
Upgrade to GitHub Dependabot #402

Merged
merged 7 commits into from
Jul 9, 2020

Conversation

staticdev
Contributor

Closes #347

@cjolowicz
Owner

cjolowicz commented Jun 21, 2020

Thanks for the PR (and your patience 😊)! This is definitely something that needs to happen. But there are still a lot of open questions:

  • What is the correct onboarding for the new Dependabot feature? Your documentation changes suggest that users should still create an account at Dependabot and install their app, but it seems that this is obsolete because they would end up with the superseded preview app. The step you added is recommended for users who are upgrading from the preview Dependabot, right? In summary, the documented steps should work for all users. This is particularly tricky as the feature is still in Beta and subject to changes at short notice.
  • The Dependabot badge in upgraded projects shows that Dependabot is inactive (last I checked). How can we fix this to show the correct Dependabot status?
  • Can the open-pull-requests-limit setting be omitted, to go with the default? I saw something, maybe in the GitHub docs, that suggests it can.
  • Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.
  • It looks like the new Dependabot picks up docs/requirements.txt when scanning from /? If so, the pip:docs section can be removed.
  • If we rename .github/workflows/constraints.txt to, say, .github/requirements.txt (see Manage Python requirements of GH Actions with Dependabot retrocookie#106, which I was planning to port to the template), it looks like the new Dependabot picks it up when scanning from /. If so, the pip:.github section can be removed. However, while the Dependabot tab in GitHub suggests that the file is tracked, the update logs indicate that entries in .github/requirements.txt are not processed.

@staticdev
Contributor Author

staticdev commented Jun 21, 2020

You made very good observations. I don't have a definitive answer to all of them, but I will tell what I know from the 6 repos that I own and that are using the configs on the proposed PR #402 and #401.

  • You are correct. There is no need anymore for steps 1 and 2 as it went native and GA in GitHub (I should remove that in a new commit). Also, step 3 is an automerge feature for security-vulnerable dependencies and is also not necessary if you consider using an automerge workflow proposed on the complementary PR WIP: Automerge workflow #401.
  • I didn't notice about the badge, and you are also right. I found an open issue for that Update badges to be compatible with the new native GitHub Dependabot dependabot/dependabot-core#1912, they would be fixing that soon. They are already tracking this here: dependabot/feedback#968
  • Open pull-request limit and also schedule.time are automatic configs by Dependabot, if you migrate a dependabot-preview repo using their script (on dependabot.com) it is automatically added. I just stuck with the defaults here. But I've forwarded these questions directly to their staff here.
  • I'm not sure about that. We have to test, but I think a section in config will still be needed as package-ecosystem: github-actions is just for GitHub Actions versions, and for requirements.txt or constraints.txt we need package-ecosystem: pip.

UPDATE: GitHub staff responded to the remaining questions:

  • Can the open-pull-requests-limit setting be omitted, to go with the default?
    Yup, the default is 5

  • Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.
    This should be set from your account settings in your dependabot dashboard. You can omit it and the default 5am UTC will be used.

@cjolowicz
Owner

Thank you so much for the research.

@cjolowicz
Owner

cjolowicz commented Jul 8, 2020

While some things are still in motion here, I went ahead and switched the Cookiecutter repository itself to GitHub Dependabot. Following the official flow, I did the following:

  • Opt in to Dependabot security updates (Security > Dependabot alerts > Dependabot security updates).
  • Request the Dependabot PR Update Dependabot config file #431 via the Dependabot.com dashboard
  • Apply your patch to format the YAML code with Prettier
  • Configure the schedule timezone and pull request labels

I credited you as a co-author on the Dependabot PR, and merged it.

As far as I can see, the following still needs to happen here (not saying you have to do this, but you are welcome to 😄):

For now, let's not remove the configuration sections for the requirements files under docs and .github. Judging from Dependabot's behavior on another repository, it does not send pull requests for these files without the configuration sections (even though the files are listed on Insights > Dependency Graph > Dependabot).
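For the configuration shape under discussion, an illustrative .github/dependabot.yml (an added example, not the file #431 added to the project) that keeps the docs and .github sections and omits the keys whose defaults were confirmed above; the directory paths and label name are assumptions:

```yaml
# Illustrative .github/dependabot.yml (added example, not the project's own file).
# Assumed paths: /docs for the docs requirements file, /.github/workflows for the
# pinned tool requirements used by the workflows.
version: 2
updates:
  # Keep the action versions referenced in workflow files up to date.
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      # schedule.time omitted on purpose: the default of 5am UTC applies.
    # open-pull-requests-limit omitted on purpose: the default of 5 applies.
    labels:
      - dependencies   # assumed label name

  # Main Python dependencies declared at the repository root.
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily

  # Kept explicitly: without this section Dependabot lists docs/requirements.txt
  # under Insights > Dependency Graph > Dependabot but opens no pull requests for it.
  - package-ecosystem: pip
    directory: "/docs"
    schedule:
      interval: daily

  # Same reasoning for the requirements file pinning tools used by the workflows.
  - package-ecosystem: pip
    directory: "/.github/workflows"
    schedule:
      interval: daily
```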

@cjolowicz cjolowicz added the labels "ci" (Changes to CI configuration files and scripts) and "enhancement" (New feature or request) Jul 8, 2020
@cjolowicz cjolowicz added this to the 2020.7.15 milestone Jul 8, 2020
Update legacy documentation

Fix extra space on YAML

Fix other space pre-commit didn't get
@staticdev staticdev force-pushed the upgrade-dependabot branch from 9631098 to 2a16143 Compare July 8, 2020 20:46
@staticdev
Contributor Author

staticdev commented Jul 8, 2020

@cjolowicz done. About the badge issue, one alternative to waiting is removing it from READMEs until the issue is fixed.

Owner

@cjolowicz cjolowicz left a comment


Excited that this is becoming a thing 💯 and thanks again for doing the work! I left a few small suggestions for the changes to the User Guide.

I agree with you that we can simply remove the Dependabot badge for now. Let's do that.

Can you please also revert all the changes to the top-level .github/dependabot.yml? I think this file is fine the way #431 added it. Sorry for not expressing this more clearly earlier.

Thiago C. D'Ávila and others added 2 commits July 9, 2020 11:54
@staticdev staticdev requested a review from cjolowicz July 9, 2020 15:34
Contributor Author

@staticdev staticdev left a comment


Done.

@cjolowicz cjolowicz changed the title Upgrade dependabot Upgrade to GitHub Dependabot Jul 9, 2020
@cjolowicz cjolowicz merged commit ba98ec1 into cjolowicz:master Jul 9, 2020
@staticdev staticdev deleted the upgrade-dependabot branch July 9, 2020 21:56
@staticdev
Contributor Author

Hooray!

Successfully merging this pull request may close these issues.

dependabot-preview upgrade