Enable dependabot updates to conda environment.yml file #152
Conversation
Currently in beta. Set update interval to monthly with cooldown of 7 days, and PR limit of 2 at a time.
|
|
|
The reviewer will need to re-lock the environment, right? Can we customize the dependabot message in any way? It'd be nice to include those instructions in the PR. From preliminary research, looks like we can't do this. |
|
We could add a workflow which adds a comment to a PR |
Yes
Only the commit message at https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message-- can be modified it seems.
Pangeo-docker-images has this workflow https://github.com/pangeo-data/pangeo-docker-images/blob/master/.github/workflows/PR.yml that automatically adds a |
Write `/condalock` command on dependabot PRs modifying environment.yml files. Adapted from https://github.com/pangeo-data/pangeo-docker-images/blob/2025.08.14/.github/workflows/PR.yml, with extra security hardening by Zizmor (e.g. https://docs.zizmor.sh/audits/#bot-conditions).
| jobs: | ||
| DeployPangeoBot: | ||
| runs-on: ubuntu-latest | ||
| if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name |
There was a problem hiding this comment.
workflow which adds a comment to a PR
if: github.actor == 'dependabot[bot]'?
Using a more secure variant here based on https://docs.zizmor.sh/audits/#bot-conditions that should help to avoid https://www.synacktiv.com/publications/github-actions-exploitation-dependabot
|
@mfisher87, ok if you take another look? |
|
@mfisher87 let us know if you have any other thoughts. |
mfisher87
left a comment
mfisher87
left a comment
There was a problem hiding this comment.
LGTM, sorry this fell through the cracks :X
| # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference | ||
|
|
||
| version: 2 | ||
| enable-beta-ecosystems: true |
There was a problem hiding this comment.
Can this be removed now that conda support is GA?
There was a problem hiding this comment.
Actually according to dependabot/dependabot-core#2227 (comment), they rolled back general availability 😭 But I saw they recently merged https://github.com/dependabot/dependabot-core/pull/13590/files which seems to suggest that using enable-beta-ecosystems: true might work, so let's merge this in to try 🤞
There was a problem hiding this comment.
Oo nice, it did work! See PR opened at #159. There's some permissions error though so will need to fix that.
Currently
in betareleased! Set update interval to monthly with cooldown of 7 days, and PR limit of 2 at a time.Hoping that this will alleviate the maintenance burden of keeping packages up to date, and make
~=pinning more feasible (xref #46 (comment)).See example in the wild at eqasim-org/eqasim-france@57f890d, with example update PR at eqasim-org/eqasim-france#358.
References: