Merged
80 changes: 73 additions & 7 deletions .github/dependabot.yml
@@ -1,20 +1,86 @@
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference

version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
groups:
gha-deps:
patterns:
- "*"

- package-ecosystem: "cargo"
directory: "/src/rust"
open-pull-requests-limit: 5
rebase-strategy: auto
groups:
rust-security-updates:
Member Author

Hypothetically, this should create 2 PRs - one for security updates (important, but less invasive) - while the generic version updates are more informational and can be skipped or ignored.

Right now, it's just batching everything into version updates.

applies-to: security-updates
patterns:
- "*"
update-types:
- "minor"
- "patch"
rust-version-updates:
applies-to: version-updates
patterns:
- "*"
labels:
- "category:internal"
schedule:
interval: "weekly"
day: "wednesday"
time: "03:00"
timezone: "US/Pacific"
Member Author

Unnecessarily specific - implies there is currently a reason for precisely this, which isn't the case at the moment.

- "dependencies"
- "release-notes:not-required"
reviewers:
Member Author

Only have default reviewers for Rust, as I don't want to hammer everyone with updates

- benjyw
- cburroughs
- huonw
- sureshjoshi
- tdyas
- tgolsson
schedule:
interval: "weekly"

- package-ecosystem: pip
directory: "/3rdparty/python"
groups:
python-security-updates:
applies-to: security-updates
Contributor

What does this do? Is it intended to just be things with a CVE? (The screenshot looked like a wider net.)

Member Author

Yeah, so, what I'm trying to get set up is to split out security-only updates from general version updates. So far, it doesn't seem to be working - but that might be a result of issues being so out of date that any security update is necessarily a version update - and it gets captured there. I won't really know until this lands and we watch it for a few iterations to see how it plays out over time.

Member Author

Spirit being, security updates are more urgent, generally fewer breaking changes, and overall quicker to land

patterns:
- "*"
update-types:
- "minor"
- "patch"
python-version-updates:
applies-to: version-updates
patterns:
- "*"
labels:
- "category:internal"
- "dependencies"
- "release-notes:not-required"
schedule:
interval: weekly

- package-ecosystem: "npm"
directories:
- "build-support/**/*"
- "src/python/pants/backend/javascript/**/*"
- "src/python/pants/backend/typescript/**/*"
- "testprojects/src/js/**/*"
groups:
js-security-updates:
applies-to: security-updates
patterns:
- "*"
update-types:
- "minor"
- "patch"
js-version-updates:
applies-to: version-updates
patterns:
- "*"
labels:
- "category:internal"
- "dependencies"
- "release-notes:not-required"
schedule:
interval: "weekly"
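Review bot: the three `applies-to: security-updates` groups (`rust-security-updates`, `python-security-updates`, `js-security-updates`) each carry `update-types: ["minor", "patch"]`, so a security fix that can only be satisfied by a major version bump falls outside the group and is opened as a separate, ungrouped pull request; if the goal is one fast-moving PR for every security fix, drop the `update-types` filter from the security groups and keep it only on the version-update groups where breaking changes are the concern. Also, grouping under `applies-to: security-updates` only takes effect when Dependabot security updates are enabled for the repository, which is the first thing to verify given the observation above that everything keeps landing in the `*-version-updates` groups. Minor: `open-pull-requests-limit: 5` on the cargo entry restates the default and governs version updates only (security updates have their own internal limit), so either drop it or set it explicitly on the pip and npm entries too for consistency.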
4 changes: 2 additions & 2 deletions pants
Expand Up @@ -4,8 +4,8 @@

# This bootstrap script runs pants from the live sources in this repo.
#
# The script defaults to running with either Python 3.7 or Python 3.8. To use another Python version,
# prefix the script with `PY=python3.8`.
# The script defaults to running with Python 3.11. To use another Python version,
# prefix the script with `PY=python3.14`.

set -eo pipefail
