Figure out why major label was added to dependabot created PR #175

Open
yarikoptic opened this issue Aug 30, 2023 · 4 comments
@yarikoptic
Member

#164 had internal and major labels, which I have missed and thus merging/releasing resulted in 1.0.0 release of datalad-installer. Not a biggie, I think we are fine with 1.0.0 release (finally), but it is not clear why "major" was added since https://github.com/datalad/datalad-installer/blob/master/.github/dependabot.yml#L10 has only internal.

@yarikoptic yarikoptic added the internal Changes only affect the internal API label Aug 30, 2023
@jwodder
Member

jwodder commented Nov 3, 2023

This happened because, whenever Dependabot creates a PR for a major version update (e.g., v3 to v4), if the repository the PR is created in has a "major" label defined, the label will be applied to the PR regardless of what's in dependabot.yml, and likewise for minor and patch version updates. I don't think this is mentioned in Dependabot's documentation, but there's an open issue to give Dependabot the option to not do this.

I recommend addressing this by reconfiguring auto to use labels that aren't named "major", "minor", and "patch"; for an example configuration, see auto's last used configuration in datalad/datalad. Once .autorc is updated, the labels in the repository will have to be renamed manually; I think that running auto create-labels would just create new labels rather than renaming, so don't do that. (I wrote https://github.com/jwodder/labelmaker over my break which could be of use here.)

(An alternative approach would be to create a GitHub Actions workflow that automatically relabels Dependabot PRs, but that seems too much like a bandaid.)

auto will also have to be reconfigured on all other repositories that use both auto and Dependabot; the following script will list them:

#!/usr/bin/env python3
# /// script
# requires-python = ">=3.8"
# dependencies = ["ghreq ~= 0.1", "ghtoken ~= 0.1"]
# ///

from __future__ import annotations
from collections.abc import Iterator
import ghreq
from ghtoken import get_ghtoken

OWNERS = ["con", "dandi", "datalad"]


class Client(ghreq.Client):
    def get_repos_for_owner(self, owner: str) -> Iterator[dict]:
        return self.paginate(f"/users/{owner}/repos")

    def has_file(self, repo_url: str, path: str) -> bool:
        try:
            self.request("HEAD", f"{repo_url}/contents/{path}", raw=True)
        except ghreq.PrettyHTTPError as e:
            if e.response.status_code == 404:
                return False
            else:
                raise e
        else:
            return True


with Client(token=get_ghtoken()) as client:
    for owner in OWNERS:
        for r in client.get_repos_for_owner(owner):
            if r["archived"] or r["fork"]:
                continue
            if client.has_file(r["url"], ".autorc") and client.has_file(
                r["url"], ".github/dependabot.yml"
            ):
                print(r["full_name"])

You may also want to create an issue in auto's repository about this; there doesn't seem to be one there already.
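Added example, not part of the comment above or of any project's code: an offline check of whether a repository's `.autorc` still lets a Dependabot-applied label trigger a version bump. It assumes `.autorc` is JSON, that auto's built-in labels for the three release types are named "major", "minor" and "patch", and that a configured label with `"overwrite": true` replaces the built-in one; the function names and sample configurations are constructed for illustration.

```python
from __future__ import annotations
import json

# Per the comment above: Dependabot applies these labels on its own when the
# repository defines them, regardless of dependabot.yml.
DEPENDABOT_SEMVER_LABELS = {"major", "minor", "patch"}
# Assumption: auto's built-in label name for each version-bumping release type.
AUTO_DEFAULTS = {"major": "major", "minor": "minor", "patch": "patch"}


def effective_release_labels(autorc_text: str) -> dict[str, set[str]]:
    """Map each release type to the label names that trigger it."""
    labels = [
        lb for lb in json.loads(autorc_text).get("labels", [])
        if lb.get("releaseType") in AUTO_DEFAULTS
    ]
    # Assumption: "overwrite": true drops auto's default label for that type.
    overwritten = {lb["releaseType"] for lb in labels if lb.get("overwrite")}
    effective = {
        rtype: set() if rtype in overwritten else {name}
        for rtype, name in AUTO_DEFAULTS.items()
    }
    for lb in labels:
        effective[lb["releaseType"]].add(lb["name"])
    return effective


def colliding_labels(autorc_text: str, repo_labels: list[str]) -> dict[str, str]:
    """Labels defined in the repo that Dependabot auto-applies AND auto treats
    as a version bump, mapped to the release type they would trigger."""
    defined = set(repo_labels)
    return {
        name: rtype
        for rtype, names in effective_release_labels(autorc_text).items()
        for name in names
        if name in DEPENDABOT_SEMVER_LABELS and name in defined
    }


# Constructed sample configurations (not taken from any real repository).
AUTORC_DEFAULT = '{"plugins": ["git-tag"]}'
AUTORC_PARTIAL = '{"labels": [{"name": "semver-major", "releaseType": "major"}]}'
AUTORC_RENAMED = json.dumps({"labels": [
    {"name": f"semver-{t}", "releaseType": t, "overwrite": True}
    for t in AUTO_DEFAULTS
]})

if __name__ == "__main__":
    repo = ["major", "minor", "patch", "semver-major", "internal"]
    for cfg in (AUTORC_DEFAULT, AUTORC_PARTIAL, AUTORC_RENAMED):
        print(colliding_labels(cfg, repo))
```

The partial case is the one to watch: adding a `semver-major` label without replacing the default leaves "major" active, so a Dependabot major-version PR would still drive a major release.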

@jwodder
Member

jwodder commented Nov 8, 2023

I just realized there's another category of our repositories that use both "major" labels and Dependabot: those that use datalad/release-action with labels named "major" etc. The only such repository seems to be https://github.com/datalad/datalad-container. (datalad/release-action itself also uses "major" labels, but it doesn't use Dependabot.)

@yarikoptic
Member Author

Ideally it should IMHO be addressed on dependabot, but given that that issue is from Apr 9, 2021 and not yet resolved, I wonder if it would ever be. Indeed then we are doomed to switch everywhere (auto or datalad/release-action driven projects) to use e.g. semver- prefixed labels.

> You may also want to create an issue in auto's repository about this; there doesn't seem to be one there already.

Would you be so kind as to do so?

@jwodder
Member

jwodder commented Nov 8, 2023

@yarikoptic Issue created: intuit/auto#2412
