From 702cfed222e05c59289a84384ab8060593ffa933 Mon Sep 17 00:00:00 2001
From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com>
Date: Thu, 23 May 2024 14:56:50 +1000
Subject: [PATCH 1/6] Dependabot config for plugin template and new child plugins

---
 .github/dependabot.yml | 13 +++++++++++++
 .../.github/dependabot.yml | 15 +++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 {{cookiecutter.plugin_name}}/.github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..39d6696
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# Dependabot configuration
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-github-dependabot-version-updates
+# https://til.simonwillison.net/github/dependabot-python-setup
+version: 2
+updates:
+- package-ecosystem: pip
+ directory: "/"
+ schedule:
+ interval: weekly
+ groups:
+ python-packages:
+ patterns:
+ - "*"
\ No newline at end of file
diff --git a/{{cookiecutter.plugin_name}}/.github/dependabot.yml b/{{cookiecutter.plugin_name}}/.github/dependabot.yml
new file mode 100644
index 0000000..6bae182
--- /dev/null
+++ b/{{cookiecutter.plugin_name}}/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# Dependabot configuration
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-github-dependabot-version-updates
+# https://til.simonwillison.net/github/dependabot-python-setup
+{% raw %}
+version: 2
+updates:
+- package-ecosystem: pip
+ directory: "/"
+ schedule:
+ interval: weekly
+ groups:
+ python-packages:
+ patterns:
+ - "*"
+{% endraw %}
\ No newline at end of file
From fdbb117dc3ec9832687f4b0059a1956e0165da25 Mon Sep 17 00:00:00 2001
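Review bot: Only the `pip` ecosystem is listed under `updates:` in both new files (this one and the `{{cookiecutter.plugin_name}}` copy in the same patch), so any GitHub Actions workflows the template or the generated plugin ships under `.github/workflows` — not visible in this hunk — are left out, and pinned action versions are the part of the CI supply chain that most often goes stale. A second entry, `- package-ecosystem: github-actions` with `directory: "/"` and the same `schedule:` block, would bring them under the same update cadence. The `groups:` block with the single pattern `"*"` batches every pip version update into one pull request, which keeps noise down but means a security-motivated bump arrives mixed with unrelated upgrades; a short comment stating that intent above `groups:` would help the next maintainer decide whether to keep it. Both files also end without a trailing newline, as the `\ No newline at end of file` markers show.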
From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com> Date: Thu, 23 May 2024 15:11:57 +1000 Subject: [PATCH 2/6] Add docs about how to enable Dependabot in your github settings --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index b76cbb0..bb23dfb 100644 --- a/README.md +++ b/README.md @@ -107,6 +107,12 @@ git commit -m 'initial commit' git push -u origin main ``` +### Enable Dependabot security updates + +You can use [Dependabot](https://docs.github.com/en/code-security/dependabot) security updates to easily update vulnerable dependencies. + +[Here's how to enable Dependabot in your github settings](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). Your Dependabot configuration file is located at `.github/dependabot.yml`. + ### Monitor testing and coverage The repository should already be setup to run your tests each time you push an From bf5b73b15e69dbf591712b4518584d1f2f51202c Mon Sep 17 00:00:00 2001 From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com> Date: Thu, 6 Jun 2024 14:14:20 +1000 Subject: [PATCH 3/6] Set dependabot interval to longest possible, i.e. monthly --- .github/dependabot.yml | 2 +- {{cookiecutter.plugin_name}}/.github/dependabot.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 39d6696..9742139 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,7 +6,7 @@ updates: - package-ecosystem: pip directory: "/" schedule: - interval: weekly + interval: monthly groups: python-packages: patterns: diff --git a/{{cookiecutter.plugin_name}}/.github/dependabot.yml b/{{cookiecutter.plugin_name}}/.github/dependabot.yml index 6bae182..0946bd1 100644 --- a/{{cookiecutter.plugin_name}}/.github/dependabot.yml 
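Review bot: The `interval: monthly` line in this hunk (and the identical change to the `{{cookiecutter.plugin_name}}` copy in the next hunk) only paces Dependabot version updates; security updates are opened when an alert fires, independent of this schedule, so a monthly cadence does not delay fixes for known-vulnerable dependencies, but it does leave routine version drift unexamined for up to a month. Since the README text added earlier in this series presents the file as a security-update mechanism, a comment above `schedule:` would stop readers from assuming `monthly` throttles vulnerability fixes: `# schedule governs version updates only; security updates are alert-driven`.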
+++ b/{{cookiecutter.plugin_name}}/.github/dependabot.yml @@ -7,7 +7,7 @@ updates: - package-ecosystem: pip directory: "/" schedule: - interval: weekly + interval: monthly groups: python-packages: patterns: From f9f1616b03b7ded61b9149a7c715e7b01fe9dbe5 Mon Sep 17 00:00:00 2001 From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com> Date: Thu, 6 Jun 2024 14:15:32 +1000 Subject: [PATCH 4/6] Add dependabot question to cookiecutter, remove files if option is not requested --- cookiecutter.json | 1 + hooks/post_gen_project.py | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/cookiecutter.json b/cookiecutter.json index c0e80f1..4ffc834 100644 --- a/cookiecutter.json +++ b/cookiecutter.json @@ -13,6 +13,7 @@ "include_widget_plugin": "y", "use_git_tags_for_versioning": "n", "install_precommit": "n", + "install_dependabot": "n", "license": [ "BSD-3", "MIT", diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py index 7bc2ee8..2eed4b9 100644 --- a/hooks/post_gen_project.py +++ b/hooks/post_gen_project.py @@ -32,6 +32,10 @@ def remove_unrequested_plugin_examples(): remove_file(f"src/{module}/_{name}.py") remove_file(f"src/{module}/_tests/test_{name}.py") logger.debug(f"removing {module}/_{name}.py") + # remove dependabot config if unrequested + {% elif key.startswith("install_dependabot") and value != 'y' %} + remove_file(".github/dependabot.yml") + logger.debug("removeing .github/dependabot.yml") {% endif %} {% endfor %} From a2c7e7efea39ac31bf623977bfbac5bc5c7115ee Mon Sep 17 00:00:00 2001 From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com> Date: Thu, 6 Jun 2024 14:26:55 +1000 Subject: [PATCH 5/6] Add documentation about the dependabot config option --- PROMPTS.md | 16 ++++++++++++++++ README.md | 12 ++++++------ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/PROMPTS.md b/PROMPTS.md index 08e2c01..794aa3d 100644 --- a/PROMPTS.md +++ b/PROMPTS.md 
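Review bot: The comment `# remove dependabot config if unrequested` is placed on the line before `{% elif key.startswith("install_dependabot") and value != 'y' %}`, so in the rendered hook it is emitted inside the preceding branch (the plugin-example removal) rather than next to the dependabot removal it describes; move it to the line after the `{% elif %}`, directly above `remove_file(".github/dependabot.yml")`. The `value != 'y'` comparison is also case-sensitive, so an answer such as `Y` or `yes` removes the config silently; if the other prompts in this file are tested the same way it is at least consistent, otherwise `value.lower() != 'y'` or an explicit choice list for `install_dependabot` in cookiecutter.json would avoid the surprise. The enclosing `remove_unrequested_plugin_examples` function and its `{% for %}` loop begin outside this hunk, so whether `remove_file` tolerates an already-missing path cannot be checked from here.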
@@ -143,6 +143,22 @@ In order to use this option, you must run `git init` once in your package's root directory. ``` +## install_precommit + +The default for this prompt is `"n"`. + +If you choose "y" for this prompt, then [pre-commit](ttps://pre-commit.com/) will be installed. +Among other things, it includes checks for code linting and best practices in napari plugins. + +## install_dependabot + +The default for this prompt is `"n"`. + +If you choose "y" for this prompt, then a [Dependabot](https://docs.github.com/en/code-security/dependabot) configuration file will be created at `.github/dependabot.yml`. + +You will still need to enable Dependabot in your github settings, [see the instructions at this link](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). + + ## license This prompt allows you to choose from a variety of open source licensing options diff --git a/README.md b/README.md index bb23dfb..b08254e 100644 --- a/README.md +++ b/README.md @@ -107,12 +107,6 @@ git commit -m 'initial commit' git push -u origin main ``` -### Enable Dependabot security updates - -You can use [Dependabot](https://docs.github.com/en/code-security/dependabot) security updates to easily update vulnerable dependencies. - -[Here's how to enable Dependabot in your github settings](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). Your Dependabot configuration file is located at `.github/dependabot.yml`. - ### Monitor testing and coverage The repository should already be setup to run your tests each time you push an 
@@ -221,6 +215,12 @@ pre-commit install You can also have these checks run automatically for you when you push to github by installing [pre-commit ci](https://pre-commit.ci/) on your repository. +## Dependabot + +This template also includes a default yaml configuration for [Dependabot](https://docs.github.com/en/code-security/dependabot). This can help you check for security updates to easily update vulnerable dependencies. + +You will still need to enable Dependabot in your github settings, [see the instructions at this link](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). Your Dependabot configuration file is located at `.github/dependabot.yml`. + ## Features - Installable [PyPI] package From f75e5695237cb1127544ff7805938c2bce457f8f Mon Sep 17 00:00:00 2001 From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com> Date: Thu, 6 Jun 2024 16:14:36 +1000 Subject: [PATCH 6/6] Fix typo --- hooks/post_gen_project.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py index 2eed4b9..218cb18 100644 --- a/hooks/post_gen_project.py +++ b/hooks/post_gen_project.py @@ -35,7 +35,7 @@ def remove_unrequested_plugin_examples(): # remove dependabot config if unrequested {% elif key.startswith("install_dependabot") and value != 'y' %} remove_file(".github/dependabot.yml") - logger.debug("removeing .github/dependabot.yml") + logger.debug("removing .github/dependabot.yml") {% endif %} {% endfor %}