chore: enable dependabot using uv for auto-bumping python packages #32501
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It appears `dependabot` support for `uv` is in beta, so switching it on here to see how it behaves. Depending on results, we may have to tune it or outright turn it off if it doesn't behave as expected. While reading through docs and issues, it appears that dependabot uses a bit of magic (over configuration), while making assumptions based on file names and comments in their respective headers (the requirements/*.txt files contain a comment referencing how they were generated). Some success criteria: - respecting ranges specified in `pyproject.toml` and overrides in `requierments/*.in` files - bump one lib at a time - more difficultly: alter both `requirements/*.txt` files atomically, meaning if for example `flask` is bumped in `base.txt`, it should also be updated in `development.txt`, with matching version numbers Depending on results, we'll tune configurations and report issues in the dependabot repo, give this approach a fair shot. If efforts shows signs to be a dead end, we'll likely revert to fixing up `supersetbot` with a tailored process. The bot has features (now broken since we moved from `pip-compile-multi` to `uv`) that could be desirable, like bumping all libs in a dependency branch in a single PR (bundling upgrades), and is more configurable overall, allowing for custom runs with specific parameters. More about it here: dependabot/dependabot-core#10040 (comment)
mistercrunch
requested review from
villebro,
geido,
eschutho,
rusackas,
betodealmeida,
nytai,
craig-rueda,
kgabryje and
dpgaspar
as code owners
![korbit-ai[bot]](https://avatars.githubusercontent.com/in/322216?s=60&v=4){kind=small}
There was a problem hiding this comment.
I've completed my review and didn't find any issues.
Need a new review? Comment
/korbit-reviewon this PR and I'll review your latest changes.Korbit Guide: Usage and Customization
Interacting with Korbit
- You can manually ask Korbit to review your PR using the
/korbit-reviewcommand in a comment at the root of your PR.- You can ask Korbit to generate a new PR description using the
/korbit-generate-pr-descriptioncommand in any comment on your PR.- Too many Korbit comments? I can resolve all my comment threads if you use the
/korbit-resolvecommand in any comment on your PR.- Chat with Korbit on issues we post by tagging @korbit-ai in your reply.
- Help train Korbit to improve your reviews by giving a 👍 or 👎 on the comments Korbit posts.
Customizing Korbit
- Check out our docs on how you can make Korbit work best for you and your team.
- Customize Korbit for your organization through the Korbit Console.
Current Korbit Configuration
General Settings
Setting Value Review Schedule Automatic excluding drafts Max Issue Count 10 Automatic PR Descriptions ❌ Issue Categories
Category Enabled Documentation ✅ Logging ✅ Error Handling ✅ Readability ✅ Design ✅ Performance ✅ Security ✅ Functionality ✅ Feedback and Support
Note
Korbit Pro is free for open source projects 🎉
Looking to add Korbit to your team? Get started with a free 2 week trial here
5 tasks
rusackas
added
the
review:checkpoint
|
Let's see what happens, go dependabot! |
sadpandajoe
removed
the
review:checkpoint
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It appears
dependabotsupport foruvis in beta, so switching it on here to see how it behaves. Depending on results, we may have to tune it or outright turn it off if it doesn't behave as expected.While reading through docs and issues, it appears that dependabot uses a bit of magic (over configuration), while making assumptions based on file names and comments in their respective headers (the requirements/*.txt files contain a comment referencing how they were generated).
Some success criteria:
pyproject.tomland overrides inrequierments/*.infilesrequirements/*.txtfiles atomically, meaning if for exampleflaskis bumped inbase.txt, it should also be updated indevelopment.txt, with matching version numbersDepending on results, we'll tune configurations and report issues in the dependabot repo, give this approach a fair shot. If efforts shows signs to be a dead end, we'll likely revert to fixing up
supersetbotwith a tailored process. The bot has features (now broken since we moved frompip-compile-multitouv) that could be desirable, like bumping all libs in a dependency branch in a single PR (bundling upgrades), and is more configurable overall, allowing for custom runs with specific parameters.More about it here: dependabot/dependabot-core#10040 (comment)