Skip to content

Enable grouped Dependabot version updates for Rust #1948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 11, 2025
Merged

Enable grouped Dependabot version updates for Rust #1948

merged 1 commit into from
Apr 11, 2025

Conversation

EliahKagan
Copy link
Member

@EliahKagan EliahKagan commented Apr 11, 2025
edited
Loading

This enables version updates for Rust dependencies, with all such updates grouped into a single PR, on a monthly cadence.

When Dependabot version updates for Rust dependencies (i.e. the cargo ecosystem) were turned off in 5f2d28e for #144, Dependabot did not yet support grouped version updates.

Clustering all the PRs to occur together once per month was possible, and it was considered and decided to be unsuitable, but that is different from a single PR to update multiple dependencies.

The comment #143 (reply in thread) noted:

...bundling its updates and making it once a month or even less often would be the preferred mode of operation.

Right now I would be hesitant to change the schedule interval in fear of an onslaught of PRs every month.

On the other hand, there may be value in seeing each PR as it contains release notes and changes...

Using grouped Dependabot version updates satisfies each of those points:

  • The update PR can be set to occur once a month. (This is furthermore independent of the cadence for other ecosystems; it does not require that GitHub Actions version updates be only once a month.)
  • It is a single PR for all updates in the cargo ecosystems, not an onslaught of multiple PRs, so long as it is configured with a single group with which the exhaustive pattern * is associated.
  • The Dependabot pull request description includes any and all of release notes, changelogs, and commits since the release being upgraded from, for each of the dependencies being upgraded.

Because we already have Dependabot security updates enabled, which are created immediately for any security advisory where Dependabot can upgrade the dependency, it should not be a problem to configure Dependabot version updates on a monthly cadence.

This will include updates with breaking changes, so long as they're consistent with explicitly declared MSRV and other constraints. This shouldn't cause a problem, since CI is fairly robust, and will thus detect most breakages. When it is necessary to make changes to adapt to new versions, changes can be committed to the Dependabot feature branch for the PR (or other techniques can be used).

To see what the first Dependabot PR after these changes is likely to look like, as well as what kind of commits to its feature branch are likely to fix it up to be ready to merge, see this experiment in my fork: EliahKagan#18

The possible harm from this change is small, since the Dependabot grouped version update PRs must still be manually approved, and since this configuration can be customized, such as to ignore some dependencies or in various other ways, or even reverted.

I may request a review on the first Dependabot grouped version update PR resulting from this configuration, however. (Edit: I have done so in #1949.)

@EliahKagan EliahKagan force-pushed the version-updates branch 2 times, most recently from da5d591 to 34e243a Compare April 11, 2025 01:27
@EliahKagan
Enable grouped Dependabot version updates for Rust
db480e7 
This enables Dependabot version updates for Rust dependencies,
with all such updates grouped into a single PR, on a monthly
cadence.

When Dependabot version updates for Rust dependencies (i.e. the
`cargo` ecosystem) were turned off in 5f2d28e for GitoxideLabs#144, Dependabot
did not yet support grouped version updates.

Clustering all the PRs to occur together once per month was
possible, and it was considered and decided to be unsuitable, but
that is different from a single PR to update multiple dependencies.

The comment
GitoxideLabs#143 (reply in thread)
noted:

> [...] bundling its updates and making it once a month or even
> less often would be the preferred mode of operation.
>
> Right now I would be hesitant to change the schedule interval in
> fear of an onslaught of PRs every month.
>
> On the other hand, there may be value in seeing each PR as it
> contains release notes and changes[...]

Using *grouped* Dependabot version updates satisfies each of those
points:

- The update PR can be set to occur once a month. (This is
  furthermore independent of the cadence for other ecosystems; it
  does not require that GitHub Actions version updates be only once
  a month.)

- It is a single PR for all updates in the `cargo` ecosystems, not
  an onslaught of multiple PRs, so long as it is configured with a
  single group with which the exhaustive pattern `*` is associated.

- The Dependabot pull request description includes any and all of
  release notes, changelogs, and commits since the release being
  upgraded from, for *each* of the dependencies being upgraded.

Because we already have Dependabot security updates enabled, which
are created immediately for any security advisory where Dependabot
can upgrade the dependency, it should not be a problem to configure
Dependabot version updates on a monthly cadence.

This will include updates with breaking changes, so long as they're
consistent with explicitly declared MSRV and other constraints.
This shouldn't cause a problem, since CI is fairly robust, and will
thus detect most breakages. When it is necessary to make changes to
adapt to new versions, changes can be committed to the Dependabot
feature branch for the PR (or other techniques can be used).

To see what the first Dependabot PR after these changes is likely
to look like, as well as what kind of commits to its feature branch
are likely to fix it up to be ready to merge, see this experiment
in a fork: #18
@EliahKagan EliahKagan marked this pull request as ready for review April 11, 2025 01:30
@EliahKagan EliahKagan enabled auto-merge April 11, 2025 01:30
@EliahKagan EliahKagan merged commit c1dd079 into GitoxideLabs:main Apr 11, 2025
22 checks passed
@EliahKagan EliahKagan mentioned this pull request Apr 11, 2025
Merged
@EliahKagan EliahKagan deleted the version-updates branch April 11, 2025 02:53
This was referenced Apr 11, 2025
Closed
Closed
EliahKagan added a commit to EliahKagan/gitoxide that referenced this pull request Apr 25, 2025
@EliahKagan
Always let Dependabot propose Cargo.lock updates
b77d156 
This fixes a bug in the `dependabot.yml` configuration since GitoxideLabs#1948,
where we intend Dependabot to include the effect of `cargo update`,
but this does not happen because `dependency-type: all` was not
explicitly allowed.

This does not make an analogous change to the Dependabot
configuration for GitHub Actions, because `all` and `direct`
currently have the same effect for them (and it is not obvious how
it would work if that ever changes, or which we would prefer).

For details on why this is needed for Dependabot to update most
locked dependencies in `Cargo.lock` aside from the case where the
update is done as part of updating a `Cargo.toml` dependency, see:

- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated
- https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-allow
This was referenced Apr 25, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@EliahKagan