Zero-to-jupyterhub-k8s: Automate updating image dependencies

Created on 24 Aug 2020 · 4 Comments · Source: jupyterhub/zero-to-jupyterhub-k8s

As mentioned in #1752 by @jgwerner, it could be cool/convenient to automate PRs bumping the requirements in the hub image, either with a GitHub action or dependabot config.

We have started using pip-tools (with some wrapping to run it inside our image to ensure equivalence) for the hub image, but we could probably drop the wrapper if we ran pip-compile in CI or via dependabot. Dependabot does support pip-compile so this might be pretty simple!

good first issue help wanted maintenance

All 4 comments

Thanks for the mention @minrk - we could give a go at this if you'd like!

Thanks for the summary @minrk!

Related to this kind of work is automated scanning of dependencies that may have become outdated etc. Perhaps this work could be a building block to be triggered by an automated security scan as well. I don't yet understand fully what dependabot triggers on etc.

https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/1712

@jgwerner feel free to ping me for review of the dependabot work, I'm interested in learning about it!

@consideRatio we will do our best to send a POC PR this week to test this integration and will ping you for sure 👍

@consideRatio @minrk apologies for taking so long to get back to this!

I held back a bit since GH was transitioning the Dependabot to a more native configuration yaml. We have been testing the service in our org and the bot does pick up on the python dependency updates quite well. Since you are using pip-compile and the source packages are managed in *.in files I believe (it's possible that I'm still not understanding these options in particular) this setup would need to set the versioning-strategy to lockfile-only.

I submitted #1844 for review, let me know if you would like me to update any of the settings.
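
A Dependabot configuration along the lines described in the comment above, as an added example and not the contents of #1844. The directory path and the weekly schedule are assumptions; `versioning-strategy: lockfile-only` is the setting the comment names.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "pip"
    # Assumed location of the hub image's requirements.in / requirements.txt
    directory: "/images/hub"
    schedule:
      interval: "weekly"   # assumed cadence
    # Only regenerate the pip-compile output (requirements.txt);
    # leave the version constraints in the *.in files untouched.
    versioning-strategy: lockfile-only
```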
