle and I’ll add you.
Hi ,
My GitHub handle is
Disabled Dependabot on the below repos:
https://github.com/oVirt/ovirt-engine/pulls
https://github.com/oVirt/jenkins/pulls
https://github.com/oVirt/ovirt-vdsmfake/pulls
Thanks! When you have time - could you look through all the repos at that are marked as “This is a mirror for http://gerrit.ovirt.org” and disable auto-PRs there? We should also update the docs on creating GitHub mirrors to disable this feature upon creation of any new mirror repo.
This is a low-priority task at the moment.
Disabled Dependabot on all repos that are marked as “This is a mirror for http://gerrit.ovirt.org”.
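
A scripted form of the cleanup discussed in this ticket, as an added example that is not part of the original thread or of oVirt's tooling: it selects repos by the mirror marker in their description and builds the GitHub REST call (`DELETE /repos/{owner}/{repo}/automated-security-fixes`) that switches Dependabot security updates off. The sample repo records, the token placeholder and the choice to skip archived repos are assumptions; the token must belong to a user with admin rights on the organization.

```python
import json
import urllib.request

API = "https://api.github.com"
# Marker text quoted in the ticket; mirror repos carry it in their description.
MIRROR_MARKER = "This is a mirror for http://gerrit.ovirt.org"

def _headers(token):
    return {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}

def select_mirrors(repos, marker=MIRROR_MARKER):
    """Return sorted full names of repos whose description contains the marker."""
    picked = []
    for repo in repos:
        desc = repo.get("description") or ""  # the API returns null when unset
        # Assumption: archived repos are read-only, so they are left alone.
        if marker.lower() in desc.lower() and not repo.get("archived", False):
            picked.append(repo["full_name"])
    return sorted(picked)

def disable_request(full_name, token):
    """Build the DELETE request that disables Dependabot security updates."""
    url = f"{API}/repos/{full_name}/automated-security-fixes"
    return urllib.request.Request(url, method="DELETE", headers=_headers(token))

def list_org_repos(org, token):
    """Page through GET /orgs/{org}/repos until an empty page comes back."""
    repos, page = [], 1
    while True:
        url = f"{API}/orgs/{org}/repos?per_page=100&page={page}"
        req = urllib.request.Request(url, headers=_headers(token))
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1

# Constructed sample of API repo objects, so the dry run below works offline.
SAMPLE = [
    {"full_name": "oVirt/ovirt-engine", "description": MIRROR_MARKER, "archived": False},
    {"full_name": "oVirt/jenkins", "description": MIRROR_MARKER.upper(), "archived": False},
    {"full_name": "oVirt/constructed-native", "description": None, "archived": False},
    {"full_name": "oVirt/constructed-old", "description": MIRROR_MARKER, "archived": True},
]

if __name__ == "__main__":
    # Dry run: print the calls instead of sending them with urlopen().
    for name in select_mirrors(SAMPLE):
        req = disable_request(name, token="PLACEHOLDER_TOKEN")
        print(req.get_method(), req.full_url)
```

For a real run, feed `list_org_repos("oVirt", token)` into `select_mirrors` and pass each request to `urllib.request.urlopen`; running the same selection on a schedule also catches mirrors created later without the setting turned off.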