Bring back dependabot #1864
```yaml
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```
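Review bot: the PR description says the setup follows the pip lockfile write-ups and #1861, but it does not mention that this `github-actions` entry puts the workflow actions under Dependabot as well; add a sentence to the description so the scope of the change (pip lockfile plus GitHub Actions updates) is recorded where reviewers and the changelog will look for it.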
Figured we might as well add these, too.
Yay for automation!
Codecov Report: Base: 98.31% // Head: 98.29% // Decreases project coverage by 0.02%

Coverage Diff (main vs. #1864):

| | main | #1864 | +/- |
|---|---|---|---|
| Coverage | 98.31% | 98.29% | -0.02% |
| Files | 95 | 95 | |
| Lines | 8404 | 8409 | +5 |
| Hits | 8262 | 8266 | +4 |
| Misses | 142 | 143 | +1 |
The pre-commit.ci failure seems unrelated. I think we can remove it from

Should we take this approach, then we might want to update the list of CI checks that are required before merging, and not require the other tests that might have spontaneous failures due to upstream package changes. That'd make it so that weird spontaneous failures are less likely to block PRs from being merged. Thank you for doing this!

I temporarily removed the requirement for the Documentation job, as it's been renamed.

Welp. I tried installing the combined requirements.txt file and it already has issues on docutils:
So let's go with a single file.
LGTM! I only have one minor reST edit as a suggestion for this PR. I'm happy to try it out!
```yaml
  - package-ecosystem: pip
    directory: /
    schedule:
      interval: daily # TODO s/daily/weekly once dependabot has settled
```
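Review bot: the `# TODO s/daily/weekly once dependabot has settled` note on `interval: daily` has no owner or tracking reference, so it is easy to forget once the daily PRs stop being interesting; either reference the follow-up issue in the comment or state the condition for switching (for example, after the first clean weekly cycle), since the review discussion already agrees that `weekly` is the long-term target.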
It's good to start out with daily for the time being, while making sure that dependabot is working as expected.
I had been leaning towards going with monthly in the long-term, but the more I think about it, weekly would probably be best. In particular, having this be monthly would increase the chances of us having to deal with more than one thing breaking in a single PR. And too often in my experience... doubling the problems that we have to deal with more than doubles the effort needed to fix the combined problems.
Co-authored-by: Nick Murphy <namurphy@cfa.harvard.edu>
This closes #1861, where the motivation is also laid out. The setup follows https://www.b-list.org/weblog/2022/may/13/boring-python-dependencies/, https://iscinumpy.dev/post/bound-version-constraints/ and dependabot/dependabot-core#3290.
To quote from that last link there:

The lockfile concept is the answer to all my doubts from #1861. Essentially, I was right that upper pinning dependencies is problematic; but it is not the only way to ensure tests are run with a particular set of dependencies. Instead, tools (classically poetry, more recently `pip-compile`) can inspect requirements, e.g. lower and upper bounds on package versions, and create a lockfile, which is basically "at this time, the most recent set of packages that solves all of these constraints". A single point in dependency space right at the bound of the allowed region.

Essentially, the process goes like:

- `pyproject.toml`
- `pip-compile --resolver=backtracking --all-extras` from `pip-tools` to generate a `requirements.txt` file that pins everything to specific versions; here's an excerpt:

This might need a "merge first, adjust later" approach for the actual dependabot part.
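The lockfile approach only buys reproducible, reviewable dependency updates if the generated file actually pins every package to one version, and it only resists a tampered package index if each pin also carries hashes. The following is an added example, not PlasmaPy's code and not part of pip-tools: it parses a `requirements.txt` laid out the way `pip-compile` writes it (backslash continuations, `--hash=` entries, `# via` comments) and reports anything that is not an exact `==` pin or that has no hash. `pip-compile --generate-hashes` emits those hashes and `pip install --require-hashes` makes pip refuse any requirement without them; the sample lockfile text and its 64-hex-character digest are constructed placeholders.

```python
"""Check that a pip-compile style lockfile really pins everything.

Added example, not PlasmaPy's code and not part of pip-tools: it parses a
requirements.txt the way pip-compile lays it out and flags anything that is
not an exact ``==`` pin or that carries no ``--hash`` entries.
"""
import re
from dataclasses import dataclass, field

# Constructed placeholder digest (64 hex characters), not a real package hash.
PLACEHOLDER_DIGEST = "0123456789abcdef" * 4

# Constructed sample of a compiled lockfile (not PlasmaPy's real file): one
# fully hashed pin, one bare pin, one lower bound only, and one editable install.
SAMPLE_LOCKFILE = f"""\
#
# This file is autogenerated by pip-compile
#
docutils==0.19 \\
    --hash=sha256:{PLACEHOLDER_DIGEST}
    # via sphinx
numpy==1.24.1
astropy>=5.0
-e .
"""

# name[extras]<operator>version: the operator is where the version spec starts.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(?P<spec>[<>=!~]=?[^\s]*)$"
)
HASH_RE = re.compile(r"--hash=(?P<algo>[A-Za-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    spec: str
    hashes: list = field(default_factory=list)

    @property
    def exact(self):
        # A single '==' clause; '==1.0,<2' or '>=5.0' do not lock one point.
        return self.spec.startswith("==") and "," not in self.spec


def _logical_lines(text):
    """Yield requirement lines with backslash continuations joined and
    comment / blank lines dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing '# via ...' notes
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_lockfile(text):
    """Return (pins, problems): the parsed pins plus every finding that means
    the file does not fully determine what pip will install."""
    pins, problems = [], []
    for line in _logical_lines(text):
        if line.startswith("-"):  # '-e .', '-r other.txt', '--index-url ...'
            problems.append(f"option line, not a pinned package: {line}")
            continue
        head, *rest = line.split()
        m = REQ_RE.match(head)
        if not m:
            problems.append(f"unparseable requirement: {line}")
            continue
        pin = Pin(name=m["name"].lower(), spec=m["spec"],
                  hashes=[h.group(0) for h in HASH_RE.finditer(" ".join(rest))])
        pins.append(pin)
        if not pin.exact:
            problems.append(f"{pin.name}: not an exact pin ({pin.spec})")
        elif not pin.hashes:
            problems.append(f"{pin.name}: pinned but without --hash entries")
    return pins, problems


def lockfile_is_hermetic(text):
    """True only if every line is an exact pin with at least one hash, i.e.
    the file would be accepted by `pip install --require-hashes`."""
    return not parse_lockfile(text)[1]


if __name__ == "__main__":
    parsed, findings = parse_lockfile(SAMPLE_LOCKFILE)
    print(f"{len(parsed)} requirements parsed, {len(findings)} findings")
    for finding in findings:
        print(" -", finding)
    print("hermetic:", lockfile_is_hermetic(SAMPLE_LOCKFILE))
```

Run against the constructed sample it reports three findings (the bare `numpy` pin, the `astropy>=5.0` lower bound, and the `-e .` editable install) and only the hashed `docutils` line passes; a CI job that runs this over the committed lockfile turns the "pins everything" property into a check rather than a convention.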