How to use different features of GitHub and GitLab.
To be added as a member of the UGA Libraries institutional GitHub account:
- Set up an individual GitHub account
- Email your GitHub name to the Head of Digital Stewardship
- Accept the invitation sent to the email address associated with your GitHub account
If you are no longer using or maintaining code, you may want to archive or delete it. In most cases, archive the repository so we have a record of the past project. This will make the repository read-only and it will be clear that it is no longer being maintained.
You might delete a repository if:
- There are security risks with keeping the repository publicly available. These risks could include:
  - Sensitive code like internal URLs, usernames, passwords
  - Packages prone to security risks (requests, lxml, others)
- The repository is minimal, meaning there isn’t much code or involved processes.
- The code lives somewhere else that is being updated/monitored.
Archiving a repository will make it read-only. Prior to archiving, update the README with the status of the project and why it was archived.
Deleting a repository will remove all code, processes, and content from a project.
Dependabot is a GitHub feature that automatically checks the packages/libraries listed in your requirements.txt file for updates and can apply them via automatically generated pull requests. This helps protect your repo from security issues and keeps your dependencies on their latest versions.
See the Dependabot quickstart guide for more info.
- Navigate to the GitHub repository you want to add Dependabot to.
- Go to the Insights tab > Dependency graph > Dependabot tab. Note: you can also do this through Settings > Code Security and analysis > Dependabot. This option will allow more granularity on what kinds of alerts you want to include.
- Click the "Enable Dependabot" button. This will automatically create a .github folder in your repository and a dependabot.yml file within that folder.
- You'll be taken to the dependabot.yml file where you can fill out the appropriate settings
  (see Configuration Options for Dependency Updates for more info). The settings we typically use include:
  - package-ecosystem: "pip"
  - directory: "/" - if you have a requirements.txt file at the top level of your repo, it should grab that
  - schedule: interval: "weekly"
- Commit changes in the top right corner to save your settings.
- You should now receive Dependabot pull requests to update your dependencies.
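The settings listed above, assembled into a complete dependabot.yml. This is an added example, not a file from the original page; `version: 2` and the `updates` list are the wrapper keys Dependabot's configuration format requires around the three settings, and the file path assumes the default location created by the "Enable Dependabot" button.

```yaml
# .github/dependabot.yml
version: 2                        # required: configuration format version
updates:                          # one list entry per ecosystem/directory pair
  - package-ecosystem: "pip"      # Python dependencies (requirements.txt)
    directory: "/"                # look for requirements.txt at the top level of the repo
    schedule:
      interval: "weekly"          # check for new versions once a week
```

If requirements.txt lives in a subfolder instead, change `directory` to that folder's path relative to the repository root.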
See About pull request merges for more info.
If enabled, Dependabot will automatically generate pull requests to update any dependencies once a new version is released. To merge these pull requests, use the following:
- Navigate to the Pull requests tab at the top left of your repository's GitHub page.
- Select the pull request you want to merge.
- Review the pull request to make sure you want to make this change. You can select the Files changed tab to see what the pull request will change as part of your code.
- Click "Merge pull request" or select one of the 3 options in the green drop-down box (we recommend Squash and merge):
  - Create a merge commit - all commits will be added from this pull request and changes merged into your base (main) branch.
  - Squash and merge (recommended) - condense all commits into one commit and merge the changes into your base (main) branch.
  - Rebase and merge - all commits from the pull request are added to the base (main) branch individually (see Rebase and merge your commits).
- After selecting your commit and merge option, the requirements.txt file on your base (main) branch should be updated with the changes from the pull request, and the commit(s) added to your commit history.