chore: Add Dependabot for depenency updates #27717
Conversation
|
Maybe the python part should be skipped, as I see there is something else with https://github.com/web-platform-tests/wpt/blob/master/.pyup.yml that may already do that part |
|
I believe there was a reason we chose not to use dependabot, but I've forgotten what it was. @gsnedders ? |
|
It may be worth keeping the |
Being able to restrict the versions it updates to; like how we have |
|
Yeah, it looks like their filtering is different, and might not support that syntax https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#specifying-dependencies-and-versions-to-ignore Should I drop the PIP part, but keep the NPM and Actions? |
|
Skipping PIP for now sounds good. Even if we want to do it, it's good to do it separately so it's easier to revert just that if it turns out to not work well. |
nschonni
force-pushed
the
add-dependabot
branch
from
1bd1480
to
07e1b2f
Compare
|
OK, rebased out the PIP part, and left in the GitHub Actions + NPM updating |
nschonni
force-pushed
the
add-dependabot
branch
from
07e1b2f
to
a06ffcc
Compare
nschonni
force-pushed
the
add-dependabot
branch
from
a06ffcc
to
abe7a4c
Compare
|
So if the concern with dependabot was Python-version-specific pinning, I think we could switch to that now that we're on Py3? |
|
It that was the only issue, then having a single dependency bumper would be great! |
|
let me know if you want to add back Python and/or drop pyup here, or if it's better for you folks to do that in a separate PR |
|
I'll defer to @jgraham on that. |
|
So it looks like Dependabot will also send updates to forks: https://github.com/autofoolip/wpt/pulls. Judging by dependabot/dependabot-core#2804 it might not affect all forks. Has anyone else gotten a bunch of PRs? |
Skip double building for branches since the updates get submitted as PRs