-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drop dependabot in favor of automated pip-tools #2592
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #2592 +/- ##
=======================================
Coverage 92.45% 92.45%
=======================================
Files 118 118
Lines 16342 16342
Branches 3155 3155
=======================================
Hits 15109 15109
Misses 1104 1104
Partials 129 129
|
One subtle quirk of this is that we have to manually delete branches after they've been merged. |
otherwise this workflow would fail in the rare case that no dependencies update within a month
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'm ok with this, but just to confirm: when a PR fails to automerge, if we don't merge it that day (? I can't read cron, I presume this runs once daily?) CI will remake it?
It's once a month (best webtool ever). The branch name is distinguished by the base commit SHA so if it so happens that the automerge fails AND no other commits are pushed over the month, then the PR branch will be overwritten by force-push. Otherwise, the bot will make a new branch and PR. |
Once a month sounds reasonable! Alright then. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks alright to me! I'd like one other person skim through this before they press merge but I think this will work nicely.
I am excited about getting rid of dependabot spam! I think that we'll need to switch to using a personal access token to create the PR, because otherwise Github will refuse to run CI on the PR: peter-evans/create-pull-request#48
I just flipped this setting on, which I think should take care of it? |
I think I did know this at some point... can you help me make that token? I think it requires admin access
Nice! |
I found this just now and it seems useful; here's a list of what we could do: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs Choice options:
|
Hi! Just coming back here to bump this PR again. I wouldn't mind having to close/reopen our automated PRs if necessary, if we can't decide on what to do. |
Right, you can merge it today and it should work just like that. In the future, someone with admin privileges can create an appropriately scoped personal token as in #2594 (comment) and simply make a PR to change the |
Unfortunately, I think if we put a PAT in as a secret on this repo, then
that can be trivially extracted by anyone with commit privileges and then
used to impersonate the original person, right?
…On Tue, Apr 4, 2023, 16:06 richardsheridan ***@***.***> wrote:
Right, you can merge it today and it should work just like that. In the
future, someone with admin privileges can create an appropriately scoped
personal token as in #2594 (comment)
<#2594 (comment)>
and simply make a PR to change the GH_TOKEN argument in the workflow to
point to it and it should become fully automatic.
—
Reply to this email directly, view it on GitHub
<#2592 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEU42CIUODD44PYP6ID5TDW7SSOFANCNFSM6AAAAAAVQHWMAY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I haven't wrapped my head around how secrets function in GitHub Actions (yet) but that certainly sounds right. I'd suggest some sort of machine account? The account making the PRs needs no permissions at all, after all. It could always make a PR from a fork (though that would complicate things). I'll merge this now (assuming no immediate "no"s) cause there's a fix no matter how cludgey and we can figure out how to do this at a future point. |
Closes #2594.