ci(dependabot): prevent python version drift & auto-orchestrate updates#5
gildesmarais merged 4 commits into main from
Implement dynamic python-version extraction in CI workflow by parsing the Dockerfile FROM instruction. This ensures the unit test environment always matches the container runtime without manual intervention.
Add a dedicated workflow to enable GitHub's native auto-merge feature for Dependabot PRs. This allows dependencies that pass CI to be merged automatically, reducing manual maintenance overhead.
Align all Dependabot ecosystems (pip, docker, actions) to trigger weekly on Mondays at 05:00 UTC. Enable update grouping and rebase strategy to minimize PR noise and ensure a streamlined update cycle.
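The description above refers to extracting the Python version from the Dockerfile's FROM instruction. As an added example (not the PR's own step or the repository's code), the shell function below does that extraction and, going one step beyond the PR's one-liner, refuses any result that is not a major.minor version, so a Dockerfile whose tag has changed shape fails the step with a clear message instead of reaching setup-python. The function name and the Dockerfile contents it runs against are constructed for this demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own CI step: extract the Python major.minor tag
# from the first "FROM python:" line of a Dockerfile and validate it before it
# is handed to setup-python. The function name is an assumption for this demo.
set -eu

# Prints the major.minor version (e.g. 3.14) on stdout and returns 0.
# Returns 1 with a message on stderr when there is no "FROM python:" line
# or when its tag is not of the form <major>.<minor>.
extract_python_version() {
  local dockerfile="$1"
  local line version
  # grep exits 1 on no match; "|| true" keeps set -e from aborting here so
  # the function can report the problem itself.
  line=$(grep -m 1 '^FROM python:' "$dockerfile" || true)
  if [ -z "$line" ]; then
    echo "Error: no 'FROM python:' line found in $dockerfile" >&2
    return 1
  fi
  # -n with the /p flag prints only on a successful substitution, so a tag
  # like "3-slim" (major only) yields an empty string rather than the raw
  # line, which a plain "sed -E 's/.../\1/'" would pass through unchanged.
  version=$(printf '%s\n' "$line" | sed -nE 's/^FROM python:([0-9]+\.[0-9]+).*/\1/p')
  # Belt and braces: accept only digits.digits before anything is emitted.
  if ! printf '%s' "$version" | grep -qE '^[0-9]+\.[0-9]+$'; then
    echo "Error: expected 'FROM python:<major>.<minor>-...', got: $line" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

# Demonstration on constructed Dockerfiles written to temporary files.
demo() {
  local good bad
  good=$(mktemp); bad=$(mktemp)
  printf 'FROM python:3.14-slim AS build\nRUN pip install --no-cache-dir .\n' > "$good"
  printf 'FROM python:3-slim\n' > "$bad"
  extract_python_version "$good"                    # prints 3.14
  if extract_python_version "$bad" 2>/dev/null; then
    echo "unexpected: major-only tag accepted" >&2
  else
    echo "major-only tag rejected, as intended"
  fi
  rm -f "$good" "$bad"
}
demo
```

In a workflow step, call the function and only then append the value with `echo "version=$VERSION" >> "$GITHUB_OUTPUT"`; because the function exits non-zero on a malformed tag, the step fails at the point of extraction rather than later in setup-python.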
Pull request overview
This PR updates dependency automation and CI so the repo’s dependency updates are more frequent/automated and CI’s Python version stays consistent with the Docker image.
Changes:
- Adjust Dependabot to run weekly with higher PR limits and updated grouping.
- Add a workflow to enable auto-merge on Dependabot PRs.
- Update CI to extract the Python version from Dockerfile and use it for setup-python.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | Moves Dependabot schedules to weekly and updates grouping/limits for faster dependency upkeep. |
| .github/workflows/dependabot-automerge.yml | Introduces auto-merge enablement for Dependabot PRs via GitHub CLI. |
| .github/workflows/ci.yml | Derives Python version from Dockerfile to prevent CI/image version drift. |
| id: get-version | ||
| run: | | ||
| # Extract version like "3.14" from "FROM python:3.14-slim..." | ||
| VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/') |
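Review bot: the anchor `^FROM python:` silently misses two valid spellings of the same instruction, `FROM --platform=... python:3.14-slim` (platform flag before the image) and a lowercase `from python:...` (Dockerfile instructions are case-insensitive), in which case grep returns nothing and VERSION is empty with no indication of why. Either accept those forms in the pattern (for example `grep -m 1 -iE '^FROM( --platform=[^ ]+)? python:'` with the sed expression adjusted to match) or document that the Dockerfile must keep exactly the `FROM python:<major>.<minor>-...` shape the comment on this line describes.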
The Dockerfile parsing step can produce an empty VERSION (e.g., if the FROM python: line changes format), which then causes a confusing failure later in setup-python. Add an explicit validation that VERSION is non-empty (and ideally print a clear error and exit non-zero) before writing to $GITHUB_OUTPUT.
| VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/') | |
| VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/') | |
| if [ -z "$VERSION" ]; then | |
| echo "Error: Failed to extract Python version from Dockerfile. Expected a line like 'FROM python:<major>.<minor>-...'" >&2 | |
| exit 1 | |
| fi |
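Review bot: the `-z "$VERSION"` check does not cover the case where the line matches grep but not the sed pattern, such as `FROM python:3-slim` (major-only tag): sed prints an unmatched line unchanged, so VERSION becomes the literal `FROM python:3-slim`, which is non-empty and would still be written to $GITHUB_OUTPUT and passed to setup-python. Use `sed -nE 's/^FROM python:([0-9]+\.[0-9]+).*/\1/p'` so that a non-match yields an empty string, or additionally test the result against `^[0-9]+\.[0-9]+$` before the `if` on this line.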
| outputs: | ||
| python-version: ${{ steps.get-version.outputs.version }} |
unit-tests.outputs.python-version is defined but not consumed by any downstream job/workflow. If nothing uses this output, consider removing it to avoid confusion (or add a consumer via needs.unit-tests.outputs.python-version).
| outputs: | |
| python-version: ${{ steps.get-version.outputs.version }} |
| on: pull_request | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write |
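Review bot: `contents: write` and `pull-requests: write` are declared at the workflow level here, so they apply to every job this file has or later gains; since the only action this workflow needs is `gh pr merge --auto` on the Dependabot PR, declare the permissions on that single job and keep it gated to `github.actor == 'dependabot[bot]'` so a PR from any other actor cannot reach the merge step with a write-capable token. If the trigger is changed to `pull_request_target` to obtain those permissions, that guard plus never checking out the PR head are what keep untrusted PR content away from the token, so both should be kept in the same change.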
This workflow uses on: pull_request, but Dependabot-triggered workflows commonly receive a read-only GITHUB_TOKEN on pull_request, which will prevent gh pr merge --auto ... from enabling auto-merge/merging. Consider switching to pull_request_target (and keep the strict dependabot[bot] guard and avoid checking out PR code) so the token can have the write permissions you’ve declared.
- Add validation to Python version extraction in ci.yml
- Remove unused python-version job output in ci.yml
- Switch automerge trigger to pull_request_target for write permissions
This pull request updates the repository's dependency management and CI workflows to improve automation and keep dependencies more up-to-date. The main changes include configuring Dependabot to check for updates more frequently, increasing the number of open PRs, grouping dependency updates differently, and introducing automatic merging of Dependabot PRs. Additionally, the CI workflow now dynamically sets the Python version based on the Dockerfile.

Dependabot configuration improvements:
- pip, github-actions, and docker dependencies in .github/dependabot.yml: update schedule changed from monthly to weekly (Mondays at 05:00), open pull request limit increased from 1 to 10, branch merge strategy switched to "rebase", and dependency groups renamed for clarity.

Automation enhancements:
- Added .github/workflows/dependabot-automerge.yml to automatically enable auto-merge for Dependabot pull requests, streamlining dependency updates.

Continuous Integration (CI) improvements:
- Updated .github/workflows/ci.yml to dynamically extract the Python version from the Dockerfile and use it when setting up Python, ensuring consistency between the CI environment and the Docker image.