I have added dependabot. It should work automatically once this pull request is accepted.
Please do not finish it; we will get around 10 PRs immediately, so let's discuss how we deal with this at a meeting before we finish the PR.
The PRs that dependabot creates include the change log and commits for the updated packages, so it is a nice place to get an overview of whether anything fundamental has changed that we need to consider. While it can also help with catching security risks, there are other tools that are better for that (e.g. CodeQL).
I have added two update tasks, `pip` and `github-actions`.

`pip` scans for all updates on our immediate dependencies. I suggest most of these should just be closed, not merged, but it is nice to get a heads up for any updates we need to react on or otherwise consider. I am not sure how it works when we don't have any requirements on those packages. Perhaps we should add a minimum version? ">=1.0.0" should be safe for most packages, right? And it is more restrictive than what we do now, so it shouldn't break anything that isn't already broken.

`github-actions` scans for updates to github actions. We use these as part of our workflows/github actions, e.g. to check out the repo, install python, and once we get it set up, to upload new versions to pypi. I would suggest we merge these PRs by default, since there is no risk of breaking anything except our workflows by updating.

I have set the update frequency for both to monthly, meaning that new PRs are created on the first of the month. I don't think we have anything that is more urgent than that, and that allows us to go over them at a meeting if we so desire.
I have let the number of PRs be at the default. From the documentation I think it is five per update task, so five for `pip`, and five for `github-actions`. We can evaluate whether to increase this when we have some experience with the tool. If there are five new every month, we need to up it.
I have hard-coded Søren, Søren and Morten as assignees to flag the PRs to us. This should ideally be a group, but I can't get groups to work (at least not with the CLI), so it will have to be individuals at the moment. We can remove this; it isn't a need-to-have, just nice to have.
closes #218
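For reference, the setup described above written out as a `.github/dependabot.yml`. This is an added illustration, not the file from this PR: the `directory` value and the assignee usernames are assumptions (placeholders), and `open-pull-requests-limit` is written out explicitly at Dependabot's default of 5 so the per-task limit the description mentions is visible.

```yaml
# .github/dependabot.yml (added example, not this PR's actual file)
# Assumed: the Python manifest (requirements.txt / pyproject.toml) sits in the
# repo root, and the usernames below are placeholders for the real assignees.
version: 2
updates:
  # Task 1: direct Python dependencies. Monthly means Dependabot opens its PRs
  # on the first of the month, which is slow enough to review them at a meeting.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5        # Dependabot default; raise if five/month is not enough
    assignees:
      - "soeren-1-placeholder"
      - "soeren-2-placeholder"
      - "morten-placeholder"

  # Task 2: actions referenced in .github/workflows (checkout, setup-python,
  # the future PyPI publish step). Updating these can only break the workflows.
  - package-ecosystem: "github-actions"
    directory: "/"                     # Dependabot finds .github/workflows from the root
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
    assignees:
      - "soeren-1-placeholder"
      - "soeren-2-placeholder"
      - "morten-placeholder"
```

Each entry under `updates` is one independent task with its own limit of open PRs, which is why the description counts five for `pip` plus five for `github-actions`. The `pip` task only produces updates for packages that appear in a manifest Dependabot can read, so unpinned or unlisted packages will not show up until some requirement for them is declared.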