chore(ci): add Dependabot to track published hotdata SDK#146
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| allow: | ||
| - dependency-name: "hotdata" |
There was a problem hiding this comment.
This config won't track crates.io releases of the SDK as intended. In Cargo.toml:20, hotdata is a git dependency pinned to a rev:
hotdata = { git = "https://github.com/hotdata-dev/sdk-rust", rev = "1687ba2...", features = ["arrow"] }Dependabot resolves updates from a dependency's declared source, not crates.io. Since the manifest sources hotdata from git, a crates.io publish is invisible to this config — the premise in the PR description and the header comment ("when a new version is published to crates.io") doesn't hold here.
For a git dependency, Dependabot's cargo updater only advances deps that track a branch (to the latest commit) or a tag; it does not reliably bump a dependency pinned to an explicit rev. So as written this is likely to open no PRs at all. And if it did advance the rev, it would bump to arbitrary default-branch commits — which directly conflicts with the deliberately pinned rev documented in Cargo.toml (the comment there explains this exact rev is the first to carry content_length on upload_stream).
To achieve the stated goal you'd need to either (a) switch the SDK to a crates.io dependency (hotdata = "x.y"), then this config works as described, or (b) track the git source explicitly (e.g. point the dep at a branch/tag and accept that Dependabot follows git, not crates.io). Please reconcile the config with how the dependency is actually sourced.
There was a problem hiding this comment.
Review
Blocking Issues
.github/dependabot.yml: The config targetshotdata, but that dependency is sourced from git pinned to arev(Cargo.toml:20), not crates.io. Dependabot resolves updates from a dependency's declared source, so the PR's stated mechanism ("when a new version is published to crates.io") does not apply. Dependabot does not reliably bump rev-pinned Cargo git deps, so this is likely to open no PRs; and if it did, it would advance to arbitrary default-branch commits, conflicting with the deliberately pinned rev documented inCargo.toml.
Action Required
Reconcile the config with how hotdata is actually consumed. Either:
- Switch the SDK to a crates.io dependency (
hotdata = "x.y"), after which this config works as described; or - Track the git source explicitly (point the dep at a
branch/tag) and update the description/comment to reflect that Dependabot follows git, not crates.io.
zfarrell
force-pushed
the
chore/dependabot-sdk
branch
from
bb75ae1 to
f8dccc7
Compare
1 participant
Adds a Dependabot config scoped to the
hotdatacrate so achore(deps)PR is opened automatically when a new SDK version is published to crates.io. Merge after #145.