Support bumping dependencies in .pre-commit-config.yml #2040

Open
sloria opened this issue Feb 2, 2020 · 11 comments
Labels
core 🍏 (Relates to the dependabot-core library itself), F: pull-requests (Issues about Dependabot pull requests), Keep (Exempt this from being marked by stalebot), T: feature-request (Requests for new features), versioning

Comments

@sloria

sloria commented Feb 2, 2020

pre-commit is a popular tool for managing git hooks. It has a YAML-based config that allows specifying hook-specific dependencies, like so.

When one of these dependencies gets updated in the setup.py for my repositories, I currently have to manually update the version in .pre-commit-config.yml: marshmallow-code/marshmallow-jsonapi#286

It would be great if Dependabot could automate these updates.

@hugovk

hugovk commented May 17, 2020

Duplicate of #1524.

@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@sfdye

sfdye commented Jul 19, 2020

Shall we merge with #1524 to track in one issue?

@sloria

sloria commented Jul 20, 2020

This issue isn't exactly the same as #1524. I'm proposing that additional_dependencies within .pre-commit-config.yaml (like here) get updated just as setup.py and requirements.txt do, whereas #1524 is proposing that the actual pre-commit hook versions get updated.

@BeyondEvil

Any news on this?

@lafrech

lafrech commented Oct 29, 2021

Just found this GH action. Could be a workaround.

https://github.com/marketplace/actions/pre-commit-autoupdate

I haven't tested yet.

@scop

scop commented Oct 29, 2021

https://github.com/marketplace/actions/pre-commit-autoupdate
A Github action to run pre-commit autoupdate

That does not touch additional_dependencies.

@scop

scop commented Oct 29, 2021

FWIW with some "creative" .pre-commit-config.yaml formatting, Renovate can be tricked into doing this. I'm seeing success with that setup in a few projects, here's one example:

https://github.com/scop/hashpipe/blob/eb11f6c676803aeed04181c786e7a1750f882371/.pre-commit-config.yaml
https://github.com/scop/hashpipe/blob/eb11f6c676803aeed04181c786e7a1750f882371/renovate.json

@jurre jurre added F: pull-requests Issues about Dependabot pull requests T: feature-request Requests for new features service 💁 Relates to Dependabot features GitHub provides core 🍏 Relates to the dependabot-core library itself and removed service 💁 Relates to Dependabot features GitHub provides labels Nov 26, 2021
@chopeen

chopeen commented Oct 31, 2022

You can also configure a custom regex manager - renovatebot/renovate#10055 (comment).

@ddelange

ddelange commented Nov 12, 2023

This issue isn't exactly the same as #1524. I'm proposing that additional_dependencies within .pre-commit-config.yaml (like here) get updated just as setup.py and requirements.txt do, whereas #1524 is proposing that the actual pre-commit hook versions get updated.

This requires dependency resolution within the additional_dependencies, and ideally including the dependencies of the hook itself.

pip recently introduced a --dry-run --report functionality for such use-cases. I'm already happily using it in pipgrip (ddelange/pipgrip#113) and it would probably be your go-to for this issue as well.

@ddelange

ddelange commented Nov 12, 2023

This was rejected upstream by the way due to various blockers: pre-commit/pre-commit#1351 (comment)

You could implement it such that this new mechanic only kicks in if:

  • all strings in the additional_dependencies field are in format pkg==version.
  • it's a python based pre-commit hook.
    • you could verify this by checking whether all URLs in the format https://pypi.org/project/<pkg>/<version>/ for the additional_dependencies redirect to a 200 status code.
    • there is probably a more robust way to verify this, something like inspecting the language key for the particular hook id in the hook repo's .pre-commit-hooks.yaml file.
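
The gating rule proposed above (only act on python hooks whose additional_dependencies are all plain `pkg==version` pins) and the formatting-preserving rewrite Dependabot would then have to do, as an added example. This is not code from Dependabot, pre-commit or any commenter in this thread. The `scan`, `eligible` and `bump` names are hypothetical, the sample config is constructed for the example, and the `HOOK_MANIFEST_LANGUAGE` table stands in for reading the `language` key from each hook repo's `.pre-commit-hooks.yaml` at the pinned `rev`, which a real implementation would fetch. The scanner works on the raw file, line by line, so a bump changes only the pin token and leaves comments, quoting and key order exactly as the maintainer wrote them; it recognises the two common layouts, a flow list on the key's line and block-style `- item` lines.

```python
"""Locate and bump "name==version" pins in additional_dependencies.

Added example (not Dependabot, pre-commit or any commenter's code). Edits the
raw file line by line so a bump touches only the pin token; recognises a flow
list on the key's line or block-style "- item" lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one eligible hook, one with an unpinned entry, one non-python hook.
SAMPLE_CONFIG = """\
repos:
-   repo: https://github.com/pycqa/flake8
    rev: 6.1.0
    hooks:
    -   id: flake8
        additional_dependencies: [flake8-bugbear==23.9.16, flake8-comprehensions==3.14.0]
-   repo: https://github.com/pre-commit/mirrors-mypy
    rev: v1.5.1
    hooks:
    -   id: mypy
        additional_dependencies:
        -   types-requests==2.31.0.2
        -   marshmallow>=3.0
-   repo: local
    hooks:
    -   id: eslint
        name: eslint
        entry: eslint
        language: node
        additional_dependencies:
        -   eslint==8.50.0
"""

# Constructed stand-in for the `language` key a real implementation would read
# from each hook repo's .pre-commit-hooks.yaml at the pinned rev.
HOOK_MANIFEST_LANGUAGE: Dict[Tuple[str, str], str] = {
    ("https://github.com/pycqa/flake8", "flake8"): "python",
    ("https://github.com/pre-commit/mirrors-mypy", "mypy"): "python",
}

# Exactly "name==version": no extras, markers, ranges, paths or URLs.
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
                    r"==(?P<version>[0-9][A-Za-z0-9.!+*-]*)$")


@dataclass
class Hook:
    repo: str
    hook_id: str
    language: Optional[str] = None                              # in-config only for repo: local
    deps: List[Tuple[int, str]] = field(default_factory=list)   # (line index, entry text)


def scan(text: str) -> List[Hook]:
    """Attach each additional_dependencies entry to the (repo, id) hook it belongs to."""
    lines, hooks, repo = text.splitlines(), [], ""
    for i, line in enumerate(lines):
        s = line.strip()
        if (m := re.match(r"-?\s*repo:\s*(\S+)", s)):
            repo = m.group(1)
        elif (m := re.match(r"-?\s*id:\s*(\S+)", s)):
            hooks.append(Hook(repo, m.group(1)))
        elif hooks and (m := re.match(r"language:\s*(\S+)", s)):
            hooks[-1].language = m.group(1)
        elif hooks and (m := re.match(r"additional_dependencies:\s*(.*)$", s)):
            if m.group(1).startswith("["):                    # flow style: [a==1, b==2]
                items = [x.strip().strip("'\"") for x in m.group(1).strip("[]").split(",")]
                hooks[-1].deps += [(i, x) for x in items if x]
            else:                                             # block style: "- a==1" lines
                indent = len(line) - len(line.lstrip())
                for j in range(i + 1, len(lines)):
                    item = lines[j].strip()
                    if len(lines[j]) - len(lines[j].lstrip()) < indent or not item.startswith("-"):
                        break
                    hooks[-1].deps.append((j, item[1:].strip().strip("'\"")))
    return hooks


def normalize(name: str) -> str:
    """PEP 503 normalisation: Flake8_Bugbear and flake8-bugbear are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def eligible(hook: Hook, manifest: Dict[Tuple[str, str], str] = HOOK_MANIFEST_LANGUAGE) -> bool:
    """Gate from the thread: a python hook whose entries are all name==version."""
    language = hook.language or manifest.get((hook.repo, hook.hook_id))
    return bool(hook.deps) and language == "python" and all(PIN_RE.match(e) for _, e in hook.deps)


def bump(text: str, package: str, new_version: str,
         manifest: Dict[Tuple[str, str], str] = HOOK_MANIFEST_LANGUAGE) -> Tuple[str, int]:
    """Rewrite package==old to package==new_version in eligible hooks; return (text, count).
    Lines of hooks that fail the gate are left byte-for-byte unchanged."""
    lines, changed = text.splitlines(keepends=True), 0
    for hook in scan(text):
        if not eligible(hook, manifest):
            continue
        for idx, entry in hook.deps:
            m = PIN_RE.match(entry)
            if normalize(m["name"]) != normalize(package) or m["version"] == new_version:
                continue
            # Match the whole "name==old" token so bumping foo==1 never touches pyfoo==1.
            token = re.compile(r"(?<![A-Za-z0-9._-])" + re.escape(entry) + r"(?![A-Za-z0-9.!+*-])")
            lines[idx], n = token.subn(f"{m['name']}=={new_version}", lines[idx], count=1)
            changed += n
    return "".join(lines), changed
```

Anything that is not a bare pin (a range such as `marshmallow>=3.0`, an extra, a git URL, or a trailing comment on the item line) makes the whole hook ineligible, which is the conservative behaviour the comment asks for: the updater skips what it cannot reason about rather than rewriting it. The gate only decides whether a hook is safe to touch; picking the new version still needs the resolution step discussed above.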

@carez

carez commented Nov 13, 2023

My workaround is to install the packages using requirements-dev.txt (which is maintained by dependabot) and then run pre-commit local hooks like this:

$ cat .pre-commit-config.yaml 
repos:
-   repo: local
    hooks:
    -   id: black
        name: black
        entry: black
        language: system
        types_or: [python, pyi]
        require_serial: true
    -   id: flake8
        name: flake8
        entry: flake8
        language: system
        types: [python]
        require_serial: true
    -   id: mypy
        name: mypy
        entry: mypy
        args: ["--ignore-missing-imports", "--scripts-are-modules"]
        language: system
        types_or: [python, pyi]
        require_serial: true
    -   id: isort
        name: isort
        entry: isort
        args: ["--profile", "black"]
        language: system
        types_or: [cython, pyi, python]
        require_serial: true

Projects
Status: Planned