ci: switch back to dependabot (with custom config) (#53)

feeph · web-flow · commit 53dcd74d9bfb · 2024-08-13T10:35:47.000+02:00
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,27 @@
+---
+# enable dependabot's scanning but do not allow creation of pull requests
+# (please use 'scripts/update_dependencies' to update the dependencies)
+# 
+# - dependabot does not understand PEP-621 repositories (pyproject.toml)
+# - dependabot expects the filename to end in '<...>requirements.txt' and
+#   ignores requirements-dev.txt ('dev-requirements.txt' would work but
+#   that's kinda stupid since the requirements files are no longer grouped
+#   by name -> we should optimize for humans instead of computers)
+# - renovate supports PEP-621 but it gets confused since we provide
+#   requirements.txt which makes it ignore pyproject.toml and pdm.lock
+#
+# --> provide our own mechanism to update requirements*.txt AND pdm.lock
+
+version: 2
+
+updates:
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "13:00"
+    groups:
+      python-packages:
+        patterns:
+          - "*"
+    open-pull-requests-limit: 0
diff --git a/renovate.json b/renovate.json
diff --git a/scripts/update_dependencies b/scripts/update_dependencies
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# update Python dependencies using PDM
+# (requires `gh auth login`)
+#
+
+set -e
+set -u
+
+branch_name="fb-update-dependencies_`date +'%s'`"
+
+git stash save
+current_branch=`git branch --show-current`
+git checkout master
+git pull
+git checkout -b $branch_name
+pdm update --update-all
+git add --update
+git commit -m "chore: update dependencies (pdm update --update-all)"
+git push --set-upstream origin $branch_name
+git checkout $current_branch
+
+# restore original state
+git checkout $current_branch
+if git stash show ; then
+    git stash pop
+fi
+
+# if present: use GitHub CLI tools to create a pull request
+if command -v gh >/dev/null ; then
+    # I'm sorry but this is the best I could come up with to test if there
+    # is a label "dependencies".
+    #  - 'gh label list' limits its output to 30 tags
+    #  - '--search' will find close matches (e.g. typos) and is not reliable
+    #  - --jq='.[] | select(.name=="...")' does not indicate if there was no
+    #    result ('...|jq -e' would, but that would require jq to be installed)
+    if ! gh label list --search="dep" --json='name' --jq='.[]["name"]'|grep -q "^dependencies$" ; then
+        gh label create dependencies --color="#0366d6"
+    fi
+    gh pr create --assignee="@me" --base=master --head=$branch_name --fill --label="dependencies"
+else
+    echo "GitHub CLI tools not found. Unable to create a pull request."
+    echo "-> https://github.com/cli/cli"
+fi
