Enable dependabot updates to conda environment.yml file #152
Conversation
Currently in beta. Set update interval to monthly with cooldown of 7 days, and PR limit of 2 at a time.
|
|
|
The reviewer will need to re-lock the environment, right? Can we customize the dependabot message in any way? It'd be nice to include those instructions in the PR. From preliminary research, looks like we can't do this. |
|
We could add a workflow which adds a comment to a PR |
Yes
Only the commit message at https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message-- can be modified it seems.
Pangeo-docker-images has this workflow https://github.com/pangeo-data/pangeo-docker-images/blob/master/.github/workflows/PR.yml that automatically adds a |
Write `/condalock` command on dependabot PRs modifying environment.yml files. Adapted from https://github.com/pangeo-data/pangeo-docker-images/blob/2025.08.14/.github/workflows/PR.yml, with extra security hardening by Zizmor (e.g. https://docs.zizmor.sh/audits/#bot-conditions).
| jobs: | ||
| DeployPangeoBot: | ||
| runs-on: ubuntu-latest | ||
| if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name |
There was a problem hiding this comment.
workflow which adds a comment to a PR
if: github.actor == 'dependabot[bot]'?
Using a more secure variant here based on https://docs.zizmor.sh/audits/#bot-conditions that should help to avoid https://www.synacktiv.com/publications/github-actions-exploitation-dependabot
|
@mfisher87, ok if you take another look? |
Currently
in betareleased! Set update interval to monthly with cooldown of 7 days, and PR limit of 2 at a time.Hoping that this will alleviate the maintenance burden of keeping packages up to date, and make
~=pinning more feasible (xref #46 (comment)).See example in the wild at eqasim-org/ile-de-france@57f890d, with example update PR at eqasim-org/ile-de-france#358.
References: