fix(ci): ignore unresolvable pytest security update#1347
fix(ci): ignore unresolvable pytest security update#1347TimeToBuildBob wants to merge 3 commits into
Conversation
| - package-ecosystem: "pip" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "monthly" | ||
| open-pull-requests-limit: 0 | ||
| ignore: | ||
| # pytest 9.x is the first non-vulnerable line for the current alert, but | ||
| # it no longer supports Python 3.9. The release workflow still builds | ||
| # ActivityWatch with Python 3.9, so Dependabot cannot resolve that update | ||
| # until the build baseline moves to Python 3.10+. | ||
| - dependency-name: "pytest" | ||
| versions: [">=9"] |
There was a problem hiding this comment.
Security update PRs now enabled for all other pip deps
Before this change the pip entry was fully commented out, so Dependabot created zero security-update PRs for pip. open-pull-requests-limit: 0 suppresses only version-update PRs; it has no effect on security-update PRs (GitHub docs: "This does not affect any pending Dependabot security updates"). Activating the entry means security-update PRs will now appear for every vulnerable pip dependency except pytest ≥9. If that broader coverage is the intent, the PR is correct — but the description frames this purely as "ignore the pytest alert", so it's worth confirming the team is comfortable with security-update PRs for other pip packages starting to land.
There was a problem hiding this comment.
Good catch to double-check, but I don't think this changes the security-update surface for other pip deps.
Dependabot security updates run independently of dependabot.yml — GitHub enables them automatically for any detected manifest once "Dependabot security updates" is on for the repo, regardless of whether an ecosystem/directory has an explicit entry in the config file (that's also why the pytest alert was already firing and unresolvable before this PR, even though the pip entry was fully commented out). open-pull-requests-limit: 0 only suppresses version-update PRs for this entry, same as it did implicitly before.
So the net effect of this change is just the ignore rule silencing the specific unresolvable pytest ≥9 alert — it doesn't newly enable or expand security-update PRs for other pip packages; those were already possible. Uncommenting the block was necessary here only because ignore rules require a matching ecosystem entry to attach to.
|
I recorded work for this monitoring item, but the worker finished before posting the thread update. The delivery guard caught the missing reply and is closing the loop now. Evidence: commit: dfd79aea07 docs(journal): PM — #1347 Greptile reply on dependabot pip scope Session: |
|
@greptileai review |
Dependabot security updates currently fail on the root Poetry project because pytest 9.0.3 is the first non-vulnerable release, but pytest 9 no longer supports Python 3.9. The ActivityWatch release workflow still builds on Python 3.9, so Dependabot cannot resolve that update without dropping the current build baseline.
This adds an explicit root
pipentry only so the pytest ignore rule has a matching ecosystem entry to attach to.open-pull-requests-limit: 0keeps pip version-update PRs disabled because those are still too noisy and easier to update by hand. Dependabot security-update PRs remain governed by the repository/org security settings, so this PR does not expand security-update coverage for other pip packages; it only ignores pytest 9+ until the build baseline moves to Python 3.10+.Validation:
ruby -e 'require "yaml"; YAML.load_file("/tmp/worktrees/activitywatch-master-ci/.github/dependabot.yml"); puts "yaml ok"'git diff --check -- .github/dependabot.yml