-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add dependabot to update GH Actions and Python dependencies #1380
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! @sampathweb do you know why GPU tests are not running? Would be good to check these as we are updating our requirements files.
Right now, GPU tests run when we -
|
requirements-jax-cuda.txt
Outdated
@@ -1,6 +1,6 @@ | |||
# Tensorflow cpu-only version. | |||
tf-nightly-cpu==2.16.0.dev20231109 # Pin a working nightly until rc0. | |||
tensorflow-text-nightly==2.16.0.dev20231109 # Pin a working nightly until rc0. | |||
tf-nightly-cpu==2.16.0.dev20231227 # Pin a working nightly until rc0. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to sync the nightly version across all Keras eco system - Keras, NLP and CV. Currently keras
is pinned to 11/30 and its on different schedule from dependabot. Can we sync the dependabot to update all three packages on same date? -
https://github.com/keras-team/keras/blob/master/requirements-tensorflow-cuda.txt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, this will actually help keep these in sync!
When Dependabot is configured to run monthly (as I've done for all these projects), it always runs on the 1st of each month. So all projects will receive Dependabot PRs updating these nightlies to the last day of the previous month. Assuming all projects merge those PRs, they'll always run on the same recent versions.
Note that if this PR is merged before the end of the year, you'll immediately receive a Dependabot PR updating the nightlies to the latest version, and then receive another PR soon after, on January 1st. This actually happened in /keras and momentarily confused the maintainers, since they:
- merged my PR setting up Dependabot ( Add dependabot to update GHA and Python deps keras#18834) on November 30th
- immediately got a Dependabot PR (Bump the python group with 4 updates keras#18856) updating the nightlies
- and then got another Dependabot PR (Bump the python group with 2 updates keras#18865) updating the nightlies the very next day (December 1st).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please rebase with the master since the requirements files hv been updated.
Done. |
I'm not sure why the tests are failing now... I even reverted to the currently-used nightlies to be sure... Though I see now that HEAD seems to be broken? At least yesterday's nightly failed to build: https://github.com/keras-team/keras-nlp/actions/runs/7442707323/job/20246538837 |
@pnacht - Looks like these commits are very old. Can you rebase once more? |
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
commit 1be8ca5 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Dec 27 18:43:45 2023 +0000 Bump the github-actions group with 3 updates Bumps the github-actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [actions/setup-python](https://github.com/actions/setup-python) and [actions/cache](https://github.com/actions/cache). Updates `actions/checkout` from 3 to 4 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) Updates `actions/setup-python` from 1 to 5 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v1...v5) Updates `actions/cache` from 2 to 3 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]>
5b8d82a
to
c239c7a
Compare
@sampathweb done. |
Hey, it's Pedro (see #1305 and #1319) and I'm back with another security suggestion.
This PR is identical to the ones I sent to Keras and KerasCV. It configures Dependabot to monitor the GitHub Actions used in KerasNLP's workflows, as well as its Python dependencies.
I've configured Dependabot to send a single monthly PR (every 1st of the month) updating all dependencies in each ecosystem (see the PRs in my fork: pnacht#1 and pnacht#2).
I have taken the liberty of merging those dependabot PRs into this one so you don't receive such PRs right after merging this one.
Note that Dependabot will also update the
tf-nightly
,tf-nightly-cpu
andtensorflow-text-nightly
Python dependencies to the latest nightly snapshot. This will ensure you're testing on more recent versions of these unreleased dependencies. However, if you're concerned about updating to a broken nightly (which would likely be detected by failing tests on the Dependabot PR), I can configure Dependabot to ignore those dependencies so you can update them manually if you prefer.(Following keras-team/keras#18833 (comment), I haven't sent an issue for this. Let me know if KerasNLP prefers always having an accompanying issue to discuss my contributions).