From 1b318fdca76df96136ef5164a1cc175a04622d7a Mon Sep 17 00:00:00 2001
From: WheresAlice
Date: Sun, 18 Dec 2022 08:10:23 +0100
Subject: [PATCH] chore: handle dependencies better

We should set specific versions of Python dependencies in requirements.txt for repeatability
But we should also keep these versions updated to ensure we are handling security updates
This change sets specific versions of packages in requirements.txt and automates the use of dependabot and mergify to handle upgrades
---
 .github/dependabot.yml | 34 +++++++++++++++++++++++++++++++
 .github/mergify.yml | 29 +++++++++++++++++++++++++++
 requirements.txt | 45 ++++++++++++++++++++++++++++++------------
 3 files changed, 95 insertions(+), 13 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/mergify.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..356130d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,34 @@
+version: 2
+updates:
+ # Maintain dependencies for python
+ - package-ecosystem: "pip"
+ target-branch: "main"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ labels:
+ - "chore"
+ open-pull-requests-limit: 10
+
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ target-branch: "main"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ labels:
+ - "chore"
+ open-pull-requests-limit: 10
+
+ # Maintain dependencies for Docker
+ - package-ecosystem: "docker"
+ target-branch: "main"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ labels:
+ - "chore"
+ open-pull-requests-limit: 10
diff --git a/.github/mergify.yml b/.github/mergify.yml
new file mode 100644
index 0000000..91730df
--- /dev/null
+++ b/.github/mergify.yml
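Review bot: `target-branch: "main"` on all three entries works against the commit's stated goal of handling security updates: per GitHub's Dependabot documentation, once `target-branch` is set the entry's settings (labels and so on) no longer apply to security-update pull requests, and version updates are raised against the default branch anyway. If `main` is the repository's default branch the key is redundant and should be dropped; if it is not, a comment should say why a non-default branch is targeted. Independently of that, the `schedule` block only drives version updates — security-alert PRs are raised as soon as an advisory matches, provided Dependabot security updates are enabled in the repository settings — so a comment such as `# schedule applies to version updates only; security-alert PRs are not bound to it` would stop readers from reading the weekly Friday cadence as the security-fix latency. Friday is also a poor day for updates that the accompanying Mergify rule merges unattended, since a broken build then surfaces over the weekend.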
@@ -0,0 +1,29 @@
+pull_request_rules:
+
+ # ===============================================================================
+ # DEPENDABOT
+ # ===============================================================================
+
+ - name: Automatic Merge for Dependabot Minor Version Pull Requests
+ conditions:
+ - -draft
+ - author~=^dependabot(|-preview)\[bot\]$
+ - check-success='test (1.16.x, ubuntu-latest)'
+ - check-success='test (1.17.x, ubuntu-latest)'
+ - title~=bump [^\s]+ from ([\d]+)\..+ to \1\.
+ actions:
+ review:
+ type: APPROVE
+ message: Automatically approving dependabot pull request
+ merge:
+ method: rebase
+ - name: Alert on major version detection
+ conditions:
+ - author~=^dependabot(|-preview)\[bot\]$
+ - check-success='Python application / build (push)'
+ - -title~=bump [^\s]+ from ([\d]+)\..+ to \1\.
+ actions:
+ comment:
+ message: "⚠️ @wheresalice: this is a major version bump and requires your attention"
+ assign:
+ users: ["wheresalice"]
diff --git a/requirements.txt b/requirements.txt
index 2940f4d..3949f7c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,13 +1,32 @@
-Django>=4.0,<5.0
-psycopg2-binary>=2.8
-django-phonenumber-field[phonenumberslite]
-twilio
-gunicorn
-django-environ
-whitenoise
-pybrake
-behave-django
-freezegun
-requests
-codename-generator
-polib
+accumulation-tree==0.6.2
+asgiref==3.5.2
+beautifulsoup4==4.11.1
+behave==1.2.6
+behave-django==1.4.0
+certifi==2022.12.7
+charset-normalizer==2.1.1
+codename-generator==1.1.3
+Django==4.1.4
+django-environ==0.9.0
+django-phonenumber-field==7.0.1
+freezegun==1.2.2
+gunicorn==20.1.0
+idna==3.4
+parse==1.19.0
+parse-type==0.6.0
+phonenumberslite==8.13.2
+polib==1.1.1
+psycopg2-binary==2.9.5
+pybrake==1.10.0
+PyJWT==2.6.0
+python-dateutil==2.8.2
+pytz==2022.6
+pyudorandom==1.0.0
+requests==2.28.1
+six==1.16.0
+soupsieve==2.3.2.post1
+sqlparse==0.4.3
+tdigest==0.5.2.2
+twilio==7.15.4
+urllib3==1.26.13
+whitenoise==6.2.0
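Review bot: The auto-approve/auto-merge rule gates on `check-success='test (1.16.x, ubuntu-latest)'` and `'test (1.17.x, ubuntu-latest)'`, which read like a Go toolchain matrix, while the sibling alert rule in the same file gates on `check-success='Python application / build (push)'` and the project's manifest is a Python requirements.txt; if no job with the first names exists in this repository's workflows the merge rule can never fire (fail-closed, but dead), and if a job is later added under that name it will silently arm unattended merging. Gate both rules on the same check — replace the two lines with `- check-success='Python application / build (push)'` — and confirm the string against the workflow's actual job name. Note also that the minor/major split is decided on the PR title, which anyone with write access can edit, and that a green check plus this regex is the entire bar for an unattended merge; consider Mergify's Dependabot-specific attributes if the version in use exposes them, and make the gating check a required status check in branch protection so the merge cannot bypass it.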
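Review bot: The new pins fix versions but carry no `--hash=sha256:...` entries, so `pip install -r requirements.txt` still trusts whatever artifact the index serves for that version; since the accompanying Mergify rule merges minor and patch bumps unattended, hash pinning is the control that would make those merges verify content rather than a version string. Generate this file with `pip-compile --generate-hashes` from a `requirements.in` listing only the direct dependencies (the thirteen entries the old file had) and install with `pip install --require-hashes -r requirements.txt`; Dependabot's pip support understands pip-compile output and should update the hash lines with the versions. Keeping the direct/transitive split also documents why entries like `accumulation-tree`, `pyudorandom` or `tdigest` are present, which the flat list does not.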