Add Dependabot to the repository

[PProfizi]

No description provided.

[codecov]

Codecov Report

Merging #275 (3ba9dff) into master (faf54c0) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #275   +/-   ##
=======================================
  Coverage   86.20%   86.20%           
=======================================
  Files          52       52           
  Lines        5661     5661           
=======================================
  Hits         4880     4880           
  Misses        781      781           

[akaszynski]

You'll need to "pin" the versions of the requirements in all your requirements files for dependabot to work.

[PProfizi]

@akaszynski Oh so Dependabot will only deal with pinned down dependencies. The thing is we do not necessarily want to pin down all of our dependencies. I understand this is maybe best practice, but IMO it might create more versioning conflicts when someone tries to install our package along with another one.
I discussed this with other DPF members and the feeling is that we might want to actually manage a "=<" version for each package. This way a released package gives a range of compatible dependencies.
Does that make sense?
TLDR; not sure how pinning down every dependency solves more problems than it creates.

[akaszynski]

@akaszynski Oh so Dependabot will only deal with pinned down dependencies. The thing is we do not necessarily want to pin down all of our dependencies. I understand this is maybe best practice, but IMO it might create more versioning conflicts when someone tries to install our package along with another one. I discussed this with other DPF members and the feeling is that we might want to actually manage a "=<" version for each package. This way a released package gives a range of compatible dependencies. Does that make sense? TLDR; not sure how pinning down every dependency solves more problems than it creates.

The thing is we do not necessarily want to pin down all of our dependencies.

Agreed 100%. PyAnsys packages should have loose requirements (or as loose as possible) to ensure multiple packages can work in the same environment.

IMO it might create more versioning conflicts when someone tries to install our package along with another one.

Absolutely. Anything in your setup.py or pyproject.toml that's actually required by your package should allow the oldest version possible to run your library.

I discussed this with other DPF members and the feeling is that we might want to actually manage a "=<" version for each package.

That's one way of ensuring that upstream dependencies don't break your current project. However, even though it's a potential risk I'd instead only a minimum version requirement. For example, vtk>=9.0.

So, at this point you're probably asking, why use dependabot at all since, as you stated, it only works with "pinned down" dependencies.

Oh so Dependabot will only deal with pinned down dependencies.

It works with fully pinned or those with "upper limits" like pyvista <= 0.34.0, which we've established isn't the best practice for run-time dependencies. However, and perhaps it's because I wasn't clear, the only requirements you should pin down should be your testing and documentation dependencies.

By pinning down requirements_test.txt to the latest dependencies, you can ensure that your package works with the latest version of a package as soon as it's released to PyPI. This ensures "the best of both worlds", you can allow for the "latest" package in your install_requires section of setup.py, but you always test with the latest package in your CI/CD. The only thing dependabot does is create PRs that bump your requirements_*.txt dependencies and the workflow will either run or not.

This gives you a chance to either patch the issue due to the upstream changes, or provide an upper bound for your install_requires for that package until you patch it. Either way, you'll have to patch it, and it's much better for a "bot" to tell you that your library can't support the latest version of <some-dependency> rather than your users, because users will always be trying to use the latest version of everything.

Ping me on teams if we need to discuss this further, or if our docs at https://dev.docs.pyansys.com/ need to include this discussion. (actually, there already is an issue at ansys/pyansys-dev-guide#125).

[akaszynski]

FYI: Dependabot won't trigger until this PR is merged.

[akaszynski]

Dependabot will try to upgrade this BTW. If something's breaking, we should support it.

[PProfizi]

@akaszynski Yes, I also think it is a bad idea to restrain the version of matplotlib. This was to check whether the pipeline failure came from this (apparently it does not).