Add dependabot to update GH Actions and Python dependencies #1380

Merged: 2 commits, Feb 15, 2024

Contributor

@pnacht pnacht commented Dec 27, 2023

Hey, it's Pedro (see #1305 and #1319) and I'm back with another security suggestion.

This PR is identical to the ones I sent to Keras and KerasCV. It configures Dependabot to monitor the GitHub Actions used in KerasNLP's workflows, as well as its Python dependencies.

I've configured Dependabot to send a single monthly PR (every 1st of the month) updating all dependencies in each ecosystem (see the PRs in my fork: pnacht#1 and pnacht#2).

I have taken the liberty of merging those dependabot PRs into this one so you don't receive such PRs right after merging this one.

Note that Dependabot will also update the tf-nightly, tf-nightly-cpu and tensorflow-text-nightly Python dependencies to the latest nightly snapshot. This will ensure you're testing on more recent versions of these unreleased dependencies. However, if you're concerned about updating to a broken nightly (which would likely be detected by failing tests on the Dependabot PR), I can configure Dependabot to ignore those dependencies so you can update them manually if you prefer.

(Following keras-team/keras#18833 (comment), I haven't sent an issue for this. Let me know if KerasNLP prefers always having an accompanying issue to discuss my contributions).
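
An example `.github/dependabot.yml` matching the description above, added here for illustration; it is not the file from this PR, which the page does not show. The `directory` values, the `python` group name and the `ignore` entries are assumptions; the `github-actions` group name matches the `dependency-group` in the Dependabot commit quoted later in the thread.

```yaml
# Constructed example, not the PR's actual configuration.
version: 2
updates:
  # Workflow actions referenced under .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"              # assumed: workflows live in the default location
    schedule:
      interval: "monthly"       # monthly runs happen on the 1st of each month
    groups:
      github-actions:           # one PR for every action update
        patterns:
          - "*"

  # Python requirements files
  - package-ecosystem: "pip"
    directory: "/"              # assumed: requirements*.txt sit at the repo root
    schedule:
      interval: "monthly"
    groups:
      python:                   # assumed group name; one PR for all Python bumps
        patterns:
          - "*"
    # Optional alternative offered in the description: leave the nightly
    # pins out of automated updates and bump them by hand.
    ignore:
      - dependency-name: "tf-nightly*"
      - dependency-name: "tensorflow-text-nightly"
```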

Member

@mattdangerw mattdangerw left a comment

LGTM! @sampathweb do you know why GPU tests are not running? Would be good to check these as we are updating our requirements files.

@sampathweb sampathweb added the kokoro:force-run Runs Tests on GPU label Dec 28, 2023
@sampathweb
Collaborator

> LGTM! @sampathweb do you know why GPU tests are not running? Would be good to check these as we are updating our requirements files.

Right now, GPU tests run when we -

  • Add "Kokoro-force-run" label manually. I just did for this PR so it should run.
  • When we merge the PR to master (Runs on master branch automatically on the merged commit).

I have a pending activity to add this tag (via a GH Action) automatically on PR approval. But have not done it so far. I will look into it.

@@ -1,6 +1,6 @@
# Tensorflow cpu-only version.
tf-nightly-cpu==2.16.0.dev20231109 # Pin a working nightly until rc0.
tensorflow-text-nightly==2.16.0.dev20231109 # Pin a working nightly until rc0.
tf-nightly-cpu==2.16.0.dev20231227 # Pin a working nightly until rc0.
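
Review bot: the visible part of this hunk bumps `tf-nightly-cpu` to `2.16.0.dev20231227` but ends before any replacement for the removed `tensorflow-text-nightly==2.16.0.dev20231109` line, so confirm both pins land on the same nightly date, as they did before. The trailing comment "Pin a working nightly until rc0" also no longer describes a hand-picked pin once Dependabot bumps it monthly; either reword it or state that the PR's test run (including the GPU job) is the gate for each bump.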
Collaborator

Is it possible to sync the nightly version across the whole Keras ecosystem - Keras, NLP and CV? Currently keras is pinned to 11/30 and it's on a different schedule from dependabot. Can we sync the dependabot to update all three packages on the same date? -
https://github.com/keras-team/keras/blob/master/requirements-tensorflow-cuda.txt

Contributor Author

So, this will actually help keep these in sync!

When Dependabot is configured to run monthly (as I've done for all these projects), it always runs on the 1st of each month. So all projects will receive Dependabot PRs updating these nightlies to the last day of the previous month. Assuming all projects merge those PRs, they'll always run on the same recent versions.


Note that if this PR is merged before the end of the year, you'll immediately receive a Dependabot PR updating the nightlies to the latest version, and then receive another PR soon after, on January 1st. This actually happened in /keras and momentarily confused the maintainers, since they:

Collaborator

LGTM.

@kokoro-team kokoro-team removed the kokoro:force-run Runs Tests on GPU label Dec 28, 2023
Collaborator

@sampathweb sampathweb left a comment

Please rebase with the master since the requirements files have been updated.

@pnacht
Contributor Author

pnacht commented Jan 8, 2024

Done.

@pnacht
Contributor Author

pnacht commented Jan 8, 2024

I'm not sure why the tests are failing now... I even reverted to the currently-used nightlies to be sure...

Though I see now that HEAD seems to be broken? At least yesterday's nightly failed to build: https://github.com/keras-team/keras-nlp/actions/runs/7442707323/job/20246538837

@sampathweb
Collaborator

@pnacht - Looks like these commits are very old. Can you rebase once more?

commit 1be8ca5
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Dec 27 18:43:45 2023 +0000

    Bump the github-actions group with 3 updates

    Bumps the github-actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [actions/setup-python](https://github.com/actions/setup-python) and [actions/cache](https://github.com/actions/cache).

    Updates `actions/checkout` from 3 to 4
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3...v4)

    Updates `actions/setup-python` from 1 to 5
    - [Release notes](https://github.com/actions/setup-python/releases)
    - [Commits](actions/setup-python@v1...v5)

    Updates `actions/cache` from 2 to 3
    - [Release notes](https://github.com/actions/cache/releases)
    - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
    - [Commits](actions/cache@v2...v3)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-major
      dependency-group: github-actions
    - dependency-name: actions/setup-python
      dependency-type: direct:production
      update-type: version-update:semver-major
      dependency-group: github-actions
    - dependency-name: actions/cache
      dependency-type: direct:production
      update-type: version-update:semver-major
      dependency-group: github-actions
    ...

    Signed-off-by: dependabot[bot] <[email protected]>
@pnacht
Contributor Author

pnacht commented Feb 14, 2024

@sampathweb done.

@mattdangerw mattdangerw added the kokoro:force-run Runs Tests on GPU label Feb 14, 2024
@kokoro-team kokoro-team removed the kokoro:force-run Runs Tests on GPU label Feb 14, 2024
@mattdangerw mattdangerw merged commit 1322aaa into keras-team:master Feb 15, 2024
10 checks passed