Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(dependabot): ✨ add dependabot for updating Python dependencies #444

Merged
merged 1 commit into from
May 24, 2024
Merged

feat(dependabot): ✨ add dependabot for updating Python dependencies #444

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
version: 2
updates:
- package-ecosystem: pip
directory: /
schedule:
interval: weekly
versioning-strategy: increase-if-necessary
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To update the version constraint in the manifest file only if the new version is not in range. Seems like some people prefer this because it leads to fewer updates on the whole, but I don't have any deeper insight

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this work for poetry managed projects? There is no manifest file for poetry projects.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I thought pyproject.toml was the ?equivalent of the? manifest file. In any case, with increase-if-necessary pyproject.toml will only be updated if the new version is outside the range specified in pyproject.toml.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, it seems that it only updates the poetry lock file: dependabot/dependabot-core#8603 which seems to be waiting on python-poetry/poetry-core#708

Maybe we wait a bit for those PRs to be merged, since it doesn't make sense to only update the lock file and not the pyproject.toml file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, but then I'm a bit confused about why it updated both of them in my test repo (e.g. if you look at this PR). Or am I looking at the wrong thing?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm, that is super odd... What's the open issues for then?? Well, let's just try it out and see how it works 😋😋

commit-message:
prefix: build
martonvago marked this conversation as resolved.
Show resolved Hide resolved
include: scope