Adding Dependabot

[Mariatta]

I'd like to add dependabot to our projects.

• miss-islington
• bedevere
• the-knights-who-say-ni
• blurb-it
• pythondotorg

Example PR by dependabot: python/miss-islington#232

• Add dependabot-preview[bot] to the list of trusted users in our Heroku instance of the-knights-who-say-ni

Uninstall pyup-io:

• miss-islington
• bedevere
• the-knights-who-say-ni
• blurb-it
• pythondotorg

[brettcannon]

SGTM

[webknjaz]

FTR GitHub has acquired Dependabot and they are integrating things into GitHub itself.

[Mariatta]

@encukou I'm having trouble removing pyup.io integration from miss-islington. When I logged in to
https://pyup.io/account/repos/github/python/miss-islington/, it says that the integration was added by you, so I couldn't remove it.

Can you remove pyup.io integration for python/miss-islington?

Thanks

[Mariatta]

Strange, it is the same problem for blurb-it 🤔

[encukou]

Hmmm. I don't remember doing that, but here we are :)
I've removed pyup.io integration from miss-islington and blurb-it.
The integration is also set up for core-workflow (added by me), bedevere and the-knights-who-say-ni (both added by @brettcannon).
Should I remove pyup.io from core-workflow as well?

[Mariatta]

Thanks. Hmm technically pyup.io is useless in core-workflow, there is no requirements text or anything like that. Might as well remove it

[brettcannon]

If I need to remove anything just let me know.

[Mariatta]

If I need to remove anything just let me know.

I've requested dependabot to be added to bedevere and the-knights-who-say-ni. I don't have the right permission to add it directly.
Once we've added dependabot to those repos, we can remove pyup.io

[Mariatta]

Update: I requested automerge feature from dependabot (in closed beta), and it's been enabled for Python org. 🥳

[brettcannon]

Yeah, turns out I don't have admin access anymore either.

[Mariatta]

@ewdurbin can you look into installing dependabot to bedevere and the-knights-who-say-ni? Thanks.

[ewdurbin]

@Mariatta I've reviewed and approved all pending installations for dependabot.

[Mariatta]

Thanks @ewdurbin. @brettcannon if you can remove pyup from bedevere and the-knights-who-say-ni, then I think this issue can be closed. Thanks.

[brettcannon]

@Mariatta I can't as I lack admin access.

@ewdurbin could you remove pyup from https://github.com/python/bedevere and https://github.com/python/the-knights-who-say-ni?

[ewdurbin]

Done. All I could find was web hooks configured to notify pyup. Those have been removed.

[Mariatta]

Seems like we still don't have dependabot in bedevere and the-knights-who-say-ni 😥
I had to manually merge the PRs from pyup.io.
python/the-knights-who-say-ni#183
python/bedevere#177

[ewdurbin]

re Dependabot: I didn't realize we needed to do anything on the Dependabot side, that's been done and initial PRs should be opened soon.

re pyup: It's not clear to me how to further disable it.

[ewdurbin]

scratch that, found those two repos in pyup.io but still can't figure out how to disable new update PRs

[Mariatta]

Thanks! I saw the incoming PRs from dependabot 🚀

[brettcannon]

I logged into pyup.io and removed the repos explicitly so that should take care of that. I guess as long as the integrations are removed so they don't have access and we are all good?