github: Add dependabot configuration #81812
Conversation
There was a problem hiding this comment.
Thanks for finally sending the PR I kept delaying forever :)
I had done it slightly differently for the sake of having slightly better PR titles with proper prefixes based on the area. Can't recall why I didn't put any label (it might be that the dependabot "user" doesn't have permission to set them? Really don't remember, sorry) but that would be a nice addition too?
6b14bea
Yep but it is useful for GH actions nevertheless, as this can let us know when to bump the not-fully-locked-but-still-somewhat-pinned versions. |
I like yours better! The default dependabot labels aren't really useful so we should let zephyr bot do that part. EDIT: we should however |
Yes, we can simply set fixed versions in the requirements files. This would increase reproducibility and prevent packages break our users' environments. |
Fixed version would also likely introduce version incompatibles with other requirements (e.g. for downstream tooling). It also means more work on maintaining release branches, ensuring dependencies are updated in all active branches as well. We have discussed this in the past and opted not to lock on versions unless really needed. |
How about something like lock files? Having a pretty lose description of minimum versions, but then adding a refreshed lock file on each release? People can still ignore/update it, but one would be able to restore a "same-versions-as-back-then" Zephyr build environment many years in the future. |
Inserting a shameless plug to my $ pip-compile -q --no-annotate --no-header -o - $(west packages pip)
anytree==2.12.1
appdirs==1.4.4
arrow==1.2.3
astroid==3.3.5
canopen==2.3.0
capstone==4.0.2
cbor==1.0.0
cbor2==5.6.5
certifi==2024.8.30
cffi==1.17.1
charset-normalizer==3.4.0
clang-format==19.1.4
click==8.1.3
cmsis-pack-manager==0.5.3
colorama==0.4.6
colorlog==6.9.0
coverage==7.6.8
cryptography==43.0.3
deprecated==1.2.15
dill==0.3.9
docopt==0.6.2
gcovr==8.2
gitdb==4.0.11
gitlint==0.19.1
gitlint-core[trusted-deps]==0.19.1
gitpython==3.1.43
graphviz==0.20.3
grpcio==1.68.0
grpcio-tools==1.68.0
idna==3.10
imgtool==2.1.0
importlib-metadata==8.5.0
importlib-resources==6.4.5
iniconfig==2.0.0
intelhex==2.3.0
intervaltree==3.1.0
isort==5.13.2
jinja2==3.1.4
junit2html==31.0.2
junitparser==3.2.0
lark==1.2.2
libusb-package==1.0.26.1
lpc-checksum==3.0.0
lxml==5.3.0
markupsafe==3.0.2
mccabe==0.7.0
mock==5.1.0
msgpack==1.0.8
mypy==1.13.0
mypy-extensions==1.0.0
natsort==8.4.0
packaging==24.2
pathspec==0.12.1
patool==3.1.0
pillow==11.0.0
platformdirs==4.3.6
pluggy==1.5.0
ply==3.11
polib==1.2.0
prettytable==3.12.0
progress==1.6
protobuf==5.28.3
psutil==6.1.0
pycparser==2.22
pyelftools==0.31
pygithub==2.5.0
pygments==2.18.0
pyjwt[crypto]==2.10.0
pykwalify==1.8.0
pylink-square==1.3.0
pylint==3.3.1
pynacl==1.5.0
pyocd==0.36.0
pyserial==3.5
pytest==8.3.3
python-can==4.4.2
python-dateutil==2.9.0.post0
python-magic==0.4.27
pyusb==1.2.1
pyyaml==6.0.2
regex==2024.11.6
requests==2.32.3
ruamel-yaml==0.18.6
ruamel-yaml-clib==0.2.12
ruff==0.8.0
semver==3.0.2
sh==1.14.3
six==1.16.0
smmap==5.0.1
sortedcontainers==2.4.0
sphinx-lint==1.0.0
tabulate==0.9.0
tomlkit==0.13.2
typing-extensions==4.12.2
unidiff==0.7.5
urllib3==2.2.3
wcwidth==0.2.13
west==1.3.0
wrapt==1.17.0
yamllint==1.35.1
zcbor==0.9.1
zipp==3.21.0
# The following packages are considered to be unsafe in a requirements file:
# setuptools |
|
A warning however: Dependabot does not really understand dependencies and/or take them into account. It will happily create PRs for each found vulnerability, bump its version but ignore whether this new version can be used at all along with the other dependencies. Example:
Source: https://github.com/rettichschnidi/wakaama/pulls?q=is%3Apr+author%3Aapp%2Fdependabot+ (as of today) This seems so obviously bad that I still do not fully believe this to be the best it can do. Despite having GH representative confirming this behavior on a call that happened two days ago. It might be less of a problem when not fully locking down (i.e. including hashes) all dependencies (including transitive ones), have not tried that yet. Also, not tried the group feature yet. |
Add a GH dependabot configuration to check for updates for github actions and pip dependencies once a week. Signed-off-by: Pieter De Gendt <[email protected]> Co-authored-by: Benjamin Cabé <[email protected]>
|
Perhaps it's sufficient to upload the versions used during CI as an artifact or something? |
Add a GH dependabot configuration to check for updates for github actions and pip dependencies once a week.