Allowing Dependabot access to the numpy repo


Allowing Dependabot access to the numpy repo

mattip
Administrator

In PR 14378 https://github.com/numpy/numpy/pull/14378 I moved all our python test dependencies to a test_requirements.txt file (for building numpy the only requirement is cython). This is worthy since it unifies the different "pip install" commands across the different CI systems we use. Additionally, there are services that monitor the file and will issue a PR if any of those packages have a new release, so we can test out new versions of dependencies in a controlled fashion. Someone suggested Dependabot (thanks Ryan), which turns out to be run by a company bought by github itself.


When signing up for the service, it asks for permissions: https://pasteboard.co/IuTeWNz.png. The service is in use by other projects like cpython. Does it seem OK to sign up for this service?


Matti


_______________________________________________
NumPy-Discussion mailing list
[hidden email]
https://mail.python.org/mailman/listinfo/numpy-discussion

Re: Allowing Dependabot access to the numpy repo

Juan Nunez-Iglesias-2
I'm confused about why it needs write access to code... if I were doing this for scikit-image I would possibly clone the code to a new repo.


_______________________________________________
NumPy-Discussion mailing list
[hidden email]
https://mail.python.org/mailman/listinfo/numpy-discussion

Re: Allowing Dependabot access to the numpy repo

Ryan May-3
In reply to this post by mattip
Hi,

The answer to why Dependabot needs write permission seems to be to be able to work with private repos:

https://github.com/dependabot/feedback/issues/22

There doesn't seem to be any way around it... :(

Ryan



--
Ryan May



Re: Allowing Dependabot access to the numpy repo

Nathaniel Smith
AFAICT all these services work by creating branches inside your repo and then making a PR from that - they don't make their own forks. (Which makes some sense when you consider they would need tens of thousands of forked repos for all the projects they work with.)

I don't think there's any need to worry about giving GitHub Inc. (dba Dependabot) write permissions to a GitHub repo, though.

You do maybe want to set up CI so that it doesn't run on these branches, since it will also run on the PRs, and running CI twice on the same branch is slow and wasteful.

-n

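A concrete version of the CI tweak Nathaniel describes, added here as an example; it is not from the thread and is not numpy's own CI configuration. It assumes a GitHub Actions workflow (numpy's CI services at the time are not shown on this page), and that Dependabot pushes its update branches under the `dependabot/` prefix, which is the prefix Dependabot uses. The push trigger ignores those branches so each update commit is tested once, through its pull request, and the job token is scoped to read-only, the least privilege a test job needs:

```yaml
# .github/workflows/tests.yml -- added example, not numpy's real workflow
name: tests

on:
  push:
    branches-ignore:
      # Dependabot pushes an update branch and opens a PR from it; the PR
      # event below already tests that commit, so skip the push event.
      - 'dependabot/**'
  pull_request:

# Least privilege for GITHUB_TOKEN: running the test suite only needs to
# read the checkout. A compromised test dependency cannot push with this.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install build and test dependencies
        # cython is the only build requirement; everything else comes from
        # the test_requirements.txt file the thread introduces.
        run: |
          python -m pip install --upgrade pip
          python -m pip install cython -r test_requirements.txt
      - name: Build and test
        run: |
          python -m pip install .
          python -m pytest --pyargs numpy
```

Because the workflow still fires on `pull_request`, every Dependabot PR is tested exactly once, and the read-only `permissions` block is what keeps the bot's write access to branches from turning into write access for whatever the new dependency version executes during the tests.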

Re: Allowing Dependabot access to the numpy repo

mattip
Administrator
Discussion has died down, I think the consensus is to use Dependabot. I will proceed with allowing it access.

Thanks,

Matti


On 29/8/19 12:07 pm, Nathaniel Smith wrote:

> AFAICT all these services work by creating branches inside your repo
> and then making a PR from that - they don't make their own forks.
> (Which makes some sense when you consider they would need tens of
> thousands of forked repos for all the projects they work with.)
>
> I don't think there's any need to worry about giving GitHub Inc. (dba
> Dependabot) write permissions to a GitHub repo, though.
>
> You do maybe want to set up CI so that it doesn't run on these
> branches, since it will also run on the PRs, and running CI twice on
> the same branch is slow and wasteful.
>
> -n
>
> On Thu, Aug 29, 2019, 01:45 Ryan May <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Hi,
>
>     The answer to why Dependabot needs write permission seems to be to
>     be able to work with private repos:
>
>     https://github.com/dependabot/feedback/issues/22
>
>     There doesn't seem to be any way around it... :(
>
>     Ryan
>