Dependency management #2594
Comments
Thanks for this! I'd like to try #2592 first.
FWIW having a weekly Action with That also makes it easy to sneak in other automated fixes, e.g. running the (maybe-newly-updated) autoformatters and committing that too, updating vendored data files, etc. We even have a script that writes the changelog entry 😁
Thanks! It looks like we will eventually be moving that direction. We are hung up on how to automatically merge the PRs at the moment, but it looks like you are using the automatic GitHub token. Did you find a way to run CI on those PRs or do you simply click each one?
CI runs automatically, since it's a tightly-scoped personal access token from my account, and then I (or another maintainer) review and click "merge" on each one.
I think this should stay open since #2592 is kludgy, and we don't close this until the mentioned machine account or similar is added.
The current setup of dependabot is intensively manual and has some negative interactions with pip-tools. I've created 2 PRs with opposite solutions to this problem: #2593 maxes out dependabot usage and automates the PR merges, but sacrifices the precise output of pip-compile, whereas #2592 drops dependabot entirely and does a periodic (and also manually triggerable) pip-compile bump.
Personally I would favor dropping dependabot mainly because of the fewer commits, but I recognize that monthly mass updates are marginally more likely to have difficult-to-diagnose breakage from bad interactions.