
Auto merge Dependabot updates #2868

Closed

Conversation

@Andrew-Chen-Wang (Contributor) commented Oct 1, 2020

Description

Fixes #2852. Adds auto-merging of pip updates to this repository using Dependabot to alleviate @browniebroke's workload.

Rationale

Make updating this repository less stressful. You can view the test repository here: https://github.com/Andrew-Chen-Wang/test-dependabot-automerge
You can see that, when one update happens, the rest of the PRs close and are superseded with a new PR, as shown here: Andrew-Chen-Wang/test-dependabot-automerge#3 (comment)

This also means we don't need pyup anymore, especially since dependabot covers everything pyup does and auto merges and rebases in case of new updates to the PR.


Note: when GitHub acquired Dependabot, they disabled the auto merge feature natively for security reasons, so that's why I had to create the GitHub Action. I took the GitHub Action from a Medium post, but I just can't find the blog anymore...

AH! Here it is: https://medium.com/@toufik.airane/automerge-github-dependabot-alerts-with-github-actions-7cd6f5763750

@browniebroke (Member)

Very nice! I think we should be careful with this one. A few questions I have:

  • What happens if the build doesn't pass? From a quick look, it doesn't seem to check the build status...
  • Did you check that Dependabot supports having Jinja markup in requirements files?
    In the latest version of your example repo, Django is updated in production, but not in local.
    The difference between the 2 files is that local has some Jinja markup for a conditional. I think that's one of the main things preventing us from replacing pyup with Dependabot. It's well supported by pyup.
  • Another neat feature from pyup is the ability to "filter" updates, which we use often, and currently for Celery we can say != 4.4.7 for example. Celery 4.4.7 is a bit broken currently, and we don't want to update to it, but the Celery bug isn't something that breaks our build, so an upgrade would be automerged, and if we downgrade, it would be re-updated again...

I think we can't switch to Dependabot yet, but if we can get the build status checked before merging, that would work with pyup changes.

@Andrew-Chen-Wang (Contributor, Author)

Interesting, didn't notice it failed with the Jinja2 templating; I probably got too tired, sorry about that.

I can rework the GitHub Action to auto merge pyup instead by changing the actor. If you don't mind, for the CI check, I'd like to use https://github.com/WyriHaximus/github-action-wait-for-status for checking the status. The merge step in this case will use an `if` on that status: if it is successful the merge happens, and if not, the merge will not happen.
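The gate described in this comment (merge only after the status check reports success) and the version filter @browniebroke asks for above (`!= 4.4.7` for Celery), worked through as an added example. This is not the workflow from this PR, nor code from WyriHaximus/github-action-wait-for-status; the function names, the `TRUSTED_ACTORS` allow-list, the `filters` dict and the `SAMPLE_*` payloads are assumptions constructed for illustration. The URLs are GitHub's REST endpoints for a pull request, a commit's combined status and a merge.

```python
"""Auto-merge gate for bot dependency-update PRs (added example, not the PR's
workflow).  Three gates from the thread: trusted bot actor, green combined CI
status for the PR head commit, and version filters such as celery != 4.4.7."""
import json
import os
import re
import urllib.request

# Hypothetical allow-list of bot accounts whose PRs may be auto-merged.
TRUSTED_ACTORS = {"dependabot[bot]", "pyup-bot"}

# Dependabot titles: "Bump celery from 4.4.6 to 4.4.7 [in /requirements]".
# pyup titles:       "Update celery to 4.4.7".  The "from X" part is optional.
TITLE_RE = re.compile(
    r"^(?:Bump|Update) (?P<pkg>[A-Za-z0-9_.\-\[\]]+)"
    r"(?: from (?P<old>\S+))? to (?P<new>\S+)"
)


def parse_title(title):
    """Return (package, old_version_or_None, new_version), or None when the
    title is not a dependency bump."""
    m = TITLE_RE.match(title)
    if not m:
        return None
    return m.group("pkg").lower(), m.group("old"), m.group("new")


def should_merge(pr, combined_status, filters):
    """Decide whether a PR may be auto-merged; returns (ok, reason).

    pr              -- dict shaped like GET /repos/{o}/{r}/pulls/{n}
    combined_status -- dict shaped like GET /repos/{o}/{r}/commits/{sha}/status
    filters         -- {package: {excluded versions}}, e.g. {"celery": {"4.4.7"}}
    """
    actor = pr["user"]["login"]
    if actor not in TRUSTED_ACTORS:
        return False, f"actor {actor!r} is not a trusted update bot"
    parsed = parse_title(pr["title"])
    if parsed is None:
        return False, "title does not look like a dependency bump"
    pkg, _old, new = parsed
    if new in filters.get(pkg, set()):
        return False, f"{pkg} {new} is excluded by filter"
    # Combined status is "pending" when nothing has reported yet and
    # "failure" if any context failed, so only "success" passes.
    state = combined_status.get("state")
    if state != "success":
        return False, f"combined status is {state!r}"
    # Guard against a push landing between the check and the merge.
    if combined_status.get("sha") != pr["head"]["sha"]:
        return False, "status belongs to a different commit than the PR head"
    return True, "all gates passed"


def _github(url, token, method="GET", body=None):
    headers = {"Authorization": f"token {token}",
               "Accept": "application/vnd.github+json",
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def merge_if_green(owner, repo, number, filters, token):
    """Fetch the PR and its combined status, then merge only if every gate
    passes.  The merge request pins the head SHA so GitHub refuses the merge
    if a new commit arrived after we checked."""
    base = f"https://api.github.com/repos/{owner}/{repo}"
    pr = _github(f"{base}/pulls/{number}", token)
    status = _github(f"{base}/commits/{pr['head']['sha']}/status", token)
    ok, reason = should_merge(pr, status, filters)
    if ok:
        _github(f"{base}/pulls/{number}/merge", token, method="PUT",
                body={"merge_method": "squash", "sha": pr["head"]["sha"]})
    return ok, reason


# Constructed sample payloads (not real API responses) for offline use.
SAMPLE_PR = {
    "title": "Bump celery from 4.4.6 to 4.4.7",
    "user": {"login": "dependabot[bot]"},
    "head": {"sha": "0123abcd"},
}
SAMPLE_STATUS = {"state": "success", "sha": "0123abcd", "total_count": 2}
FILTERS = {"celery": {"4.4.7"}}

if __name__ == "__main__":
    print(should_merge(SAMPLE_PR, SAMPLE_STATUS, FILTERS))  # blocked by filter
    print(should_merge(SAMPLE_PR, SAMPLE_STATUS, {}))       # all gates pass
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # e.g. GITHUB_TOKEN=... python gate.py owner repo 123
        import sys
        owner, repo, number = sys.argv[1:4]
        print(merge_if_green(owner, repo, int(number), FILTERS, token))
```

Two caveats worth keeping in mind when wiring this into a workflow: the combined-status endpoint only reflects the commit Status API, so CI that reports through check runs (GitHub Actions itself) has to be read from `/commits/{sha}/check-runs` instead; and the `sha` field in the merge request is what makes the check meaningful, because without it a commit pushed to the branch after the status was read would be merged on the strength of an older green build.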

@browniebroke (Member)

Yea, I think it makes sense to delegate this check 👍

> sorry about that.

Don't apologize for a small mistake! This is some great work! 💪

@Andrew-Chen-Wang (Contributor, Author)

Superseded by #2872

@Andrew-Chen-Wang Andrew-Chen-Wang deleted the dependabot branch November 4, 2020 19:16
Linked issue (closed by merging this pull request): Add GitHub Action to auto merge Dependabot and pyup security updates if all tests pass.