Support bumping dependencies in .pre-commit-config.yml

[sloria]

pre-commit is a popular tool for managing git hooks. It has a YAML based config that allows specifying hook-specific dependencies, like so.

When one of these dependencies gets updated in the setup.py for my repositories, I currently have to manually update the version in .pre-commit-config.yml: marshmallow-code/marshmallow-jsonapi#286

It would be great if Dependabot could automate these updates.

[hugovk]

Duplicate of #1524.

[sfdye]

Shall we merge with #1524 to track in one issue?

[sloria]

This issue isn't exactly the same as #1524. I'm proposing that additional_dependencies within .pre-commit-config.yaml (like here get updated just as setup.py and requirements.txt do, whereas #1524 is proposing that the actual pre-commit hook versions get updated.

[BeyondEvil]

Any news on this?

[lafrech]

Just found this GH action. Could be a workaround.

https://github.com/marketplace/actions/pre-commit-autoupdate

I haven't tested yet.

[scop]

https://github.com/marketplace/actions/pre-commit-autoupdate
A Github action to run pre-commit autoupdate

That does not touch additional_dependencies.

[scop]

FWIW with some "creative" .pre-commit-config.yaml formatting, Renovate can be tricked into doing this. I'm seeing success with that setup in a few projects, here's one example:

https://github.com/scop/hashpipe/blob/eb11f6c676803aeed04181c786e7a1750f882371/.pre-commit-config.yaml
https://github.com/scop/hashpipe/blob/eb11f6c676803aeed04181c786e7a1750f882371/renovate.json

[chopeen]

You can also configure a custom regex manager - renovatebot/renovate#10055 (comment).

[ddelange]

This issue isn't exactly the same as #1524. I'm proposing that additional_dependencies within .pre-commit-config.yaml (like here get updated just as setup.py and requirements.txt do, whereas #1524 is proposing that the actual pre-commit hook versions get updated.

this requires dependency resolution, within the additional_dependencies, and ideally including the dependencies of the hook itself.

pip recently introduced a --dry-run --report functionality for such use-cases. I'm already happily using it in pipgrip (ddelange/pipgrip#113) and it would probably be your go-to for this issue as well.

[ddelange]

this was rejected upstream by the way due to various blockers: pre-commit/pre-commit#1351 (comment)

you could implement it such that this new mechanic only kicks in if:

• all strings in the additional_dependencies field are in format pkg==version.
• it's a python based pre-commit hook.
  • you could verify this is checking whether all URLs in format https://pypi.org/project/<pkg>/<version>/ for the additional_dependencies redirect to a 200 status code.
  • there is probably a more robust way to verify this. something like inspecting the language key in the particular hook id in the hook repo's .pre-commit-hooks.yaml file.

[carez]

My workaround is to install the packages using requirements-dev.txt (which is maintained by dependabot) and then run pre-commit local hooks like this:

$ cat .pre-commit-config.yaml 
repos:
-   repo: local
    hooks:
    -   id: black
        name: black
        entry: black
        language: system
        types_or: [python, pyi]
        require_serial: true
    -   id: flake8
        name: flake8
        entry: flake8
        language: system
        types: [python]
        require_serial: true
    -   id: mypy
        name: mypy
        entry: mypy
        args: ["--ignore-missing-imports", "--scripts-are-modules"]
        language: system
        types_or: [python, pyi]
        require_serial: true
    -   id: isort
        name: isort
        entry: isort
        args: ["--profile", "black"]
        language: system
        types_or: [cython, pyi, python]
        require_serial: true