Switch from pyup to Dependabot
Component: Tree Management :: Treeherder (enhancement, P1)
Tracking: Not tracked
Reporter: emorley; Assigned: emorley
Attachments: 2 files
Since:
- pyup does not appear to be actively maintained (e.g. we had to chase multiple times a few months ago to get the corrupt cache reset)
- dependabot is a GitHub app rather than a legacy OAuth app, so it avoids the security issues of having to run it under a dedicated service account with a user-scoped token
- dependabot supports setting a reviewer when opening a PR (unlike pyup)
- dependabot supports some of the emerging/more modern package management tools like Poetry
- dependabot also supports updating other types of dependencies, so perhaps could replace Renovate for JS deps in the future
- dependabot is now used by several other Mozilla projects who were formerly using pyup
Comment 1•6 years ago
Comment 2•6 years ago
Comment 3•6 years ago
The Dependabot GitHub app was activated via:
https://github.com/apps/dependabot/installations/new
Configs landed in:
https://github.com/mozilla/treeherder/commit/b1b3ebfa11114b10bbbb6899e2423449271064a8
https://github.com/mozilla/treeherder/commit/9d0c77620f8b5ea77f2acb84e66bd499c7551c5d
I've set Cameron as the default reviewer of these Python dep PRs, and will separately update the Renovate config to make Sarah the reviewer of the JS deps (per our chat the other day). Let me know if you'd prefer something different.
I've removed all of the old pyup webhooks/custom service user etc.
Dependabot doesn't seem to be accepting the ignored version ranges, even after switching them around. I've filed:
https://github.com/dependabot/feedback/issues/359
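For readers who want to see what the two settings mentioned above (a default reviewer on the Python dependency PRs, and an ignored version range) look like in a Dependabot configuration, here is an added illustrative example. It is not the configuration landed in the Treeherder commits above: it uses the current `.github/dependabot.yml` v2 schema, which postdates this bug, and the reviewer handles, package name and version range are placeholders. The `npm` block is included only to show that the same file can also cover the JS dependencies that comment 0 suggests could move off Renovate later.

```yaml
# .github/dependabot.yml -- illustrative example, not Treeherder's landed config.
# Dependabot runs as a GitHub App installation, so no dedicated service account
# or user-scoped OAuth token is needed; permissions are granted per repository.
version: 2
updates:
  # Python dependencies (pip/requirements files) in the repository root.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Default reviewer requested on every Python dependency PR (placeholder handle).
    reviewers:
      - "python-reviewer-handle"
    # Skip a version range for one dependency (placeholder package name and range).
    ignore:
      - dependency-name: "example-package"
        versions: [">= 3.0"]

  # JS dependencies; shown only to illustrate covering both ecosystems in one file.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Separate default reviewer for JS dependency PRs (placeholder handle).
    reviewers:
      - "js-reviewer-handle"
```

When checking a config like this, confirm that a PR for the ignored package is not opened for the excluded range; if it is, the `dependency-name` spelling or the `versions` requirement syntax is the first thing to verify, since that was the symptom reported in the feedback issue above.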
Comment 4•6 years ago
All sorted now :-)
Updated•4 years ago