chore: add Dependabot for GitHub Actions and pip dependencies #32
Conversation
```yaml
  - package-ecosystem: "github-actions"
    directory: /
    groups:
      github-actions:
        patterns:
          - "*" # Group all Actions updates into a single larger pull request
    schedule:
      interval: monthly
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: monthly
```
While I've kept the update schedule as "monthly" here, I would suggest that we keep it to a "weekly" basis, as I'll be much faster than Dependabot and will render it useless :P
I think my use case here is about PRs serving as reminders, rather than as updates. But, I can also configure these PRs to get auto-merged if CI passes.
I think monthly would be OK.
In my experience, dependabot generates a lot of unwanted notifications, and they are usually not that security critical... in our case we're running a static site, so there are no big security concerns.
As for auto-merge, better not. It makes more sense to auto-merge then check if the page is loading as expected.
> I think monthly would be OK.
> In my experience, dependabot generates a lot of unwanted notifications, and they are usually not that security critical... in our case we're running a static site, so there are no big security concerns.

Yes, I agree. At the current release frequency for JupyterLite and jupyterlite-pyodide-kernel releases, we should be fine with monthly updates.

> As for auto-merge, better not. It makes more sense to auto-merge then check if the page is loading as expected.

I agree with this as well.
Looks good.
I've already enabled dependabot for this repo, so when you merge we should see it in action.
Thanks for the review!
Description
This PR closes #31. I've configured Dependabot to update the GitHub Actions dependencies. I'm usually opposed to Dependabot updating `pip` dependencies, but I think that would be fine here because #26 removed the rest of the dependencies and placed them in inline scripts, so we have just two dependencies: JupyterLite, and the Pyodide kernel.

> [!IMPORTANT]
> Dependabot would need to be enabled through the https://github.com/sympy/live/network/updates page by someone with administrator permissions for this repository before it starts checking for automated updates.