ci: add automated dependency version checking and Dependabot config #1404
Open
Danyal-Faheem wants to merge 3 commits into
I recognized this issue after seeing #1400. Thought it would be a good contribution.
Two new automation files that keep Tutor's third-party dependencies up to date without manual tracking.

check-dependencies.yml — a scheduled workflow (every Monday at 9 AM UTC) that checks whether the Docker images pinned in tutor/templates/config/defaults.yml are up to date within their designated version cycle. For each outdated image it opens a separate PR that updates the version string via gha-find-replace and adds a scriv changelog entry. The version cycle for each dependency is encoded in a strategy matrix, so bumping to a new cycle (e.g. MySQL 8.4 → 9.x) is a deliberate one-line edit to the matrix rather than an automated decision. Major-version upgrades that require migration code remain manual. Tracked dependencies: Caddy 2.x, MySQL 8.4.x, MongoDB 7.0.x, Redis 7.4.x.

Sample outputs from the action for the current release branch are here:
https://github.com/Danyal-Faheem/tutor/pulls/app%2Fgithub-actions

dependabot.yml — enables Dependabot for three ecosystems on a weekly schedule: github-actions (keeps workflow action pins current), docker (tracks base images in Dockerfiles under tutor/templates/build/openedx and tutor/templates/build/permissions), and pip (tracks Python requirements under requirements/).

Sample outputs from the action for the current release branch are here:
https://github.com/Danyal-Faheem/tutor/pulls/app%2Fdependabot

I see this would also resolve #1398.

Python and Node.js versions in tutor/templates/build/openedx/Dockerfile are intentionally excluded: those are controlled by upstream OpenEdX and must not be bumped independently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
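As an added illustration (not code from this PR or from Tutor) of the "within the designated version cycle" rule the workflow description relies on, here is the selection logic in Python, run over constructed tag lists so it works offline. The matrix keys, sample tags and function names are assumptions; the point is that the job only ever proposes a bump inside the cycle and refuses to act when the pin itself sits outside it.

```python
import re

# Constructed stand-in for the workflow's strategy matrix (names assumed, not
# copied from the PR): one entry per tracked image and the version cycle the
# automation is allowed to move within.
MATRIX = {"caddy": "2", "mysql": "8.4", "mongo": "7.0", "redis": "7.4"}

# Constructed sample of tags as a registry might list them, including noise.
SAMPLE_TAGS = ["8.4.5", "8.4.7", "8.40.1", "9.0.1", "latest", "8.4.7-debian"]

VERSION_RE = re.compile(r"^\d+(?:\.\d+){0,2}$")


def parse_version(tag):
    """Int tuple for a plain numeric tag; None for 'latest', '-debian', rc
    builds etc., so non-release tags can never be selected for a bump."""
    if not VERSION_RE.match(tag):
        return None
    return tuple(int(p) for p in tag.split("."))


def in_cycle(version, cycle):
    """Component-wise prefix test: cycle '8.4' matches 8.4.7 but not 8.40.1."""
    wanted = tuple(int(p) for p in cycle.split("."))
    return version[: len(wanted)] == wanted


def latest_in_cycle(tags, cycle):
    """Newest release tag inside the cycle, or None if nothing qualifies."""
    found = [(parse_version(t), t) for t in tags]
    found = [(v, t) for v, t in found if v is not None and in_cycle(v, cycle)]
    return max(found)[1] if found else None


def plan_update(pinned, tags, cycle):
    """Decision for one image: (new_tag, reason). new_tag is None when the
    job should not open a PR, including when the pin itself is outside the
    cycle, which is the case left to a deliberate matrix edit."""
    newest = latest_in_cycle(tags, cycle)
    if newest is None:
        return None, "no release tag in cycle"
    cur = parse_version(pinned)
    if cur is None or not in_cycle(cur, cycle):
        return None, "pinned version outside cycle; edit the matrix manually"
    if parse_version(newest) <= cur:
        return None, "already current"
    return newest, f"bump {pinned} -> {newest} within cycle {cycle}.x"


if __name__ == "__main__":
    print(plan_update("8.4.5", SAMPLE_TAGS, MATRIX["mysql"]))
```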