diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2c7d1708..9ecc51dc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,7 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ groups:
+ actions:
+ patterns:
+ - "*"
diff --git a/README.md b/README.md
index c6cb5bdf..cb901948 100644
--- a/README.md
+++ b/README.md
@@ -348,6 +348,7 @@ for family, grp in itertools.groupby(collected.checks.items(), key=lambda x: x[1
 - [`GH200`](https://learn.scientific-python.org/development/guides/gha-basic#GH200): Maintained by Dependabot
 - [`GH210`](https://learn.scientific-python.org/development/guides/gha-basic#GH210): Maintains the GitHub action versions with Dependabot
 - [`GH211`](https://learn.scientific-python.org/development/guides/gha-basic#GH211): Do not pin core actions as major versions
+- [`GH212`](https://learn.scientific-python.org/development/guides/gha-basic#GH212): Require GHA update grouping
 ### MyPy
 - [`MY100`](https://learn.scientific-python.org/development/guides/style#MY100): Uses MyPy (pyproject config)
diff --git a/docs/pages/guides/gha_basic.md b/docs/pages/guides/gha_basic.md
index 33579b07..20f54382 100644
--- a/docs/pages/guides/gha_basic.md
+++ b/docs/pages/guides/gha_basic.md
@@ -142,14 +142,20 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ groups:
+ actions:
+ patterns:
+ - "*"
 ```
 This will check to see if there are updates to the action weekly, and will make a PR if there are updates, including the changelog and commit summary in the PR. If you select a name like `v1`, this should only look for updates of the same form (since April 2022) - there is no need to restrict updates for "moving tag"
-updates anymore {% rr PY006 %}. You can also use SHA's and dependabot will
-respect that too.
+updates anymore {% rr GH211 %}. You can also use SHA's and dependabot will
+respect that too. And `groups` will combine actions updates {% rr GH212 %},
+which is both cleaner and sometimes required for dependent actions, like
+`upload-artifact`/`download-artifact`.
 You can use this for other ecosystems too, including Python.
diff --git a/src/sp_repo_review/checks/github.py b/src/sp_repo_review/checks/github.py
index b09edcf5..c3d22c65 100644
--- a/src/sp_repo_review/checks/github.py
+++ b/src/sp_repo_review/checks/github.py
@@ -149,7 +149,11 @@ def check(dependabot: dict[str, Any]) -> bool:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule: 
- interval: "weekly"
+ interval: "weekly"
+ groups:
+ actions:
+ patterns:
+ - "*"
 ```
 """
 for ecosystem in dependabot.get("updates", []):
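Review bot: The YAML example added to this docstring now shows a `groups` block, but as far as the visible lines show this check only walks the `updates` list (its body continues outside the hunk), so a reader may take the example as the condition this check enforces rather than a recommended configuration. A sentence after the fence such as `The groups block is recommended here but is checked separately by GH212.` would keep the docstring honest about what this check verifies. The enclosing function's signature and the remainder of its body lie outside the hunk.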
@@ -179,5 +183,34 @@ def check(dependabot: dict[str, Any]) -> bool:
 return True
+class GH212(GitHub):
+ "Require GHA update grouping"
+
+ requires = {"GH200", "GH210"}
+ url = mk_url("gha-basic")
+
+ @staticmethod
+ def check(dependabot: dict[str, Any]) -> bool:
+ """
+ Projects should group their updates to avoid extra PRs and stay in sync.
+ This is now supported by dependabot since June 2023.
+
+ ```yaml
+ groups:
+ actions:
+ patterns:
+ - "*"
+ ```
+ """
+
+ for ecosystem in dependabot.get("updates", []):
+ if (
+ ecosystem.get("package-ecosystem", "") == "github-actions"
+ and "groups" not in ecosystem
+ ):
+ return False
+ return True
+
+
 def repo_review_checks() -> dict[str, GitHub]:
 return {p.__name__: p() for p in GitHub.__subclasses__()}
diff --git a/{{cookiecutter.project_name}}/.github/dependabot.yml b/{{cookiecutter.project_name}}/.github/dependabot.yml
index 6fddca0d..6c4b3695 100644
--- a/{{cookiecutter.project_name}}/.github/dependabot.yml
+++ b/{{cookiecutter.project_name}}/.github/dependabot.yml
@@ -5,3 +5,7 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ groups:
+ actions:
+ patterns:
+ - "*"
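Review bot: `"groups" not in ecosystem` in GH212.check is satisfied by an empty or null `groups:` key, so a `github-actions` entry that declares `groups:` with no body passes even though nothing is grouped; `not ecosystem.get("groups")` would require at least one group to actually be defined. The loop also iterates `dependabot.get("updates", [])`, which raises `TypeError` when `updates:` is present but empty (YAML loads that as `None`) — the check in the previous hunk of this file uses the same shape, so any fix should be applied to both. The docstring should also state the check's limits, e.g. `Only the presence of a non-empty groups mapping is verified; the patterns inside it are not inspected.`, since the example implies a `"*"` pattern is required when the code does not look at it.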