
Fix dependabot lock-sync workflow and hold vcert/pylint#69627

Merged: dwoz merged 1 commit into master from dwoz/dependabot-sync-fix-master on Jul 1, 2026

Conversation


@dwoz dwoz commented Jul 1, 2026

Contributor

What

Durable fixes so the automated Dependabot lock-file sync works and stops
producing PRs that can never pass CI.

Workflow (.github/workflows/dependabot-sync.yml)

  • Widen the "Sync .lock files" actor guard to also fire for salt-pr-bot.
    When the rebase bot re-pushes a dependabot branch, github.actor becomes
    salt-pr-bot[bot], which previously skipped the job and left the lock
    files stale (the root cause of the recent "deps weren't generated" PRs).

Dependabot config (.github/dependabot.yml)

  • Ignore vcert >= 0.10.0 and pylint >= 4.0.0 on every target branch.
    vcert 0.18+ hard-pins pynacl/cryptography/six against the rest of CI, and
    pylint 4.x turns pre-existing warnings into hard failures. Both are already
    deliberately held in requirements/static/ci/*.txt, so this stops
    Dependabot from re-proposing them each week and reintroducing the conflict.

Notes

  • The branch-filter gap (workflows on 3007.x/3008.x omit their own branch
    in on.pull_request.branches) is fixed in the companion PRs to those
    branches; master's workflow already lists all four.
  • No requirements changes: master already relocks clean.

Follow-up

After this and the companion branch PRs merge, the four stale Dependabot PRs
(#69586 to #69589) can be closed so Dependabot regenerates fresh ones against the
fixed workflow.
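As an added illustration of the two changes the description refers to (this is not the PR's diff, which is not reproduced on this page, and not the repository's own files): the widened actor guard in the workflow and the `ignore` entries in the Dependabot config. The job id, the original `startsWith(github.actor, 'dependabot')` form of the guard, the `pip` ecosystem, the directory and the schedule are assumptions; only the actor names, the package names and the version bounds come from the PR text.

```yaml
# .github/workflows/dependabot-sync.yml -- illustrative excerpt (assumed shape)
jobs:
  sync-lock-files:                      # job id is assumed
    name: Sync .lock files
    # Before (assumed): the job only ran when Dependabot itself pushed.
    # When the rebase bot re-pushes the branch, github.actor becomes
    # 'salt-pr-bot[bot]', so this condition was false and the lock files
    # were left stale:
    #   if: startsWith(github.actor, 'dependabot')
    #
    # After: also fire for the rebase bot.
    if: >-
      startsWith(github.actor, 'dependabot') ||
      startsWith(github.actor, 'salt-pr-bot')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... regenerate and commit the .lock files (steps not shown) ...
---
# .github/dependabot.yml -- illustrative excerpt (assumed shape)
version: 2
updates:
  - package-ecosystem: "pip"            # assumed
    directory: "/"                      # assumed
    schedule:
      interval: "weekly"                # assumed
    ignore:
      # Both packages are already held on purpose in
      # requirements/static/ci/*.txt (see the PR description), so stop
      # Dependabot from re-proposing the conflicting versions each week.
      - dependency-name: "vcert"
        versions: [">=0.10.0"]
      - dependency-name: "pylint"
        versions: [">=4.0.0"]
```

Two points worth keeping in mind with this shape. A guard keyed on `github.actor` checks who triggered the run, not who opened the PR, which is exactly why a re-push by another bot changed the outcome; any further automation that pushes to these branches will need the same treatment. An `ignore` entry also suppresses Dependabot security-update PRs for the ignored range, so advisories against the held versions of vcert and pylint have to be tracked by hand for as long as the pins stay in place.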

The "Sync .lock files" job skipped whenever a dependabot branch was re-pushed
by salt-pr-bot[bot] (github.actor no longer matched 'dependabot'), leaving
lock files stale. Widen the actor guard to also fire for salt-pr-bot.

Add dependabot ignore rules for vcert (>=0.10.0) and pylint (>=4.0.0): vcert
0.18+ hard-pins pynacl/cryptography/six against the rest of CI, and pylint 4.x
turns pre-existing warnings into hard failures. Both are deliberately held in
requirements, so stop dependabot from re-proposing them every week.
@dwoz dwoz requested a review from a team as a code owner July 1, 2026 22:32
@dwoz dwoz merged commit 469427d into master Jul 1, 2026
3 checks passed
@dwoz dwoz deleted the dwoz/dependabot-sync-fix-master branch July 1, 2026 22:40