Improve dependabot experience #1823

Closed
legoktm opened this issue Feb 12, 2024 · 3 comments · Fixed by #2018
Labels
⚙️ Tooling Improving maintainability and increasing maintainer joy : )

Comments

legoktm (Member) commented Feb 12, 2024

Currently dependabot opens a PR for each individual package in each component, creating a giant spam of updates that is IMO unmanageable.

I'll at least start with grouped updates since that's officially supported and will cut down on the package spam.

legoktm added a commit that referenced this issue Feb 12, 2024
To cut down on the number of PRs opened, have dependabot group all
the updates for a component in a single pull request.

Refs #1823.
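The grouping the commit above describes, as an added dependabot.yml example that is not the project's own configuration; the component directories, group names and pip ecosystem are assumptions:

```yaml
# Added example, not the project's own file: one grouped PR per component
# instead of one PR per package. Directories and group names are assumed.
version: 2
updates:
  # One entry per component; dependabot opens at most one PR per group.
  - package-ecosystem: "pip"
    directory: "/client"        # assumed component path
    schedule:
      interval: "weekly"
    groups:
      client-deps:              # assumed group name
        patterns:
          - "*"                 # every dependency in this component
  - package-ecosystem: "pip"
    directory: "/proxy"         # assumed component path
    schedule:
      interval: "weekly"
    groups:
      proxy-deps:               # assumed group name
        patterns:
          - "*"
```

Grouping only reduces the number of PRs; a grouped PR can still carry a transitive bump of a shared production dependency pulled in by a dev tool, so review the lockfile diff of each grouped PR rather than its title.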
rocodes (Contributor) commented Feb 13, 2024

I like your first idea (about the one lock file, and multiple groups), but mostly feel extremely appreciative that you are taking this on in any form.
I think any solution that a) allows for as few duplicated PRs/updates as possible and b) encourages us to keep our dependency versions consistent across components at the repo level (as opposed to hiding that complexity by tweaking the github/PR behaviour) would be my preference, but anything is an improvement, #1824 definitely is :)

@rocodes rocodes added the ⚙️ Tooling Improving maintainability and increasing maintainer joy : ) label Feb 13, 2024
legoktm (Member, Author) commented Mar 4, 2024

We're currently stalled on applying most dependabot updates because the new semgrep version requires a new major version of urllib3, which it bumps despite it also being a prod dependency. I can't find any knobs in dependabot to prevent this case from happening (aside from excluding semgrep entirely), so either we back out the semgrep update or just keep waiting until the proxy v2 stuff lands, which has the nice side effect of removing urllib3/requests from prod dependencies.

legoktm (Member, Author) commented May 20, 2024

This is now available so I've opened #2018. We've also landed proxy v2 so the previous issue with dev deps bringing in prod updates is less likely to happen. As such, I've marked #2018 to close this issue.
