github: Add dependabot configuration #81812
base: main
Add a GH dependabot configuration to check for updates for github actions and pip dependencies once a week. Signed-off-by: Pieter De Gendt <[email protected]>
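A Dependabot configuration of the kind the PR description refers to, written here as an added example rather than the file from this PR. The two ecosystems and the weekly schedule follow the description; the `commit-message` prefixes, `labels`, the `/scripts` requirements directory and the pull-request limit are assumptions added to illustrate the per-area PR titles and labelling discussed in the comments.

```yaml
# .github/dependabot.yml (example, not the file from this PR)
version: 2
updates:
  # Keep the actions referenced in .github/workflows/*.yml current.
  # Actions pinned to a tag or SHA get an update PR when a newer release exists.
  - package-ecosystem: "github-actions"
    directory: "/"            # workflows are discovered under .github/workflows
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "ci"            # assumed prefix so PR titles read "ci: bump ..."
    labels:
      - "area: Continuous Integration"   # assumed label name
    open-pull-requests-limit: 5          # assumed cap on concurrent update PRs

  # Check pip requirements files. Dependabot only proposes a bump for an entry
  # whose specifier it can tighten, so loosely bounded (">=") entries produce
  # fewer PRs than exact ("==") pins.
  - package-ecosystem: "pip"
    directory: "/scripts"     # assumed location of the requirements*.txt files
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "scripts"       # assumed prefix for the Python tooling area
    labels:
      - "area: Python scripts"           # assumed label name
```

Dependabot reads this file from the default branch only, so a configuration merged to `main` does not by itself cover release branches; keeping dependencies aligned across active branches remains a manual step, which is the maintenance cost raised in the discussion.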
I do not see much point in enabling Dependabot right now when we do not currently version-lock packages (we should look into doing that as previously discussed ...).
Thanks for finally sending the PR I kept delaying forever :)
I had done it slightly differently for the sake of having slightly better PR titles with proper prefixes based on the area. Can't recall why I didn't put any label (it might be that the dependabot "user" doesn't have permission to set them? Really don't remember, sorry) but that would be a nice addition too?
6b14bea
Yep but it is useful for GH actions nevertheless, as this can let us know when to bump the not-fully-locked-but-still-somewhat-pinned versions.
I like yours better! The default dependabot labels aren't really useful so we should let zephyr bot do that part. EDIT: we should however
Yes, we can simply set fixed versions in the requirements files. This would increase reproducibility and prevent packages from breaking our users' environments.
Fixed versions would also likely introduce version incompatibilities with other requirements (e.g. for downstream tooling). It also means more work on maintaining release branches, ensuring dependencies are updated in all active branches as well. We have discussed this in the past and opted not to lock on versions unless really needed.
How about something like lock files? Having a pretty loose description of minimum versions, but then adding a refreshed lock file on each release? People can still ignore/update it, but one would be able to restore a "same-versions-as-back-then" Zephyr build environment many years in the future.