Several GitHub Actions used by workflows are out of date and can be automatically checked by Dependabot.
Signed-off-by: Dave Thaler <[email protected]>

See also PR #218 comments.

The only concern I have is that Python is notorious for being very peculiar about package versions (ex: things magically break after version upgrades). Allowing bots to auto-update without verification seems dangerous to me. Further, there is no automatic deployment to parts of the system (ex: inference system). If there is divergence between the package versions in source vs what is deployed, a breakage may not be caught until much later where it is difficult to diagnose what exactly broke.

Bots cannot auto-update. Bots file a pull request that then goes through review/verification just like any other PR from a human would.
This PR does not change that. The same thing would happen with any human-generated PR if the PR is merged without testing for breakage.

I would not approve a PR without the author confirming that they have tested the change. A bot cannot do that. Therefore, I will not approve the bot's PRs. In that case, I don't see the value in enabling the bot.

Signed-off-by: Dave Thaler <[email protected]>
I think your comment applies to the Docker part (which I've now removed) but not the github-actions part. The GitHub Actions don't affect the binaries or deployment, only what GitHub does with pull requests or periodically. A bot can test those changes since the GitHub workflows run on pull requests. Hence there is value in enabling the bot for such things.

I noticed the Dependabot updates modified certain GitHub Actions but did not trigger them (likely because there is a path filter on those actions). Can you take a look?
From: Dave Thaler ***@***.***>
Sent: Wednesday, February 26, 2025 5:08:23 PM
To: orcasound/aifororcas-livesystem ***@***.***>
Cc: Michelle Yang ***@***.***>; Review requested ***@***.***>
Subject: Re: [orcasound/aifororcas-livesystem] Add dependabot support (PR #223)
Merged #223 into main.

You're right. I just triggered them manually and they all passed (as can be seen here). I can file a PR to add the relevant yml file to the paths so they trigger automatically.

PR #226 filed.