CI: add dependabot.yml to auto-update dependencies #236
Conversation
Dependabot will try to update GH actions and lint requirements in autogenerated PRs.
@@ -0,0 +1,13 @@ | |||
version: 2 | |||
updates: | |||
- package-ecosystem: "pip" |
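Review bot: the `pip` entry visible here shows neither of the two keys dependabot requires on every `updates` item, `directory` and `schedule` (with an `interval`); the header says the file is 13 lines, so they may sit in the part not shown, but the `directory` value should be the `dev/` path the discussion below settles on, since that is where the requirement files are discovered. The PR description also promises GH actions updates, which needs a second item with `package-ecosystem: "github-actions"` and `directory: "/"`; if that is not in the rest of the file, only the pip side of the description is covered.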
This part will basically mimic the tip targets in Jenkins by creating a PR with updated dependencies and the added benefit of:
- If the build passes, we can straight merge those PRs.
- If it does not, we see that some style needs to be fixed.
If we try and like this approach, then we could remove the tip jobs in Jenkins.
This is false, because tip targets check against the last version of python.
I like this approach, but I can't find documentation on which requirement files dependabot will update, at least not in [1]. Will it update dev/requirements.txt and test-requirements.txt? Do you happen to have a reference for this?
AFAICT, at the moment one can only specify the directory to search for the manifest files, and dependabot will discover them there. That's why I put the file under dev/ and configure it in line 4.
I found some discussions explaining that behavior as for example: dependabot/dependabot-core#3940 (comment)
The source code is here: https://github.com/dependabot/dependabot-core/blob/main/python/helpers/lib/parser.py
Found it, apparently it probes `**/*.txt`:

```python
requirement_files = glob.glob(os.path.join(directory, '*.txt')) \
    + glob.glob(os.path.join(directory, '**', '*.txt'))
```
Thanks for digging it up!
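To make the discovery rule concrete, here is an added example (not code from dependabot-core or this repo) that reproduces the two-glob expression above against a constructed directory tree. It shows the caveat that matters for reviewing what actually gets monitored: without `recursive=True`, Python's `**` behaves like a plain `*`, so only `.txt` files at the top level and one level down are found, and anything nested deeper stays outside dependabot's view.

```python
import glob
import os
import tempfile


def discover_requirement_files(directory):
    """Replicates the glob expression quoted from dependabot-core's parser.py.

    Without recursive=True, '**' is matched like a single '*', so this looks
    at `directory` and exactly one subdirectory level, not arbitrarily deep.
    Paths are returned relative to `directory` for stable comparison.
    """
    found = glob.glob(os.path.join(directory, '*.txt')) \
        + glob.glob(os.path.join(directory, '**', '*.txt'))
    return sorted(os.path.relpath(p, directory) for p in found)


def demo_tree():
    """Builds a constructed layout mirroring a dev/ directory (hypothetical
    file names) and returns the files the glob rule would hand to dependabot."""
    root = tempfile.mkdtemp()
    layout = [
        'dev/requirements.txt',          # found: top level
        'dev/test-requirements.txt',     # found: top level
        'dev/ci/lint-requirements.txt',  # found: one level down
        'dev/ci/old/pins.txt',           # NOT found: two levels down
        'dev/README.md',                 # NOT found: not *.txt
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('requests==2.31.0\n')  # constructed pin; content is irrelevant
    return discover_requirement_files(os.path.join(root, 'dev'))


if __name__ == '__main__':
    for f in demo_tree():
        print(f)
```

The `dev/ci/old/pins.txt` case is the one to watch: pins that live below that depth never get an update PR, so they need to be moved up or referenced from a discovered file.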
LGTM, thanks!
@aciba90 is this actually still a draft?
Ready! Thanks, @paride for the review. I wanted to make sure that the default configuration does not auto-merge PRs or anything weird. Checked and it looks safe: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates I am going to ping others as reviewers.
LGTM!