feat: optimize Dependabot config #220

Merged
merged 4 commits into from
Apr 21, 2024

Conversation

lsorber
Member

@lsorber lsorber commented Apr 2, 2024

Before this PR: the Dependabot configuration is suboptimal because it doesn't differentiate well between applications and packages, and because it doesn't group updates to reduce the number of PRs.

After this PR:

  • For Python applications and packages:
    • Every month, Dependabot will create a single PR for all direct development dependency updates. This PR will bump the minimum version of these dependencies in pyproject.toml.
    • Every month, Dependabot will create a single PR for all transitive dependency updates (of both production & development dependencies). This PR only updates the lockfile.
  • For Python applications:
    • Every month, Dependabot will create a single PR for all direct production dependency updates. This PR will bump the minimum version of these dependencies in pyproject.toml.
  • For GitHub Actions:
    • The current CI dependencies are updated to the latest versions.
    • Dependabot will create a single PR for all CI dependency updates per month.

EDIT: Dependabot unfortunately has a number of limitations currently that prevent us from grouping transitive dependency updates and using a different versioning strategy for them. I've updated the scope of this PR's changes above.

@lsorber lsorber requested a review from sinopeus April 2, 2024 07:30
@lsorber lsorber self-assigned this Apr 2, 2024
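
A configuration along the lines described in the PR description above, as an added example: this is not the file merged in this PR. The group names and the `/` directory are assumptions, and the entry shown is the Python application variant.

```yaml
# Hypothetical .github/dependabot.yml (added example, not the project's own file).
version: 2
updates:
  # CI dependencies: one grouped PR per month for all GitHub Actions updates.
  - package-ecosystem: "github-actions"
    directory: "/"                 # assumed: workflows live in the default location
    schedule:
      interval: "monthly"
    groups:
      ci-dependencies:             # group name is an assumption
        patterns:
          - "*"                    # every action lands in the same PR

  # Python application: dependencies declared in pyproject.toml.
  # With no `allow` block, version updates cover the explicitly defined
  # (direct) dependencies only.
  - package-ecosystem: "pip"
    directory: "/"                 # assumed: pyproject.toml is at the repo root
    schedule:
      interval: "monthly"
    # "increase" bumps the version requirement in the manifest rather than
    # only refreshing the lockfile.
    versioning-strategy: "increase"
    groups:
      python-development-dependencies:   # one monthly PR for dev dependencies
        dependency-type: "development"
      python-production-dependencies:    # one monthly PR for production dependencies
        dependency-type: "production"

  # Package variant (replaces the entry above, since each ecosystem/directory
  # pair may appear only once): restrict updates to development dependencies
  # and drop the production group.
  #
  #   allow:
  #     - dependency-type: "development"
  #   groups:
  #     python-development-dependencies:
  #       dependency-type: "development"
```
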
Collaborator

@sinopeus sinopeus left a comment

LGTM but @lsorber will test this first in the demo package.

@lsorber lsorber force-pushed the ls-optimize-dependabot branch from 61a7893 to a7d6d6e Compare April 19, 2024 13:12
@lsorber
Member Author

lsorber commented Apr 19, 2024

> LGTM but @lsorber will test this first in the demo package.

After testing, I encountered some limitations on the way Dependabot can be configured. I updated this PR to conform with those limitations and also updated the changes in the PR's description above.

@lsorber lsorber merged commit 8ab7ee0 into main Apr 21, 2024
4 checks passed
@lsorber lsorber deleted the ls-optimize-dependabot branch April 21, 2024 10:06