Enable Dependabot support for the package

This enables Dependabot to run every Tuesday at 10 AM (Stanford time), and notify us (by pull request) if a dependency has done an update. It's then on us to check if the update mandates a bump in our minimum required version for the dependency. Kudos to dependabot/dependabot-core#2133, dependabot/dependabot-core#2281, and dependabot/dependabot-core#3423 for enabling Dependabot support with `python.cfg` files!
stanford-rc · Jul 6, 2021 · 4c52b48 · 4c52b48
1 parent a16cffa
commit 4c52b48
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+# This configures Dependabot to monitor the package, and open pull requests
+# when dependencies update.
+#
+# Whenever an update happens, it's on us to check the changelog of the update,
+# and determine if we need to bump the minimum required version of the
+# dependency.  After that, we'll need to do a new release.
+#
+# Thanks to https://github.com/dependabot/dependabot-core/issues/2133,
+# https://github.com/dependabot/dependabot-core/pull/2281, and
+# https://github.com/dependabot/dependabot-core/pull/3423; as of about two
+# months ago Dependabot now supports python.cfg files, so we can use it!
+
+# For configuration format, see
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#directory
+version: 2
+
+# We have a single pip ecosystem.
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+
+    # Do checks at 10AM on Tuesdays, Stanford-time
+    schedule:
+      interval: daily
+      day: "tuesday"
+      time: "10:00"
+      timezone: "US/Pacific"
+
+    # Ping Karl directly for review
+    assignees:
+      - "akkornel"