Fix dependabot lock-sync workflow and hold vcert/pylint#69627
Merged
Conversation
The Sync .lock files job skipped whenever a dependabot branch was re-pushed by salt-pr-bot[bot] (github.actor no longer matched 'dependabot'), leaving lock files stale. Widen the actor guard to also fire for salt-pr-bot. Add dependabot ignore rules for vcert (>=0.10.0) and pylint (>=4.0.0): vcert 0.18+ hard-pins pynacl/cryptography/six against the rest of CI, and pylint 4.x turns pre-existing warnings into hard failures. Both are deliberately held in requirements, so stop dependabot from re-proposing them every week.
twangboy
approved these changes
Jul 1, 2026
What

Durable fixes so the automated Dependabot lock-file sync works and stops producing PRs that can never pass CI.

Workflow (.github/workflows/dependabot-sync.yml)

- Widen the "Sync .lock files" actor guard to also fire for salt-pr-bot. When the rebase bot re-pushes a dependabot branch, github.actor becomes salt-pr-bot[bot], which previously skipped the job and left the lockfiles stale (the root cause of the recent "deps weren't generated" PRs).

Dependabot config (.github/dependabot.yml)

- Ignore vcert >= 0.10.0 and pylint >= 4.0.0 on every target branch. vcert 0.18+ hard-pins pynacl/cryptography/six against the rest of CI, and pylint 4.x turns pre-existing warnings into hard failures. Both are already deliberately held in requirements/static/ci/*.txt, so this stops Dependabot from re-proposing them each week and reintroducing the conflict.

Notes

- 3007.x/3008.x omitting their own branch in on.pull_request.branches is fixed in the companion PRs to those branches; master's workflow already lists all four.
- master already relocks clean.

Follow-up

After this and the companion branch PRs merge, the four stale Dependabot PRs (#69586–#69589) can be closed so Dependabot regenerates fresh ones against the fixed workflow.
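The two changes the description covers, written out as an added illustration rather than the PR's actual diff: the workflow and dependabot file paths are the ones named above, but the job layout, the `directory` value and the branch list are assumptions, and the original guard is shown only to mark what the widened one adds.

```yaml
# .github/workflows/dependabot-sync.yml  (illustrative excerpt; job body assumed)
name: Dependabot lock sync
on:
  pull_request:
    # Only the branches the PR names; the master workflow lists four in total.
    branches: [master, 3007.x, 3008.x]
jobs:
  sync-lock-files:
    name: Sync .lock files
    # Original guard (assumed form) matched only the dependabot actor, so a
    # re-push by the rebase bot, where github.actor is 'salt-pr-bot[bot]',
    # silently skipped this job and left the .lock files stale.
    #   if: github.actor == 'dependabot[bot]'
    # Widened guard: fire for either actor.
    if: github.actor == 'dependabot[bot]' || github.actor == 'salt-pr-bot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Regenerate lock files
        run: echo "relock requirements/static/ci/*.txt here (step body assumed)"
---
# .github/dependabot.yml  (illustrative; repeat the block once per target branch)
version: 2
updates:
  - package-ecosystem: pip
    directory: /            # assumed; point at where the requirements live
    target-branch: master
    schedule:
      interval: weekly
    ignore:
      # vcert 0.18+ hard-pins pynacl/cryptography/six against the rest of CI;
      # the pin is held deliberately in requirements/static/ci/*.txt.
      - dependency-name: vcert
        versions: [">=0.10.0"]
      # pylint 4.x turns pre-existing warnings into hard failures.
      - dependency-name: pylint
        versions: [">=4.0.0"]
```

Because the ignore list is per `updates` entry, a target branch that lacks its own copy of the two rules will keep receiving the vcert/pylint bumps, which is why the description applies them on every target branch.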