On Sun, 2 Apr 2023 at 02:19, Aaron Meurer <[email protected]> wrote:
>
> On Sat, Apr 1, 2023 at 5:04 AM Oscar Benjamin
> <[email protected]> wrote:
> >
> > On Sat, 1 Apr 2023 at 06:36, Aaron Meurer <[email protected]> wrote:
> > >
> > > On Fri, Mar 31, 2023 at 10:33 PM Jason Moore <[email protected]> wrote:
> > > >
> > > > When the # of dependencies is large, dependabot is a very annoying feature. I contributed to a Javascript lib and the dependabot floods your inbox and notifications with useless PRs. It may be ok for us, since it is only checking a handful of dependencies and those don't change too often.
> > >
> > > We actually have quite a few, assuming we were to pin all of them
> > >
> > > https://github.com/sympy/sympy/blob/master/.github/workflows/runtests.yml#L201-L203
> > > (there's a few others in this file too, search for "install")
> > > https://github.com/sympy/sympy/blob/master/doc/requirements.txt
> > >
> > > I don't know if there's a tool that lets you easily see how often these are updated but my guess would be 1-5 updates a week.
> >
> > Yes, but we could set dependabot to just run once a month. We would get a small flurry of updates. Most could just get immediately merged.
> >
> > What would be nice is if there was an alternative to dependabot that could batch all the different dependency updates into a single PR or perhaps a PR for say all doc dependencies so that you know that to review you just need to check the docs build.
>
> It seems that you can configure some of these things:
>
> https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit
> https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval
>
> Although it doesn't seem like it can do the thing you suggest where it just opens one PR then pushes new stuff to that same PR.
No, there is an open issue for it:
https://github.com/dependabot/dependabot-core/issues/1190

I have figured out though a way that I could automate updates for requirements.txt files using the create-pull-request action and pip-upgrader:
https://github.com/marketplace/actions/create-pull-request
https://pypi.org/project/pip-upgrader/

With that I can make something that creates pull requests with grouped updates. My suggestion would be to have it run once per month and open 3 PRs:

- Doc build dependencies
- Test dependencies
- Linter dependencies

We have doc/requirements.txt which could be updated with pip-upgrader. A PR for that could be reviewed by checking the docs build (including looking at the generated docs).

We could have a .github/pip-constraints.txt to pin versions for the dependencies used in CI test jobs. That could be upgraded in a separate PR. In this PR any CI failure indicates some sort of bug either in an upstream dependency or that something should be fixed in sympy to work with the latest version of the dependency.

If all linting is done by pre-commit then we can use pre-commit autoupdate to update the versions in the pre-commit config. That could be a third PR. Here if CI checks fail it means that we should either fix the lint errors or possibly adjust the lint config depending on what changes would be needed.

Are there any other places we might want to pin versions and keep them up to date automatically? Actually there is one which is the actions workflow files themselves (the versions of the actions that are used). I haven't found something that can update those offline but we could use dependabot for that or otherwise there is an action that can do it:
https://github.com/marketplace/actions/github-actions-version-updater

If we go with this idea then we can have at most 3 PRs per month plus whatever is needed for the actions workflow files. Does that seem reasonable?
--
Oscar

--
You received this message because you are subscribed to the Google Groups "sympy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/sympy/CAHVvXxQhb9fVHi-GR6Zg3afApuwu2cPXfT_YzZAxWK9Pcq%2BzbA%40mail.gmail.com.
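The two dependabot.yml options Aaron links above (schedule interval and open-pull-requests limit), written out as a concrete file. This is an added example, not sympy's configuration: it covers only the actions workflow files, the one place where Oscar says dependabot could still be used, and the monthly interval and the limit value are choices made here, not something the thread settled on.

```yaml
# .github/dependabot.yml (added example, not sympy's own configuration)
version: 2
updates:
  # Keep the pinned "uses: owner/action@version" references in
  # .github/workflows/ current; dependabot finds them from the repo root.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # One small flurry of PRs per month instead of a steady drip.
      interval: "monthly"
    # Cap on simultaneously open dependabot PRs for this ecosystem
    # (value chosen for the example).
    open-pull-requests-limit: 5
```

With no `pip` entry here, doc/requirements.txt and any constraints file are left to the grouped-PR workflow Oscar describes rather than to dependabot's one-PR-per-package updates.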

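A workflow implementing the three grouped PRs Oscar proposes, as an added example rather than anything taken from the sympy repository. It assumes the constraints file lives at .github/pip-constraints.txt as suggested, that the lint hooks are in .pre-commit-config.yaml, and that the pip-upgrader command-line options used here (`-p all`, `--skip-package-installation`, `--skip-virtualenv-check`) are as documented for that tool; the workflow file name, branch names, cron time and action version tags are also assumptions.

```yaml
# .github/workflows/update-deps.yml (added example; file name, job layout and
# the .github/pip-constraints.txt path are assumptions, not sympy's own setup)
name: Monthly dependency update PRs

on:
  schedule:
    - cron: "0 6 1 * *"   # 06:00 UTC on the first day of every month
  workflow_dispatch:      # allow a manual run while setting this up

# Only what create-pull-request needs: push a branch and open a PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # one group failing must not cancel the other two
      matrix:
        include:
          # Doc build dependencies: reviewed by checking the docs build.
          - group: docs
            files: doc/requirements.txt
            run: pip-upgrade doc/requirements.txt -p all --skip-package-installation --skip-virtualenv-check
          # Test dependencies pinned via a constraints file: any CI failure on
          # the resulting PR points at an upstream bug or a sympy fix.
          - group: tests
            files: .github/pip-constraints.txt
            run: pip-upgrade .github/pip-constraints.txt -p all --skip-package-installation --skip-virtualenv-check
          # Linter dependencies: pre-commit rewrites the hook versions itself.
          - group: lint
            files: .pre-commit-config.yaml
            run: pre-commit autoupdate
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.11"
      - run: pip install pip-upgrader pre-commit
      - run: ${{ matrix.run }}
      # Opens one PR per matrix group; no PR is created when nothing changed.
      - uses: peter-evans/create-pull-request@v5
        with:
          branch: deps/${{ matrix.group }}
          delete-branch: true
          add-paths: ${{ matrix.files }}
          commit-message: "Update ${{ matrix.group }} dependencies"
          title: "Monthly ${{ matrix.group }} dependency update"
          body: |
            Automated monthly bump of the ${{ matrix.group }} dependencies
            (${{ matrix.files }}). Review by checking the CI results for this PR.
```

Two caveats a reviewer would want before adopting this: a PR opened with the default GITHUB_TOKEN does not trigger the repository's other workflows, so the CI checks the thread relies on for reviewing these PRs only run if the action is given a personal access token or GitHub App token instead; and the action references above are tag-pinned, whereas pinning them to full commit SHAs (which the actions version updater Oscar links, or the dependabot github-actions ecosystem, can then keep current) is the stricter supply-chain practice.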