Introduce renovate dependency manager #297
No longer needed for quite a while now, and the build-system is hatchling not setuptools, so it shouldn't even work properly. Signed-off-by: Cristian Le <git@lecris.dev>
Primarily needed for tests and docs for downstream packaging, but in practice, there is no reason to be conservative on the sdist size for non-compiled python packages. Only packagers would be using the sdist and they would rather have the source as close to the git archive as possible (and hatchling does that by default) Signed-off-by: Cristian Le <git@lecris.dev>
Trying to mirror all existing checks into pre-commit. `mypy` was intentionally left out because it does not work well with dependencies Signed-off-by: Cristian Le <git@lecris.dev>
These are not yet being used in the CI or Makefile. More design work is needed Signed-off-by: Cristian Le <git@lecris.dev>
Also convert them to `dependency-groups` Signed-off-by: Cristian Le <git@lecris.dev>
The upgrades are postponed to use uv.lock instead or pylock.toml if pip learns how to use it Signed-off-by: Cristian Le <git@lecris.dev>
Signed-off-by: Cristian Le <git@lecris.dev>
Signed-off-by: Cristian Le <git@lecris.dev>
Signed-off-by: Cristian Le <git@lecris.dev>
I don't think I want to enable renovatebot, dependabot, or any other automated updates, in this project. This is a hobby project for me. I don't get paid to do any of this. I simply don't want the noise of constant incoming automated PRs that I would feel compelled to look into. I want to prioritize PRs from human beings (which I'm sure you've noticed isn't always timely either, and I'm sorry about that). I dislike what regularly merged automated PRs do to a project's git history and authorship. I've looked at projects where the git history is all "Bump foo from v1.2.3 to v1.2.4" and "Update dependency bar to v1.2.5", and the top contributors are dependabot and renovatebot. I think it's just noise. Finally, I think the automated changes give a false sense of a project's activity. I value being able to look at a project and gauge how active it has been recently. I want to give a real picture about the human effort being put into the project, even if it's not very active at times. I've seen projects that make releases with dozens of automated updates only, and that's pretty much the opposite of what I want to do. I still very much appreciate the other cleanups and improvements in the PR, but I think they're being covered by other PRs now.
This is precisely why I recommend renovatebot instead of dependabot. Believe me, I understand your situation as I maintain a similar project that at best releases once a year for new python releases. The reason for renovatebot is that it creates only 1 PR which you can attend to at your own pace. It would just rebase itself whenever a newer dependency is found.
This requires onboarding the renovate GitHub App: https://docs.renovatebot.com/getting-started/installing-onboarding/#hosted-githubcom-app
In principle this should update the pre-commits, github actions and uv.lock file all in only 2 PRs:
One big advantage of renovate over dependabot is that renovate will rebase its PRs instead of constantly closing and opening new ones, so you are more free to attend to them at your own time.
Renovate can show you the expected changes of this, but it can only work with branches on the same repo, so I can only show its report on my fork: LecrisUT#2 (comment)
Depends on: #295