From 00297a2e46bc341bc3a4626ff7e0f7f42f27396f Mon Sep 17 00:00:00 2001 From: Genevieve Buckley <30920819+GenevieveBuckley@users.noreply.github.com> Date: Thu, 6 Jun 2024 17:07:29 +1000 Subject: [PATCH] Dependabot for plugin template and child plugins (#184) * Dependabot config for plugin template and new child plugins * Add docs about how to enable Dependabot in your github settings * Set dependabot interval to longest possible, i.e. monthly * Add dependabot question to cookiecutter, remove files if option is not requested * Add documentation about the dependabot config option * Fix typo --- .github/dependabot.yml | 13 +++++++++++++ PROMPTS.md | 16 ++++++++++++++++ README.md | 6 ++++++ cookiecutter.json | 1 + hooks/post_gen_project.py | 4 ++++ .../.github/dependabot.yml | 15 +++++++++++++++ 6 files changed, 55 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 {{cookiecutter.plugin_name}}/.github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..9742139 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +# Dependabot configuration +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-github-dependabot-version-updates +# https://til.simonwillison.net/github/dependabot-python-setup +version: 2 +updates: +- package-ecosystem: pip + directory: "/" + schedule: + interval: monthly + groups: + python-packages: + patterns: + - "*" \ No newline at end of file diff --git a/PROMPTS.md b/PROMPTS.md index 08e2c01..794aa3d 100644 --- a/PROMPTS.md +++ b/PROMPTS.md 
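Review bot: The new `.github/dependabot.yml` registers only the `pip` ecosystem for `/`, so any GitHub Actions workflows this repository runs keep whatever action versions they pin and Dependabot will never propose bumping them; the same gap exists in the template copy at `{{cookiecutter.plugin_name}}/.github/dependabot.yml` added later in this patch. If the repository (or a generated plugin) has workflows under `.github/workflows`, add a second entry: `- package-ecosystem: github-actions` / `  directory: "/"` / `  schedule: {interval: monthly}`. The `pip` entry also only produces updates if a manifest Dependabot understands (e.g. `pyproject.toml` or a `requirements*.txt`) exists at `/`, which is worth confirming for the template repository itself rather than just for generated plugins. The file ends without a trailing newline (`\ No newline at end of file`).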
@@ -143,6 +143,22 @@ In order to use this option, you must run `git init` once in your package's root directory. ``` +## install_precommit + +The default for this prompt is `"n"`. + +If you choose "y" for this prompt, then [pre-commit](ttps://pre-commit.com/) will be installed. +Among other things, it includes checks for code linting and best practices in napari plugins. + +## install_dependabot + +The default for this prompt is `"n"`. + +If you choose "y" for this prompt, then a [Dependabot](https://docs.github.com/en/code-security/dependabot) configuration file will be created at `.github/dependabot.yml`. + +You will still need to enable Dependabot in your github settings, [see the instructions at this link](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). + + ## license This prompt allows you to choose from a variety of open source licensing options diff --git a/README.md b/README.md index b76cbb0..b08254e 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,12 @@ pre-commit install You can also have these checks run automatically for you when you push to github by installing [pre-commit ci](https://pre-commit.ci/) on your repository. +## Dependabot + +This template also includes a default yaml configuration for [Dependabot](https://docs.github.com/en/code-security/dependabot). This can help you check for security updates to easily update vulnerable dependencies. + +You will still need to enable Dependabot in your github settings, [see the instructions at this link](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories). Your Dependabot configuration file is located at `.github/dependabot.yml`. + ## Features - Installable [PyPI] package 
diff --git a/cookiecutter.json b/cookiecutter.json index c0e80f1..4ffc834 100644 --- a/cookiecutter.json +++ b/cookiecutter.json @@ -13,6 +13,7 @@ "include_widget_plugin": "y", "use_git_tags_for_versioning": "n", "install_precommit": "n", + "install_dependabot": "n", "license": [ "BSD-3", "MIT", diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py index 7bc2ee8..218cb18 100644 --- a/hooks/post_gen_project.py +++ b/hooks/post_gen_project.py @@ -32,6 +32,10 @@ def remove_unrequested_plugin_examples(): remove_file(f"src/{module}/_{name}.py") remove_file(f"src/{module}/_tests/test_{name}.py") logger.debug(f"removing {module}/_{name}.py") + # remove dependabot config if unrequested + {% elif key.startswith("install_dependabot") and value != 'y' %} + remove_file(".github/dependabot.yml") + logger.debug("removing .github/dependabot.yml") {% endif %} {% endfor %} diff --git a/{{cookiecutter.plugin_name}}/.github/dependabot.yml b/{{cookiecutter.plugin_name}}/.github/dependabot.yml new file mode 100644 index 0000000..0946bd1 --- /dev/null +++ b/{{cookiecutter.plugin_name}}/.github/dependabot.yml @@ -0,0 +1,15 @@ +# Dependabot configuration +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-github-dependabot-version-updates +# https://til.simonwillison.net/github/dependabot-python-setup +{% raw %} +version: 2 +updates: +- package-ecosystem: pip + directory: "/" + schedule: + interval: monthly + groups: + python-packages: + patterns: + - "*" +{% endraw %} \ No newline at end of file
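Review bot: The new `{% elif %}` branch removes the Dependabot config inside `remove_unrequested_plugin_examples`, whose name no longer describes what it does; the function and the `{% if %}` head this `elif` attaches to start outside the hunk, so the loop it sits in is not visible here. Either give the function a docstring that covers the extra duty, e.g. `"""Remove unrequested plugin examples and optional files (dependabot config) from the generated project."""`, or move the removal into its own small function called from the hook's entry point. The Python comment `# remove dependabot config if unrequested` is placed before the `{% elif %}`, so at render time it lands at the end of the preceding branch's body; putting it after the `{% elif %}` line keeps it next to the statement it describes. If `.github/dependabot.yml` is the only file under `.github` in the template, `remove_file` (presumably a file-only helper) leaves an empty `.github` directory behind, which is worth checking against the template tree.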
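Review bot: The header comment links the version-updates documentation, while the README and PROMPTS text added in this commit present the file as the way to get security updates and link the security-updates page; the `updates:` block here schedules version updates, and Dependabot security updates are switched on in the repository's settings independently of this file. A comment after the two links, e.g. `# Schedules dependency version updates; Dependabot security updates are enabled separately in the repository's security settings.`, would stop generated projects from expecting one mechanism to do the other's job. The `{% raw %}`/`{% endraw %}` wrapper is not needed because the YAML contains no Jinja delimiters, and unless cookiecutter's Jinja environment trims block lines it leaves a blank line where `{% raw %}` stood; `{% endraw %}` also has no trailing newline (`\ No newline at end of file`), so the rendered file will end without one.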