ci: switch from dependabot to renovate#1075
Conversation
Signed-off-by: Niels Pardon <par@zurich.ibm.com>
|
Thanks @nielspardon. Can we include a description in the PR body for why we should switch from dependabot to renovate? I think it has something to do with how dependabot interacts with pixi but it would be great to have it in writing somewhere so we can reference it in the future if something comes up. Thank you! |
|
updated the description. let me know if the description looks good for you. |
| @@ -16,8 +16,11 @@ jobs: | |||
| echo 'module.exports = { | |||
| // Workaround for https://github.com/dependabot/dependabot-core/issues/5923 | |||
There was a problem hiding this comment.
Is this comment still relevant if we no longer use dependabot?
There was a problem hiding this comment.
Is there a way to validate that this works before merging?
There was a problem hiding this comment.
I've been testing this on my private fork and I found that the current pixi support for Renovate is only covering the direct Pixi dependencies in [tool.pixi.dependencies] e.g. NodeJS which when it does update the version also updates the pixi.lock file: https://github.com/nielspardon/substrait/pull/5/changes
When it updates one of the dependencies in the dev dependency group in [dependency-groups] it does not update those using the Pixi manager and Renovate thus also not updating the pixi.lock file currently: https://github.com/nielspardon/substrait/pull/7/changes
There was a problem hiding this comment.
I logged a feature request with Renovate to help us fix this gap: renovatebot/renovate#43260
There was a problem hiding this comment.
FYI: Renovate also supports postUpgradeTasks if you are hosting it yourself. When using the hosted one with the Github App it does not allow custom commands for security reasons.
There was a problem hiding this comment.
Thanks for investigating. Hopefully we can figure out something that will work for our setup.
There was a problem hiding this comment.
I opened a PR to fix renovate for pixi lock file updates: renovatebot/renovate#44004
There was a problem hiding this comment.
do we need dependency groups? in our case, what's the difference between dependencies and a dev dependency group? isn't the whole thing a single dev environment anyway?
There was a problem hiding this comment.
maybe we should discuss this in a separate issue. feels unrelated to switching from dependabot to renovate.
There was a problem hiding this comment.
yeah, just a possible shortcut 😆 doesn't really matter though if the issue is being addressed in renovate anyway
There was a problem hiding this comment.
The issue with Renovate is not caused by the dependencies being in a dependency group. We would have the same issue if they were regular Python dependencies in [project.dependencies] in pyproject.toml. The issue is that the pixi support in Renovate today would only update the pixi.lock file when suggesting a dependency update in pixi.toml or in [tool.pixi.dependencies] in pyproject.toml. This is better than dependabot which has no pixi support at all but wouldn't help since we are using pyproject.toml in this repo and no pixi.toml.
The PR I opened in Renovate which got one approval already makes sure the pixi.lock file gets updated when Python dependencies in pyproject.toml (outside of [tool.pixi.dependencies]) get bumped including dependency groups.
Whether we should declare the dependencies as project dependencies or in a dev dependency group is orthogonal in my opinion.
We are currently using dependabot which has a very limited feature set, for example it can not handle managing a
pixi.lockfile as demonstrated in https://github.com/substrait-io/substrait/actions/runs/25411815587/job/74535026421?pr=1072Renovate is also free to use and a much more powerful dependency auto update tool compared to dependabot. It can handle
pixi.lockfiles out of the box among other things like e.g. it could also be used to update Git submodules to tags instead of just the latest commit (https://docs.renovatebot.com/modules/manager/git-submodules/#updating-to-specific-tag-values).It gives a more flexibility and helps to address the issue with dependabot not handling the
pixi.lockfile properly.renovate.jsonconfig file configuring semantic commits as the commit style for Renovate and the commit type asbuildand scope asdepsto match the dependabot style following: https://docs.renovatebot.com/configuration-options/#semanticcommitscopedependabot.ymlconfiguration file to disable dependabot.This change is