[Numpy-discussion] Allowing Dependabot access to the numpy repo

Matti Picus matti.picus at gmail.com
Sun Sep 1 03:46:47 EDT 2019


Discussion has died down, I think the consensus is to use Dependabot. I 
will proceed with allowing it access.

Thanks,

Matti


On 29/8/19 12:07 pm, Nathaniel Smith wrote:
> AFAICT all these services work by creating branches inside your repo 
> and then making a PR from that – they don't make their own forks. 
> (Which makes some sense when you consider they would need tens of 
> thousands of forked repos for all the projects they work with.)
>
> I don't think there's any need to worry about giving GitHub Inc. (dba 
> Dependabot) write permissions to a GitHub repo, though.
>
> You do maybe want to set up CI so that it doesn't run on these 
> branches, since it will also run on the PRs, and running CI twice on 
> the same branch is slow and wasteful.
>
> -n
>
> On Thu, Aug 29, 2019, 01:45 Ryan May <rmay31 at gmail.com> wrote:
>
>     Hi,
>
>     The answer to why Dependabot needs write permission seems to be to
>     be able to work with private repos:
>
>     https://github.com/dependabot/feedback/issues/22
>
>     There doesn't seem to be any way around it... :(
>
>     Ryan
>
>     On Thu, Aug 29, 2019 at 12:04 AM Matti Picus
>     <matti.picus at gmail.com> wrote:
>
>         In PR 14378 https://github.com/numpy/numpy/pull/14378 I moved
>         all our python test dependencies to a test_requirements.txt
>         file (for building numpy the only requirement is cython). This
>         is worthy since it unifies the different "pip install"
>         commands across the different CI systems we use. Additionally,
>         there are services that monitor the file and will issue a PR
>         if any of those packages have a new release, so we can test
>         out new versions of dependencies in a controlled fashion.
>         Someone suggested Dependabot (thanks Ryan), which turns out to
>         be run by a company bought by github itself.
>
>
>         When signing up for the service, it asks for permissions:
>         https://pasteboard.co/IuTeWNz.png. The service is in use by
>         other projects like cpython. Does it seem OK to sign up for
>         this service?
>
>
>         Matti
>
>         _______________________________________________
>         NumPy-Discussion mailing list
>         NumPy-Discussion at python.org <mailto:NumPy-Discussion at python.org>
>         https://mail.python.org/mailman/listinfo/numpy-discussion
>
>
>
>     -- 
>     Ryan May
>
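One way to avoid the double CI run Nathaniel mentions (once for the bot's branch, once for its PR) is to trigger builds only for pull requests and for pushes to the integration branch, so a push to a Dependabot-created branch on its own starts nothing. The workflow below is an added illustration written for this thread, not configuration taken from the NumPy repository or from Dependabot; the workflow name, the `master` branch name, the action versions and the `pytest` invocation are assumptions, and `test_requirements.txt` is the file introduced in PR 14378.

```yaml
# Added example (not NumPy's own CI config): run the test suite once per
# change. Assumptions: the integration branch is "master"; Dependabot pushes
# its update branches into this repo (as described in the thread) and opens a
# PR from each one.
name: tests

on:
  push:
    branches:
      - master        # only pushes to master; a push to a bot branch alone
                      # does not match, so no duplicate run is started
  pull_request:       # every PR, Dependabot's included, is tested exactly once

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      # single source of test dependencies, shared by all CI systems
      - run: pip install -r test_requirements.txt
      - run: pip install .
      - run: pytest
```

The same effect on Travis-style configurations is a `branches` whitelist containing only the integration branch; the point in either case is that the bot's branch and its PR are not both treated as build triggers.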

