ci: Automatically update GitHub Actions #497
Conversation
DimitriPapadopoulos
force-pushed
the
actions
branch
from
ba233a6
to
b464915
Compare
|
The linter issue seems unrelated. Perhaps an internal CI bug? |
|
I try to keep this repo minimal for easier maintenance, and easier onboarding for new contributors. I'm not sure this change has a big benefit, given that yamllint only has 2 dependencies ( (I apologize if I misunderstood the purpose of this pull request, if this is the case could you explain the goal of it in the commit message?) |
|
It just updates GitHub actions, not Python dependencies. Like #493, but it automates the creation of the merge request. |
DimitriPapadopoulos
force-pushed
the
actions
branch
from
b464915
to
a1627cc
Compare
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" |
There was a problem hiding this comment.
None of the strings in this YAML document need to be quoted 🙂
There was a problem hiding this comment.
I know, but they are always quoted in the reference documentation Configuration options for the dependabot.yml file, as well as other occurrences of .github/dependabot.yml.
I choose to stick to what is done elsewhere, rather than minimising the YAML file contents.
|
I don't see this PR-opening automation as something very useful nor as a time-saver. So unless I miss a big benefit (in which case it should go in the commit message), I'd prefer staying without it and keep the codebase minimal. What do you think? (By the way I try to stay alert about security updates for PyYAML and Pathspec!) |
|
Automation in this case should not be seen as a timer-saver, but as a reminder. You will be notified (by an automated pull request) when new versions of GitHub Actions are available. |
DimitriPapadopoulos
force-pushed
the
actions
branch
from
a1627cc
to
0b6aad6
Compare
|
I took time to read the documentation (especially the one you just posted https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot), and frankly I don't see the need for such a change (for the above reasons). If you're OK I'd rather keep the codebase minimal and straightforward to dive into. |
|
I see many projects hosted in GitHub use Dependabot to automatically notify of updates of dependencies. I guess they are happy with the functionality. The downside might be how complex the CI environment itself is getting – sometimes more intricate than the code itself. However, Dependabot itself is pretty simple. I would recommend adding Dependabot, but certainly can understand that you would like to avoid it in a project with few dependencies. |
DimitriPapadopoulos
force-pushed
the
actions
branch
from
0b6aad6
to
cbcd444
Compare
DimitriPapadopoulos
force-pushed
the
actions
branch
2 times, most recently
from
4806f6f
to
eaa1224
Compare
|
For what it's worth, this PR would tick a box in the issues reported by the Repo-Review of Scientific Python:
|
DimitriPapadopoulos
force-pushed
the
actions
branch
from
eaa1224
to
ad0c92a
Compare
|
OK, I note that Scientific Python encourages this. In my opinion there is no urge to keep GitHub Action files always up-to-date, and I prefer keeping this repo as simple as possible. |
DimitriPapadopoulos
force-pushed
the
actions
branch
from
ad0c92a
to
d3be61f
Compare
Configuration options for the dependabot.yml file