Have Dependabot offer submodule updates #1702
Conversation
This extends the current Dependabot configuration so that, in addition to offering updates for GitHub Actions, it also offers them for git submodules (for the gitdb direct submodule).
EliahKagan
force-pushed
the
submodule-dependabot
branch
from
8b5c917
to
7b1c046
Compare
There was a problem hiding this comment.
That's a great catch! I forgot that CI here was testing with an older version of gitdb, and dependabot with this configuration should help discover when these go out of sync.
I also update gitdb by hand now, for good measure, which might have been a mistake as dependabot probably won't trigger now. (let me undo it - done).
directory probably even defaults to 'root' as this is the default location, but if it doesn't work we can always fix it. Let's try :).
|
The status should be shown in the Dependabot tab of the Dependency Graph page. (I can't access that, but I believe it is the correct URL.) |
|
Oh, right, I wasn't aware! Indeed it's already active, maybe it will produce a PR soon. 
|
|
Nice! :) I considered also opening a PR like this in the gitdb repository so that its smmap submodule would be updated automatically. That is updated less often, though, and I'm not sure it would really be worthwhile to do that. If you think it is, I'll open such a PR as well. Edit: I see that Dependabot has successfully created a PR, #1704. (If you comment with |
|
While these repos exist, it's probably worth it (even though |
|
I will do so shortly. Given this, I suggest not yet merging the existing Dependabot PR here (via commands or otherwise). May as well wait for the submodule update from the gitdb PR being merged there. No need to do anything at all on #1704 actually; when Dependabot opens a new one for that same dependency, it will automatically close #1704, though you may need to trigger Dependabot manually to do another scan to see it. |
This makes Dependabot open version update PRs for submodules (which here is just smmap), as well as GitHub Actions. This is like gitpython-developers/GitPython#1702.
|
I've proposed the analogous change to gitdb (for updating the smmap submodule) in gitpython-developers/gitdb#99. |
|
It looks like it doesn't automatically trigger now, probably due to the weekly cadence. I guess it's fair to merge the one open PR now and wait for the next one (as also I can't trigger a scan by hand). |
|
I think it's worth looking into why you can't manually trigger it, before merging #1704. |
|
Sorry, that was too late. It's fine to me as well - maybe I was just overlooking something - turns out I was not seeing the button that at least now is there. Now it's scanning. |
|
It's allowing you to manually trigger the scan now? |
|
Oh, I see. When you said it was too late, you meant you had already merged the first one. I think that's no problem at all, though. |
The cadence for action updates is set to weekly, but I actually set the cadence for submodule updates to monthly, both here and in gitdb. Would you prefer it be weekly? If so, I could open new PRs for that. Editing |
|
Yes, please feel free to change the cadence next time you get to it 🙏 - a PR specifically for that right now isn't necessary though. |
This changes it from monthly to weekly. See gitpython-developers#99 and gitpython-developers/GitPython#1702 (comment) for context.
This sets the Dependabot submodule update cadence from montly to weekly, as requested in: gitpython-developers#1702 (comment) (This change in GitPython corresponds directly to gitpython-developers/gitdb#104 in gitdb.)
|
I've opened #1721 and gitdb#104 to change the cadence of Dependabot submodule updates from monthly to weekly, in this and the gitdb repository, respectively. With recent and proposed changes to gitdb, this seemed like a reasonable time, but for maximum flexibility I've opened them as their own PRs instead of including them in other PRs. |
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [GitPython](https://togithub.com/gitpython-developers/GitPython) | `==3.1.37` -> `==3.1.40` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>gitpython-developers/GitPython (GitPython)</summary> ### [`v3.1.40`](https://togithub.com/gitpython-developers/GitPython/compare/3.1.38...3.1.40) [Compare Source](https://togithub.com/gitpython-developers/GitPython/compare/3.1.38...3.1.40) ### [`v3.1.38`](https://togithub.com/gitpython-developers/GitPython/releases/tag/3.1.38) [Compare Source](https://togithub.com/gitpython-developers/GitPython/compare/3.1.37...3.1.38) #### What's Changed - Add missing assert keywords by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1678 - Make clear every test's status in every CI run by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1679 - Fix new link to license in readme by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1680 - Drop unneeded flake8 suppressions by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1681 - Update instructions and test helpers for git-daemon by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1684 - Fix Git.execute shell use and reporting bugs by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1687 - No longer allow CI to select a prerelease for 3.12 by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1689 - Clarify Git.execute and Popen arguments by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1688 - Ask git where its daemon is and use that by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1697 - Fix bugs affecting exception wrapping in rmtree callback by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1700 - Fix dynamically-set **all** variable by [@​DeflateAwning](https://togithub.com/DeflateAwning) in [gitpython-developers/GitPython#1659 - Fix small [#​1662](https://togithub.com/gitpython-developers/GitPython/issues/1662) regression due to [#​1659](https://togithub.com/gitpython-developers/GitPython/issues/1659) by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1701 - Drop obsolete info on yanking from security policy by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1703 - Have Dependabot offer submodule updates by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1702 - Bump git/ext/gitdb from `49c3178` to `8ec2390` by [@​dependabot](https://togithub.com/dependabot) in [gitpython-developers/GitPython#1704 - Bump git/ext/gitdb from `8ec2390` to `6a22706` by [@​dependabot](https://togithub.com/dependabot) in [gitpython-developers/GitPython#1705 - Update readme for milestone-less releasing by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1707 - Run Cygwin CI workflow commands in login shells by [@​EliahKagan](https://togithub.com/EliahKagan) in [gitpython-developers/GitPython#1709 #### New Contributors - [@​DeflateAwning](https://togithub.com/DeflateAwning) made their first contribution in [gitpython-developers/GitPython#1659 **Full Changelog**: gitpython-developers/GitPython@3.1.37...3.1.38 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/allenporter/flux-local). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
This extends the current Dependabot configuration so that, in addition to offering updates for GitHub Actions, it also offers them for git submodules (for the gitdb direct submodule).
This is to make updating the gitdb submodule more convenient, as well as making the its intended status relative to the head of gitdb clearer:
It is really that expressiveness that I regard to be the major benefit here: people can always check to see whether GitPython's submodule being behind the gitdb remote repository is intentional.
However, automatically creating PRs when situations like the one described in #1659 (comment) happen is also a benefit, and that is what gave me the idea to propose this. (For that in particular, I suggest updating the submodule separately from, and prior to, making new releases of either package or synchronizing dependency versions, to facilitate testing of the change, since the automated tests currently use the submodule version. If this PR is merged, then the resulting Dependabot PR for the update can also be merged.)
(There is a further benefits of using Dependabot for this: the Dependabot commands. Rebasing onto main can be done with
@dependabot rebase, and merging after waiting for all CI checks pass can be done with@dependabot mergeor, if no separate merge commit is desired,@dependabot squash and merge.)Please note that my intention is not to prolong the GitPython repository's nontrivial use of submodules any longer than it would have been. I believe this change would not entrench that, because it is easy to revert or otherwise undo when no longer needed.
Although the actual gitdb submodule is located in
git/ext/gitdb, I think specifying"/"as the directory independabot.ymlis correct, because except where otherwise documented, Dependabot treatsdirectoryas the location of manifest files, which I believe it considers.gitmodulesto be, for submodules, rather than the submodule itself.