feat: Add contents about dependabot to guide
Is the content of dependabot necessary for this guide? When managing Python packages, the dependabot configuration is very important for making the package robust.
@tkoyama010 it could be worth bringing this up in our packaging channel in Slack and linking to this issue. See what others think and we can decide together here! I recently started using it, thanks to @pllim, and I see the value in it!! If others agree, then I think we should add a section on it to the guide.
@all-contributors please add @tkoyama010 for idea
Dependabot is a great tool for keeping dependencies up-to-date! Not only for getting the "greatest and latest" but also for checking if your range of versions is also admitting vulnerable versions (reported by security advisories). It's great you're planning on adding it!
I think it would be great if we restructured the guides a bit to be able to give all the supplemental topics like this a home. I had made a prior pitch on this before: https://github.com/pyOpenSci/pyopensci.github.io/issues/441#issuecomment-2221840108
The "python packaging guide" already has stuff about tests and docs and whatnot, which are certainly related to packaging, as is stuff like dependabot, but i think that as we want to add more and more (which is great!) it will start to get strained and hard to navigate.
I also think it would be great to make room for things that are halfway between a blog post and an authoritative guide (i think i mentioned this in the slack? can't find it now), where e.g. if someone really loves dependabot they can contribute a guide for it and have it tagged as being "guide from this person" and not have to worry so much about "does this belong in an authoritative guide."
So currently our section on CI is relatively sparse: https://www.pyopensci.org/python-package-guide/tests/tests-ci.html
and it's designed to be guide-like, read in series with the rest of the documents (which is also great!). It might be nice to have some toctree like this
guide
  packaging
    ...
  documentation
    ...
  tests
    ...
    ci -> /ci/intro
    ...
ci
  intro
  workflow_syntax
  actions
    ...
    dependabot
    ...
where we have narrative documentation part as in the guide, but then we can have arbitrary n subpages within actions that are like "here are some useful actions, this isn't part of the linear progression of the guide if you are following it, but it's a standalone reference you may encounter as you follow the guide or use independently"
@all-contributors please add @sneakers-the-rat for ideas
I think that we should add dependabot to the guide. It relates to security among other things.
We could consider using the diataxis framework to broadly organize content and then maybe follow @sneakers-the-rat's suggestions for other sub-content. I'm super open to this - what can I do to support making things better? I am happy to help where I can; there is just a lot of work to do!! ✨