Because we're using pip-compile-multi we – like others within the org and beyond – are finding that repos using multiple dependency files aren't being processed as we'd expect by Dependabot, e.g. dependabot/dependabot-core#536.
To mitigate this, we can at least run our own workflow as a GitHub Action that runs `pip list -o` to warn us of stale deps. Ideally, it would also make PRs for them.
It could even be implemented separately from mozilla/bedrock so that other repos (Basket, Nucleus and other parts of Mozilla) can also use it.
(Equally, if there's an action that already does all of what we're talking about, we should consider forking and adopting it.)
Success Criteria
GitHub Action exists that runs `pip list -o` and notifies the team about all outdated dependencies (that aren't in an ignorelist)
An ignorelist of dependency versions is allowed, supporting major, minor and patch versions. This should be easy/lightweight to add to, but does not need to mimic Dependabot's comment-driven control
The custom action lives in its own repository, so it can be installed by other repos.
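As an added example (not code from this issue or from mozilla/bedrock), the filtering step such an action would need: it takes the JSON form of `pip list -o` output, classifies each available upgrade as major, minor or patch, and drops anything covered by an ignorelist. The ignorelist syntax and the sample package data are assumptions made for the example.

```python
import json

# Constructed sample in the shape of `pip list -o --format=json` output (not real bedrock data).
SAMPLE_PIP_LIST_JSON = json.dumps([
    {"name": "Django", "version": "3.2.4", "latest_version": "4.0.1"},
    {"name": "requests", "version": "2.25.0", "latest_version": "2.26.0"},
    {"name": "urllib3", "version": "1.26.4", "latest_version": "1.26.5"},
    {"name": "sentry-sdk", "version": "1.0.0", "latest_version": "1.1.0"},
    {"name": "certifi", "version": "2021.5.30", "latest_version": "2021.10.8"},
])

# Hypothetical ignorelist syntax (an assumption; the issue only asks for major/minor/patch support):
#   "pkg:major|minor|patch"  silences bumps at that level and every smaller one ("pkg" alone: all)
#   "pkg==X.Y.Z"             silences exactly that latest version
IGNORELIST = ["Django:major", "sentry-sdk:minor", "urllib3:patch", "certifi==2021.10.8"]
LEVEL_RANK = {"major": 0, "minor": 1, "patch": 2}

def _parts(version):
    # First three numeric components; non-numeric parts (e.g. "0rc1") count as 0.
    nums = [int(p) if p.isdigit() else 0 for p in version.split(".")[:3]]
    return nums + [0] * (3 - len(nums))

def bump_level(current, latest):
    # Classify the upgrade by the first differing version component.
    cur, new = _parts(current), _parts(latest)
    for idx, name in enumerate(("major", "minor", "patch")):
        if cur[idx] != new[idx]:
            return name
    return "patch"  # only a pre/post-release suffix differs

def parse_ignorelist(entries):
    """Split entries into {name: level} and {name: ignored latest version}, names lower-cased."""
    by_level, by_version = {}, {}
    for entry in entries:
        if "==" in entry:
            name, version = entry.split("==", 1)
            by_version[name.strip().lower()] = version.strip()
        else:
            name, _, level = entry.partition(":")
            by_level[name.strip().lower()] = level.strip() or "major"
    return by_level, by_version

def outdated_to_report(pip_list_json, ignorelist):
    """Filter `pip list -o --format=json` output through the ignorelist; returns what to notify on."""
    by_level, by_version = parse_ignorelist(ignorelist)
    report = []
    for pkg in json.loads(pip_list_json):
        name, level = pkg["name"].lower(), bump_level(pkg["version"], pkg["latest_version"])
        if by_version.get(name) == pkg["latest_version"]:
            continue
        if name in by_level and LEVEL_RANK[level] >= LEVEL_RANK[by_level[name]]:
            continue
        report.append((pkg["name"], pkg["version"], pkg["latest_version"], level))
    return report
```

In a workflow the JSON would come from `subprocess.run(["pip", "list", "-o", "--format=json"], capture_output=True, text=True).stdout`; with the sample data only `requests` survives the ignorelist.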
Stretch goals
PRs with updated dependencies should be created
Note: https://github.com/peterdemin/pip-compile-multi/blob/master/.github/workflows/pipcompilemulti.yml is a similar idea, from the author of pip-compile-multi, to get around the problem. We would not be able to rely on using a third-party GH Action (unless it's on our approved list), but we can likely fork one or write our own.