Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Document how to handle Dependabot pull requests. #14916

Merged
merged 1 commit into from
Jan 25, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/14916.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Document how to handle Dependabot pull requests.
14 changes: 14 additions & 0 deletions docs/development/dependencies.md
Original file line number Diff line number Diff line change
Expand Up @@ -258,6 +258,20 @@ because [`build`](https://github.com/pypa/build) is a standardish tool which
doesn't require poetry. (It's what we use in CI too). However, you could try
`poetry build` too.

## ...handle a Dependabot pull request?

Synapse uses Dependabot to keep the `poetry.lock` file up-to-date. When it
creates a pull request a GitHub Action will run to automatically create a changelog
file. Ensure that:

* the lockfile changes look reasonable;
* the upstream changelog file (linked in the description) doesn't include any
breaking changes;
* continuous integration passes (due to permissions, the GitHub Actions run on
the changelog commit will fail, look at the initial commit of the pull request);

In particular, any updates to the type hints (usually packages which start with `types-`)
should be safe to merge if linting passes.

# Troubleshooting

Expand Down