Document how to handle Dependabot pull requests. (#14916)

pull/14920/head
Patrick Cloke 2023-01-25 14:49:37 -05:00 committed by GitHub
parent 836c592f15
commit 8bc5d1406c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 0 deletions

1
changelog.d/14916.misc Normal file
View File

@ -0,0 +1 @@
Document how to handle Dependabot pull requests.

View File

@ -258,6 +258,20 @@ because [`build`](https://github.com/pypa/build) is a standardish tool which
doesn't require poetry. (It's what we use in CI too). However, you could try
`poetry build` too.
## ...handle a Dependabot pull request?
Synapse uses Dependabot to keep the `poetry.lock` file up-to-date. When it
creates a pull request a GitHub Action will run to automatically create a changelog
file. Ensure that:
* the lockfile changes look reasonable;
* the upstream changelog file (linked in the description) doesn't include any
breaking changes;
* continuous integration passes (due to permissions, the GitHub Actions run on
the changelog commit will fail, look at the initial commit of the pull request);
In particular, any updates to the type hints (usually packages which start with `types-`)
should be safe to merge if linting passes.
# Troubleshooting