
Add Dependabot Integration for Cargo packages #109


Closed
wants to merge 1 commit into from

Conversation

ivinjabraham
Contributor

@ivinjabraham ivinjabraham commented Feb 26, 2025

This PR introduces Dependabot to automate dependency updates for patch-hub. Dependabot will check for new versions of dependencies every week and if any are found, it will send a PR to unstable bumping the versions up.

@davidbtadokoro
Collaborator

Hey, @ivinjabraham, thanks for yet another PR!

I see that dependabot is a great idea. I even think that somewhere (I don't know if it is when releasing new versions) it keeps warning me about a vulnerability regarding the lack of dependabot.

Nevertheless, I am a little skeptical about this approach as I think it can potentially spam the pull-request tab, as there may be many, many version bumps weekly. I am not vetoing the idea, as we need to do chores like this sooner or later, but I don't feel like this is a priority right now...

In any case, I am going to chew a little bit more on the idea, and I will ping you back. Thanks!

@ivinjabraham
Contributor Author

ivinjabraham commented Mar 10, 2025

> Nevertheless, I am a little skeptical about this approach as I think it can potentially spam the pull-request tab, as there may be many, many version bumps weekly.

Ah great point! I now recall having this annoyance in a previous project. It definitely can create a lot of PRs and IIRC it can even cause conflicts in the lock file. Should I change the interval to be monthly or even bimonthly?


@davidbtadokoro davidbtadokoro left a comment


@ivinjabraham, thanks for the answer! I thought about it longer and think making it monthly is worth the shot. I also added two simple comments, so see if you can address them.

Comment on lines 9 to 13

```yaml
groups:
  all-dependencies:
    applies-to: version-updates
    patterns:
      - "*"
```

Can you explain why we did this here? It seems that groups isn't obligatory. I imagine you are doing it due to version-updates, which my search pointed out doesn't consider "minor" releases like bug fixes. If I am right, maybe we can make the update unrestricted and see if it works.

```yaml
- package-ecosystem: "cargo"
  directory: "/"
  schedule:
    interval: "weekly"
```

As mentioned in your comment, let's make it monthly and see how it works out.

Added a `.github/dependabot.yml` configuration file to enable dependabot
for automatically bumping versions of dependencies when possible. This
helps dependencies stay up to date.

Signed-off-by: Ivin Joel Abraham <ivinjabraham@gmail.com>
@davidbtadokoro
Collaborator

Thanks again! Let's give it a shot and see if it works! The only change I made was to limit the PRs to 10 instead of 1 and the commit message from ci: ... to feat: ... (again, all cataloged in the commit message). I think 10 PRs is a lot, but we should deal with this "chaos" to make patch-hub more stable. I also read that Dependabot keeps a queue of the PRs it couldn't open, so making this number small would only delay the inevitable, right?

Change merged into the unstable branch 👍

@ivinjabraham
Contributor Author

> The only change I made was to limit the PRs to 10 instead of 1 [...] I also read that Dependabot keeps a queue of the PRs it couldn't open, so making this number small would only delay the inevitable, right?

I haven't confirmed this in practice, but from what I read, Dependabot automatically updates an existing PR if a new version for the same crate is detected. And since we're grouping all crates into one PR, then I don't think the PR limit changes anything. That's why I made the change from 10 to 1.

@davidbtadokoro
Collaborator

> I haven't confirmed this in practice, but from what I read, Dependabot automatically updates an existing PR if a new version for the same crate is detected. And since we're grouping all crates into one PR, then I don't think the PR limit changes anything. That's why I made the change from 10 to 1.

Oh, my bad! I didn't know about this! I will make a PR fixing this. Thanks for the heads-up!
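As an added illustration (not the `.github/dependabot.yml` from this PR), here is a configuration that puts together the settings the thread settles on: Cargo ecosystem, monthly checks, a single catch-all group for version updates, PRs sent to `unstable`, a `feat:` commit prefix and an explicit open-PR limit. The group name, the `target-branch` value and the limit are assumptions taken from the discussion rather than from the merged file.

```yaml
# Added example; values follow the thread's discussion, not the merged file.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"             # where Cargo.toml and Cargo.lock live
    schedule:
      interval: "monthly"      # lowered from weekly to reduce PR noise
    target-branch: "unstable"  # assumption: branch the thread says bumps go to
    commit-message:
      prefix: "feat"           # thread changed this from "ci" to "feat"
    # With one catch-all group, all version bumps land in a single PR that
    # Dependabot refreshes when newer crate versions appear, so this limit
    # only matters for updates that fall outside the group. It does not
    # apply to security updates, which have their own internal limit.
    open-pull-requests-limit: 1
    groups:
      all-dependencies:
        applies-to: version-updates   # security updates are not grouped here
        patterns:
          - "*"
```

Security updates are still opened as separate PRs regardless of the group, so a monthly interval does not delay a fix for a crate with a known advisory.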
