Pinned actions versions and add Dependabot configuration #62

Merged
bsipocz merged 6 commits into scientific-python:main from Zeitsperre:pinned-versions
Feb 3, 2026

@Zeitsperre
Contributor

Closes #61

Changes

  • Pins Actions version to their respective commit hashes according to their versions
  • Adds a Dependabot configuration to keep these commit hashes up-to-date (quarterly scheduled)
  • Adds a Python 3.14 build to CI
  • Updates and re-runs pre-commit hooks

Discussion

The action relies on pytest and more-itertools. These could also be pinned according to their hashes if we were to use pip-tools (and also updated automatically by Dependabot). I can quickly add this on if people would like.

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
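
The pinning this PR describes (each `uses:` reference fixed to a full commit hash) can be checked mechanically. The following is an added example, not code from this PR or the project; the function names, the sample workflow text and the placeholder SHA are constructed for illustration.

```python
import re

# A `uses:` value, optionally quoted, with an optional trailing comment (e.g. "# v4.2.2").
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref: str) -> str:
    """Return 'pinned', 'local' or 'mutable' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"  # same-repository action, versioned with the repo itself
    if ref.startswith("docker://"):
        # Only an image digest is immutable; a tag can be re-pushed.
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, rev = ref.rpartition("@")
    # A tag or branch (v4, main) can be moved; a full commit SHA cannot.
    # Abbreviated SHAs are not accepted here, only the full 40-character form.
    return "pinned" if sep and FULL_SHA_RE.fullmatch(rev) else "mutable"


def audit(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, status) for every `uses:` line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample; the SHA is a made-up placeholder, not a real release commit.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v6.0.0
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3.20
  - uses: some-org/some-action@abc1234
"""

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE):
        print(f"line {lineno}: {status:8} {ref}")
```

Run over a repository's workflow and `action.yml` files in CI, a non-empty list of `mutable` entries can fail the job so that an unpinned reference does not slip back in between Dependabot updates.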
Member

@bsipocz bsipocz left a comment

Thank you!

Some minor comments for the config, otherwise it looks good.

Zeitsperre and others added 2 commits February 3, 2026 22:03
Co-authored-by: Brigitta Sipőcz <b.sipocz@gmail.com>
@bsipocz bsipocz merged commit 83ab727 into scientific-python:main Feb 3, 2026
5 checks passed
@bsipocz
Member

bsipocz commented Feb 3, 2026

Thanks!

Comment on lines 43 to 47
python -m pip install pytest more-itertools
- name: produce the issue body
shell: bash -l {0}
run: |
python $GITHUB_ACTION_PATH/parse_logs.py ${{ inputs.log-path }}
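
Review bot: on the last line of this block, `${{ inputs.log-path }}` is expanded into the script text before bash runs it and is left unquoted, so a value containing spaces or shell metacharacters changes the command rather than arriving as a single argument. Suggest passing it through the step environment instead, for example `env:` with `LOG_PATH: ${{ inputs.log-path }}`, and then calling `python "$GITHUB_ACTION_PATH/parse_logs.py" "$LOG_PATH"`.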
Contributor

I'd probably use uv run for this (in a new PR). Am I correct in assuming that what you're looking for is a lock file?

Contributor Author

Yes, precisely. I'm not using uv yet, but that's what I had in mind using something like:

python -m pip install --require-hashes -r CI/requirements.txt

Contributor

@keewis keewis Feb 3, 2026

The only reason I used pip when writing this action is because that was the one I was most familiar with at the time. Considering that using uv would allow us to use a fully isolated env for this action and thus avoid clashing with the activated environment, I believe that would actually be a welcome side-effect.

@Zeitsperre
Contributor Author

Darn, it looks like the following is invalid:

update-types:
  - *

Better to simply drop that entry.

Successfully merging this pull request may close these issues.

Pin composite GitHub Action versions