Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 15 additions & 5 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,18 @@ updates:
interval: "monthly"

# Maintain dependencies for pip/poetry
# NOTE: too noisy, easier to update by hand
#- package-ecosystem: "pip"
# directory: "/"
# schedule:
# interval: "monthly"
# NOTE: version updates are too noisy and easier to update by hand.
# Security updates are still controlled by the repository security settings;
# this entry exists so Dependabot can attach the pytest ignore rule below.
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 0
ignore:
# pytest 9.x is the first non-vulnerable line for the current alert, but
# it no longer supports Python 3.9. The release workflow still builds
# ActivityWatch with Python 3.9, so Dependabot cannot resolve that update
# until the build baseline moves to Python 3.10+.
- dependency-name: "pytest"
versions: [">=9"]
Comment on lines +20 to +31

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Security update PRs now enabled for all other pip deps

Before this change the pip entry was fully commented out, so Dependabot created zero security-update PRs for pip. open-pull-requests-limit: 0 suppresses only version-update PRs; it has no effect on security-update PRs (GitHub docs: "This does not affect any pending Dependabot security updates"). Activating the entry means security-update PRs will now appear for every vulnerable pip dependency except pytest ≥9. If that broader coverage is the intent, the PR is correct — but the description frames this purely as "ignore the pytest alert", so it's worth confirming the team is comfortable with security-update PRs for other pip packages starting to land.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch to double-check, but I don't think this changes the security-update surface for other pip deps.

Dependabot security updates run independently of dependabot.yml — GitHub enables them automatically for any detected manifest once "Dependabot security updates" is on for the repo, regardless of whether an ecosystem/directory has an explicit entry in the config file (that's also why the pytest alert was already firing and unresolvable before this PR, even though the pip entry was fully commented out). open-pull-requests-limit: 0 only suppresses version-update PRs for this entry, same as it did implicitly before.

So the net effect of this change is just the ignore rule silencing the specific unresolvable pytest ≥9 alert — it doesn't newly enable or expand security-update PRs for other pip packages; those were already possible. Uncommenting the block was necessary here only because ignore rules require a matching ecosystem entry to attach to.

2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,7 @@ test:
@for module in $(TESTABLES); do \
echo "Running tests for $$module"; \
if [ -f "$$module/pyproject.toml" ]; then \
(cd $$module && poetry run make test) || { echo "Error in $$module tests"; exit 2; }; \
(cd $$module && poetry install && poetry run make test) || { echo "Error in $$module tests"; exit 2; }; \
else \
make -C $$module test || { echo "Error in $$module tests"; exit 2; }; \
fi; \
Expand Down
Loading