
Use grouped version updates for Dependabot

Open shenxianpeng opened this issue 9 months ago • 7 comments

What's the problem this feature will solve?

There are many pull requests for Python dependency updates created by Dependabot, which are then closed by github/composite-prs (see #15907), and a lot of notifications are also generated for watchers of the project.


Describe the solution you'd like

It may be best to use grouped version updates for Dependabot.

As mentioned above in this README, a core reason why this Action exists is to "combine multiple Dependabot PRs into one". Work on this Action was completed before the GitHub blog post was published and the Dependabot grouped version updates feature was released.

This is also mentioned in the README of combine-prs, as quoted above.

For example, if groups are used, it will work like this: https://github.com/jenkinsci/kubernetes-operator/pull/1004

I see that groups seem to be used in dependabot.yml, but not for all Python dependencies; I'm not sure why, and it doesn't seem to work. Maybe I'm mistaken.

https://github.com/pypi/warehouse/blob/fd493259d840828d4f07bd6d7027980cdf767451/.github/dependabot.yml#L21

shenxianpeng avatar May 06 '24 16:05 shenxianpeng
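For reference, here is an added example (not the warehouse repository's actual dependabot.yml, which is linked above) of what a grouped version update configuration for the pip ecosystem looks like; the group name, directory and schedule are assumptions:

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"            # assumption: requirements files live at the repository root
    schedule:
      interval: "weekly"      # assumption: pick whatever cadence the project already uses
    groups:
      # One pull request for all matching Python dependency bumps instead of
      # one pull request per package. The group name is an assumption.
      python-dependencies:
        patterns:
          - "*"
        # Only minor and patch bumps are grouped; major bumps fall outside the
        # group and still arrive as individual PRs so breaking changes get their
        # own review.
        update-types:
          - "minor"
          - "patch"
```

Any dependency that does not match a group is still updated in its own pull request, so the existing narrow groups for dependencies that must move together can be kept alongside a catch-all group by using exclude-patterns on the catch-all.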

Hi @shenxianpeng !

Thanks for the suggestion - as you can see, we use the groups specifically for dependencies that should be updated together.

Thanks for sharing the jenkinsci link - beyond that example, can you share your experience with grouped updates?

Is the main issue here that you're receiving many notifications? That's something you can tailor on your end - either by changing the Watching settings, or even applying an email filter.

miketheman avatar May 06 '24 18:05 miketheman

Hi @miketheman thanks for your reply!

In my view, the main problem is that a large number of pull requests are created and closed for each bump. The more natural way would be to create a pull request with grouped updates and then review and merge them. Using the groups function would be more elegant than using github/composite-prs.

shenxianpeng avatar May 07 '24 04:05 shenxianpeng

Hey @shenxianpeng ! Thanks for the perspective.

I don't have time to tinker with this right now, but if you wanted to send a pull request with the desired changes, I'll gladly take a look.

miketheman avatar May 07 '24 15:05 miketheman

Yes, I will, @miketheman.

shenxianpeng avatar May 07 '24 15:05 shenxianpeng

After merging the changes, I've seen both the automatic job run and a manual trigger - and they both time out after ~1 hour.

Individual updates take about ~3-4 minutes to run.

Here's a docs section on timeouts and what to do for them: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-timed-out-during-its-update

It may be best for us to revert the changes for now and restore the manual combine job.

miketheman avatar May 09 '24 14:05 miketheman

It may be best for us to revert the changes for now and restore the manual combine job.

Yes, agreed. Sorry for the inconvenience. I'll use the fork repository of warehouse to look at that later.

shenxianpeng avatar May 09 '24 20:05 shenxianpeng

This is a late update. From testing, Dependabot still cannot successfully update the Python dependencies of the warehouse repository, and the following error occurs. This problem should only be resolved on the Dependabot side.


Clicking the log button shows the error details.

Troubleshoot Dependabot errors

shenxianpeng avatar Jul 31 '24 12:07 shenxianpeng