
Conversation

@krzywon (Contributor) commented Sep 19, 2025

Description

This bundles all GitHub Action updates made by Dependabot into a single PR. This will ensure we aren't in a situation where a series of major updates that depend on one another are pushed into different PRs, each of which is failing, without knowing whether they will work together well (see #3588, #3589, #3590, #3591, and #3592 as an example).

Review Checklist:

Licensing (untick if necessary)

  • The introduced changes comply with SasView license (BSD 3-Clause)

…l actions are added to a single PR to ensure tied actions are updated as a group.
@llimeht (Contributor) commented Sep 20, 2025

CI failure appears unrelated but needs urgent attention separately... See #3603.

@butlerpd (Member)

Without @krzywon we are holding for now. At one point we discussed disabling dependabot PRs. Does anybody have a thought on this PR?

@backmari (Contributor)

I think this is the related discussion about possibly disabling dependabot: https://github.com/orgs/SasView/discussions/3245#discussioncomment-13756949
As mentioned in the comment, once the release is out, dependabot will allow us to keep up to date with dependencies (also for things like GitHub actions versions).
While we still have dependabot, grouping dependabot changes into one PR looks like a good change to me 👍

@llimeht (Contributor) commented Nov 12, 2025

Dependabot managing upgrades to the actions makes sense to me. Grouping them together is definitely worthwhile. Letting the bot deal with conflicts is better than having humans deal with them (so its changes should go in after other PRs that are making changes to CI; not sure how ugly #3653 will be to rebase)

Having dependabot ignore build_tools/requirements-release-*.txt except for security issues seems necessary. These files shouldn't exist (or at least, should have no content) in the main branch at all as they are not needed in main, and if they are full of old pins from the last release, when the release-foo branch is created they will point to the wrong versions of the packages. We can address this last point with #3743, after which dependabot will focus on the actions only.

@krzywon (Contributor, Author) commented Nov 14, 2025

Dependabot is only enabled for GitHub actions we use in our CI. The requirements files should not be checked. I don't see any reason to remove them, but there is also no reason to keep them.

This PR is to prevent instances where actions we are using are all upgraded, simultaneously, and each, individually, might cause breaking changes that aren't caught when building on their own.
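As an added illustration of the grouping described in the PR description and in the comment above (this is not SasView's own configuration and not the content of this PR), a `.github/dependabot.yml` that opens one PR for every GitHub Actions bump. The directory, schedule, group name and pull-request limit are assumptions; only the `github-actions` ecosystem is enabled, so no requirements files are touched by version updates:

```yaml
# .github/dependabot.yml (illustrative example, not the project's actual file)
version: 2
updates:
  # Only the actions referenced by the CI workflows are tracked. There is no
  # "pip" entry, so build_tools/requirements-release-*.txt never produce
  # version-update PRs from this configuration.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumed: workflows live under .github/workflows
    schedule:
      interval: "weekly"      # assumed cadence
    groups:
      # Every matching action is collected into a single PR, so interdependent
      # major bumps are built and tested together instead of landing as
      # separate PRs that each fail on their own.
      github-actions:         # assumed group name; it becomes part of the PR title
        patterns:
          - "*"
    # Assumed: at most one open actions PR at a time, so the grouped PR is
    # reviewed and merged before Dependabot opens the next one.
    open-pull-requests-limit: 1
```

With the group in place, Dependabot still runs the workflows on the combined PR, so CI verifies the set of actions together before anything is merged. Dependabot also updates `uses:` lines that are pinned to a commit SHA and keeps the trailing version comment current, so the grouping works unchanged for hash-pinned actions.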
