
Add Github action to auto merge dependabot and pyup security updates if all tests pass. #2852

Closed
arnav13081994 opened this issue Sep 23, 2020 · 5 comments

Comments

@arnav13081994
Contributor

Description

What are you proposing? How should it be implemented?

I propose to add a new GitHub action or job that will auto merge pull requests from the pyup bot and the dependabot should the PR so created have no merge conflicts with master and all tests also pass.

This will be very similar to how pre-commit tool versions in the repo root are kept up to date.

Rationale

Why should this feature be implemented?

This would make updating requirements easier and more automated and would likely also make the project more secure. The tests are used to make the decision to merge updates from dependabot and pyup right now anyway.
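One way the proposal above could be realised, as an added illustration rather than anything from this issue or the cookiecutter-django repository: a workflow that enables GitHub's auto-merge on bot-authored PRs, so the merge only happens once the branch protection's required status checks (the existing test workflow) pass. Assumed: `master` has branch protection with the test checks marked required, auto-merge is enabled in the repository settings, the pyup account login is `pyup-bot`, and the optional `AUTOMERGE_TOKEN` secret is a hypothetical name.

```yaml
# Added example workflow (not part of the original issue or project).
# Auto-merge is delegated to GitHub: `gh pr merge --auto` only merges after
# every required status check on the protected branch passes and the PR is
# mergeable (no conflicts), so the tests remain the gate.
name: Auto-merge dependency updates

on:
  pull_request:
    branches: [master]

# Least privilege: only what enabling auto-merge needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  enable-automerge:
    # Act only on PRs whose author is one of the dependency bots; the PR's
    # author login is used rather than github.actor so re-runs by a
    # maintainer do not change the outcome.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' ||
      github.event.pull_request.user.login == 'pyup-bot'
    runs-on: ubuntu-latest
    steps:
      - name: Enable auto-merge (merge happens only after required checks pass)
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          # Runs triggered by Dependabot may receive a read-only GITHUB_TOKEN;
          # AUTOMERGE_TOKEN is an assumed repository secret holding a token
          # with write access, used when present.
          GITHUB_TOKEN: ${{ secrets.AUTOMERGE_TOKEN || secrets.GITHUB_TOKEN }}
```

If auto-merge is not enabled in the repository settings or no checks are marked required, `gh pr merge --auto` fails rather than merging, which is the safe direction.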

@browniebroke
Member

I didn't know we could do that with Github actions. That sounds interesting!

I sometimes tested some updates for libraries which are production only, but I do this less often these days.

@arnav13081994
Contributor Author

I can always make it so that it runs only on requirements in 'requirements/local.txt', but then I'm not sure how useful automated security updates etc. would be. Let me know what works best.

@Andrew-Chen-Wang
Contributor

Andrew-Chen-Wang commented Sep 28, 2020

@browniebroke You can just go into GitHub marketplace and add dependabot-preview. Then you can select the repo, select which requirements files you want, choose the labels you want, and it'll auto update, just like how pyup does it. You can see the outcome here where dependabot just litters my repo with updates to botocore and boto3 lmao.

You can find more info on configuring the auto merge here: https://dependabot.com/docs/config-file/#automerged_updates

If I'm not wrong, since GitHub bought dependabot, I think you don't even need to register in dependabot. You can just create their .dependabot.yaml file... somewhere... I can't remember.

@browniebroke
Member

As I mentioned in the pull request, dependabot is out of scope of this IMO, as it doesn't work well with cookiecutter templated files. Dependabot preview is the old version, before Github integrated it. The native Dependabot doesn't need to be enabled, uses a different config file and is part of GitHub docs.

@Andrew-Chen-Wang
Contributor

I think this issue can be closed with the comments from #2872
