Add dependabot to update GitHub Actions and Python dependencies #2259

Merged
merged 3 commits into from
Dec 27, 2023

Contributor

@pnacht pnacht commented Dec 21, 2023

What does this PR do?

Hey, it's Pedro (see #2075 and #2142) and I'm back with another security suggestion.

This PR is equivalent to the one I sent to Keras: keras-team/keras#18834. It configures Dependabot to monitor the GitHub Actions used in KerasCV's workflows, as well as its Python dependencies.

Dependabot is configured to send a single monthly PR (every 1st of the month) updating all dependencies in each ecosystem (see the PRs in my fork updating GHAs and Python deps).

I have taken the liberty of merging those dependabot PRs into this one so you don't receive such PRs right after merging this one.

Note that Dependabot will also update the tf-nightly and tf-nightly-cpu Python dependencies to the latest nightly snapshot. This will ensure you're running on a more recent version of TF. However, if you're concerned about updating to a broken nightly (which would likely be detected by failing tests on the Dependabot PR), I can configure Dependabot to ignore those dependencies so you can update manually.

(Following keras-team/keras#18833 (comment), I haven't sent an issue for this. Let me know if KerasCV prefers always having an accompanying issue to discuss the contribution).

Before submitting

  • This PR fixes a typo or improves the docs (you can dismiss the other checks if that's the case).
  • Did you read the contributor guideline,
    Pull Request section?
  • Was this discussed/approved via a Github issue? Please add a link
    to it if that's the case.
  • Did you write any new necessary tests?
  • If this adds a new model, can you run a few training steps on TPU in Colab to ensure that no XLA incompatible OP are used?

Who can review?

Anyone! @divyashreepathihalli @sampathweb
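
A Dependabot configuration of the kind this description outlines, as an added example (not the file from this PR). The group names `github-actions` and `python` come from the commit metadata on this page; the `directory` values and the commented-out `ignore` rule for the nightlies are assumptions.

```yaml
# Hypothetical .github/dependabot.yml; not copied from the PR.
version: 2
updates:
  # GitHub Actions referenced by the workflows.
  - package-ecosystem: "github-actions"
    directory: "/"            # "/" makes Dependabot scan .github/workflows
    schedule:
      interval: "monthly"     # monthly runs happen on the 1st of the month
    groups:
      github-actions:         # one grouped PR for all action bumps
        patterns:
          - "*"

  # Python requirements files.
  - package-ecosystem: "pip"
    directory: "/"            # assumed location of the requirements files
    schedule:
      interval: "monthly"
    groups:
      python:                 # one grouped PR for all Python bumps
        patterns:
          - "*"
    # Alternative offered in the description: keep nightlies on manual updates.
    # ignore:
    #   - dependency-name: "tf-nightly*"
```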

pnacht and others added 3 commits December 21, 2023 14:04
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Bumps the github-actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `4` |
| [actions/setup-python](https://github.com/actions/setup-python) | `4` | `5` |
| [actions/cache](https://github.com/actions/cache) | `2` | `3` |
| [DoozyX/clang-format-lint-action](https://github.com/doozyx/clang-format-lint-action) | `0.14` | `0.17` |
| [devcontainers/ci](https://github.com/devcontainers/ci) | `0.2` | `0.3` |


Updates `actions/checkout` from 3 to 4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v4)

Updates `actions/setup-python` from 4 to 5
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v4...v5)

Updates `actions/cache` from 2 to 3
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v2...v3)

Updates `DoozyX/clang-format-lint-action` from 0.14 to 0.17
- [Release notes](https://github.com/doozyx/clang-format-lint-action/releases)
- [Commits](DoozyX/clang-format-lint-action@v0.14...v0.17)

Updates `devcontainers/ci` from 0.2 to 0.3
- [Release notes](https://github.com/devcontainers/ci/releases)
- [Commits](devcontainers/ci@v0.2...v0.3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: DoozyX/clang-format-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: devcontainers/ci
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the python group with 4 updates: [tf-nightly-cpu](https://github.com/tensorflow/tensorflow), torch, torchvision and [tf-nightly[and-cuda]](https://github.com/tensorflow/tensorflow).


Updates `tf-nightly-cpu` from 2.16.0.dev20231109 to 2.16.0.dev20231221
- [Release notes](https://github.com/tensorflow/tensorflow/releases)
- [Changelog](https://github.com/tensorflow/tensorflow/blob/master/RELEASE.md)
- [Commits](https://github.com/tensorflow/tensorflow/commits)

Updates `torch` from 2.1.0 to 2.1.2+cu118

Updates `torchvision` from 0.16.0 to 0.16.2+cu118

Updates `tf-nightly[and-cuda]` from 2.16.0.dev20231109 to 2.16.0.dev20231221
- [Release notes](https://github.com/tensorflow/tensorflow/releases)
- [Changelog](https://github.com/tensorflow/tensorflow/blob/master/RELEASE.md)
- [Commits](https://github.com/tensorflow/tensorflow/commits)

---
updated-dependencies:
- dependency-name: tf-nightly-cpu
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python
- dependency-name: torch
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python
- dependency-name: torchvision
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python
- dependency-name: tf-nightly[and-cuda]
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Member

@mattdangerw mattdangerw left a comment

Thanks! This looks good to me! Bumping nightlies via dependabot sounds fine, I believe our testing would turn up any issues if we found them.

Added @sampathweb to look too, he's been doing a lot with Keras CI generally.


# Torch with cuda support.
--extra-index-url https://download.pytorch.org/whl/cu118
torch==2.1.0
torchvision==0.16.0
torch==2.1.2+cu118
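
Review bot: the new pin `torch==2.1.2+cu118` is still resolved through `--extra-index-url`, which adds download.pytorch.org next to PyPI instead of replacing it, and the line carries no `--hash`, so this file fixes the version but not the index or the artifact that satisfies it. The `+cu118` local version label narrows the source in practice, but that is a side effect rather than a control. Consider hash-pinning these requirements (pip's `--require-hashes` mode) so each monthly bump is checked against a known digest, and confirm that the automated updater can resolve versions from the extra index before relying on it for this file.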

Member

Is this in sync with our pinned torch versions for keras itself?

Contributor Author

Do you mean if this is the same version of torch used at keras-team/keras?

In that case, the version is currently not the same. They're running torch 2.1.1, since 2.1.2 was released Dec 14, and their last Dependabot run was Dec 1st.

Once Dependabot runs again (Jan 1) and both projects merge their respective PRs, the versions will always match.

@mattdangerw
Member

> (Following keras-team/keras#18833 (comment), I haven't sent an issue for this. Let me know if KerasCV prefers always having an accompanying issue to discuss the contribution).

I think going straight to a PR is always welcome if the proposed change is clear. Helps anchor the discussion.

For big features (e.g. new API symbols), or places where the potential changes are unclear, an issue is probably worth it.

@divyashreepathihalli divyashreepathihalli added the kokoro:force-run Runs Tests on GPU label Dec 27, 2023
@kokoro-team kokoro-team removed the kokoro:force-run Runs Tests on GPU label Dec 27, 2023
@divyashreepathihalli divyashreepathihalli merged commit 6a0ef44 into keras-team:master Dec 27, 2023
9 of 10 checks passed
yuvraj-wale pushed a commit to yuvraj-wale/keras-cv that referenced this pull request Feb 8, 2024
…s-team#2259)

* Add dependabot to monitor GHA and Python

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Bump GitHub Actions to latest versions

* Bump Python dependencies to latest versions

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>