
Dependabot for plugin template and child plugins #184

Merged (6 commits), Jun 6, 2024

Conversation

GenevieveBuckley
Contributor

@GenevieveBuckley GenevieveBuckley commented May 23, 2024

Closes #120

Dependabot is a useful tool for security updates of dependencies.

It benefits our wider napari plugin ecosystem to make it as easy as possible to keep plugins up to date, and free from known security vulnerabilities.

This PR:

  • Adds a .github/dependabot.yml file, to run Dependabot on the cookiecutter template repo.
  • Adds a {{cookiecutter.plugin_name}}/.github/dependabot.yml file, to run Dependabot on the child plugin repo.
  • Adds a section to the cookiecutter README.md, explaining how to enable Dependabot in your GitHub settings.

I modeled the .github/dependabot.yml files on the Python example here: https://til.simonwillison.net/github/dependabot-python-setup

Xref: napari/napari-plugin-template#6 (both this PR and the other one are generated from the exact same branch)
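For reference, a constructed dependabot.yml of the shape this PR describes (an added illustration, not the file merged in the PR). It assumes pip dependencies declared at the repository root and uses the monthly interval the thread settled on; the grouping block is an optional extra that keeps update volume low.

```yaml
# Constructed example: .github/dependabot.yml for a napari plugin repository.
# Dependabot reads this file from the default branch once it is enabled in the
# repository's Security settings.
version: 2
updates:
  # Python dependencies (setup.cfg / pyproject.toml / requirements files at "/").
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      # Least frequent interval Dependabot offers; there is no "yearly" option.
      interval: "monthly"
    # Optional: bundle all pip bumps into a single PR per run instead of one
    # PR per package, which further reduces maintainer noise.
    groups:
      python-dependencies:
        patterns:
          - "*"

  # Pins used by the GitHub Actions workflows in .github/workflows/.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Dependabot security updates (alerts-driven PRs) are a separate repository setting from the version updates this file schedules, so enabling both is required for the "free from known security vulnerabilities" goal stated above.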


@brisvag brisvag left a comment


Love this!

@GenevieveBuckley GenevieveBuckley marked this pull request as draft May 30, 2024 01:59
@GenevieveBuckley
Contributor Author

Decisions made in the zulip discussion:

  • There should be a question about whether users want to add Dependabot to their new repositories, similar to the question about whether they want to use pre-commit.
  • We will set the Dependabot frequency to run as infrequently as possible; currently this is "monthly".
    • Juan would prefer yearly, but Dependabot does not support this.
    • If we later find monthly is too frequent for the parent template repository, then we can remove Dependabot there and just leave it as an option for users generating new child repos.

@GenevieveBuckley GenevieveBuckley marked this pull request as ready for review June 6, 2024 04:44
@GenevieveBuckley
Contributor Author

Not sure what was happening with the flaky CI test (Windows, Python 3.9). There were a couple of failures there, but I can't reproduce it, and the CI checks have all passed now.

@jni jni merged commit 00297a2 into napari:main Jun 6, 2024
12 checks passed
Linked issue (may be closed by this PR): Add dependabot to the generated plugins?