On Sun, Apr 2, 2023 at 10:29 AM Oscar Benjamin <[email protected]> wrote:
>
> On Sun, 2 Apr 2023 at 02:19, Aaron Meurer <[email protected]> wrote:
> >
> > On Sat, Apr 1, 2023 at 5:04 AM Oscar Benjamin
> > <[email protected]> wrote:
> > >
> > > On Sat, 1 Apr 2023 at 06:36, Aaron Meurer <[email protected]> wrote:
> > > >
> > > > On Fri, Mar 31, 2023 at 10:33 PM Jason Moore <[email protected]>
> > > > wrote:
> > > > >
> > > > > When the # of dependencies is large, dependabot is a very annoying
> > > > > feature. I contributed to a Javascript lib and the dependabot floods
> > > > > your inbox and notifications with useless PRs. It may be ok for us,
> > > > > since it is only checking a handful of dependencies and those don't
> > > > > change too often.
> > > >
> > > > We actually have quite a few, assuming we were to pin all of them
> > > >
> > > > https://github.com/sympy/sympy/blob/master/.github/workflows/runtests.yml#L201-L203
> > > > (there's a few others in this file too, search for "install")
> > > > https://github.com/sympy/sympy/blob/master/doc/requirements.txt
> > > >
> > > > I don't know if there's a tool that lets you easily see how often
> > > > these are updated but my guess would be 1-5 updates a week.
> > >
> > > Yes, but we could set dependabot to just run once a month. We would
> > > get a small flurry of updates. Most could just get immediately merged.
> > >
> > > What would be nice is if there was an alternative to dependabot that
> > > could batch all the different dependency updates into a single PR or
> > > perhaps a PR for say all doc dependencies so that you know that to
> > > review you just need to check the docs build.
> >
> > It seems that you can configure some of these things:
> >
> > https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit
> > https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval
> >
> > Although it doesn't seem like it can do the thing you suggest where it
> > just opens one PR then pushes new stuff to that same PR.
>
> No, there is an open issue for it:
> https://github.com/dependabot/dependabot-core/issues/1190
>
> I have figured out though a way that I could automate updates for
> requirements.txt files using the create-pull-request action and
> pip-upgrader:
> https://github.com/marketplace/actions/create-pull-request
> https://pypi.org/project/pip-upgrader/
>
> With that I can make something that creates pull requests with grouped
> updates. My suggestion would be to have it run once per month and open
> 3 PRs:
>
> - Doc build dependencies
> - Test dependencies
> - Linter dependencies
>
> We have doc/requirements.txt which could be updated with pip-upgrader.
> A PR for that could be reviewed by checking the docs build (including
> looking at the generated docs).
>
> We could have a .github/pip-constraints.txt to pin versions for the
> dependencies used in CI test jobs. That could be upgraded in a
> separate PR. In this PR any CI failure indicates some sort of bug
> either in upstream dependency or that something should be fixed in
> sympy to work with the latest version of the dependency.
>
> If all linting is done by pre-commit then we can use pre-commit
> autoupdate to update the versions in the pre-commit config. That could
> be a third PR. Here if CI checks fail it means that we should either
> fix the lint errors or possibly adjust the lint config depending on
> what changes would be needed.
>
> Are there any other places we might want to pin versions and keep them
> up to date automatically?
>
> Actually there is one which is the actions workflow files themselves
> (the versions of the actions that are used). I haven't found something
> that can update those offline but we could use dependabot for that or
> otherwise there is an action that can do it:
> https://github.com/marketplace/actions/github-actions-version-updater
>
> If we go with this idea then we can have at most 3 PRs per month plus
> whatever is needed for the actions workflow files.
>
> Does that seem reasonable?
I guess we can try it out and see how it works.

Aaron Meurer

>
> --
> Oscar
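To make the options discussed above concrete, here is an added example of a `.github/dependabot.yml` (not a file from the sympy repository or the thread) that checks `doc/requirements.txt` and the workflow files' action versions once a month, caps the number of open PRs, and uses Dependabot's `groups` key to batch updates into one PR. The `groups` key is an assumption about later Dependabot versions: it was added after this thread, so the "no batching" observation above was accurate at the time; the group name `doc-dependencies` is a constructed label.

```yaml
# .github/dependabot.yml (added example, not from the sympy repository)
version: 2
updates:
  # Documentation build dependencies: Dependabot reads doc/requirements.txt.
  # Monthly schedule and PR cap address the "inbox flood" concern above.
  - package-ecosystem: "pip"
    directory: "/doc"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 3
    # One PR for all doc dependencies, reviewed by checking the docs build.
    # NOTE: 'groups' post-dates this thread (assumption: Dependabot >= mid-2023).
    groups:
      doc-dependencies:
        patterns:
          - "*"

  # Pinned action versions referenced in .github/workflows/*.yml.
  # Keeping these current matters for supply-chain hygiene: actions run
  # with the workflow's token, so a stale or unpinned action is CI-level risk.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 3
```

Test and linter dependencies (a `.github/pip-constraints.txt` and the pre-commit config) are not covered here; the thread proposes `pip-upgrader` and `pre-commit autoupdate` for those, so a separate scheduled workflow would be needed for them.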
