scrapinghub / extruct

Extract embedded metadata from HTML markup
BSD 3-Clause "New" or "Revised" License
846 stars 113 forks

feat: Add dependabot for github actions #228

Open Rotzbua opened 6 months ago

Rotzbua commented 6 months ago

Problem

The GH actions workflows seem outdated.


Solution

Dependabot can provide PRs.

Recommendation

Because dependabot can be really annoying, I recommend:

Gallaecio commented 6 months ago

I’m not sure we need dependabot. It feels like it only makes sense for projects (i.e. with requirements.txt), not libraries meant to work with multiple versions of libraries (even vulnerable ones).

FriedrichFroebel commented 6 months ago

This depends on how you want to use it. This issue primarily seems to be about automated updates for GitHub Actions, which is completely independent from Python package updates (although both use the dependabot approach).

Regarding Python packages: There are multiple approaches to this and no clearly defined way. For example: Use a dedicated requirements file which pins all versions to the latest versions known to work with the latest Python version supported. Once dependabot detects a package update for one of the pinned dependencies, let it open a PR and let GitHub Actions/CI automatically ensure that the latest package versions do not break the library code.
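
A dependabot.yml that implements the setup the comment above describes, added here as an example and not taken from the issue or the extruct repository: one job for the GitHub Actions used in the workflows and one for a dedicated pinned requirements file, with grouping and PR limits so the noise stays manageable (the file name `requirements-ci.txt`, the group names and the labels are assumptions).

```yaml
# .github/dependabot.yml (added example; the extruct repository may differ)
version: 2
updates:
  # Keep the actions referenced from .github/workflows/*.yml current.
  # "directory" is the repository root: Dependabot itself looks under
  # .github/workflows. Actions pinned to a full commit SHA are bumped to
  # the new SHA, so SHA pinning and automated updates work together.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # One grouped PR per run instead of one PR per action.
    groups:
      actions:
        patterns:
          - "*"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "ci"

  # Watch only the pinned CI requirements file (assumed name:
  # requirements-ci.txt in the repository root). The library's own
  # install_requires keeps supporting a range of versions; CI runs on
  # the grouped PR show whether the newest pins break the code.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      ci-pins:
        patterns:
          - "*"
    open-pull-requests-limit: 3
    labels:
      - "dependencies"
      - "python"
    commit-message:
      prefix: "chore"
```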

Gallaecio commented 6 months ago

This issue primarily seems to be about automated updates for GitHub Actions.

Interesting.

Once dependabot detects a package update for one of the pinned dependencies, let it open a PR and let GitHub Actions/CI automatically ensure that the latest package versions do not break the library code.

Very interesting. On very active projects it might not be that useful, but in projects that are actively maintained but get no new features often like this one, this sounds quite useful.

Although I wonder if it would not be too noisy, creating a PR every time a dependency releases a new version.