Auto-updating packages


Git Workflow

When building your book, you're making use of packages: the teachbooks and jupyterbook packages themselves, but also packages for extensions. These are regularly updated, but those updates are not necessarily picked up by your book. Which versions are used is defined in the requirements.txt file, which is provided as part of the template. There are three options:

  1. requirements.txt only contains names of packages, like: download_link_replacer. In that case, your deploy-book-workflow will take the most up-to-date version when making your book website once a week (as the cache will be cleared once a week). This might lead to unexpected changes when new versions come out, although new versions are in general backwards compatible.

  2. requirements.txt contains names of packages with a specified version like: download_link_replacer==1.0.4. In that case, your deploy-book-workflow always uses that specific version. In doing so, you’ll never get a new update unless you explicitly adapt the version in requirements.txt. If you’d like to get notified for updates, you might consider using GitHub’s Dependabot.

  3. A combination of 1. and 2.: In that case (once a week at most) you will receive new versions for only the unfixed packages, no updates for the fixed versions. In this case you can also use GitHub’s Dependabot.

Notifications of updated packages with Dependabot

Dependabot checks the specified version of packages in your requirements.txt file and opens a branch and a pull request whenever there’s an update available for that package. Note that packages without a fixed version are ignored by Dependabot.

To activate this feature:

  1. Specify a version for all packages you want to be notified about in your requirements.txt file. See the requirements.txt of this manual as an example.

  2. In the .github/ directory, add a file named dependabot.yml with the following content (note that sphinx-thebe (used in Python live coding) and docutils (used in APA referencing) are ignored because these require a very specific version to work):

version: 2
updates:
  - package-ecosystem: "pip" 
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "22:59"
    ignore:
      - dependency-name: "sphinx-thebe"
      - dependency-name: "docutils"

This will check every Sunday around midnight (UTC) whether any of the fixed-version packages have been updated. If so, several things will happen:

  1. A new branch starting with dependabot will be created in the repository and any relevant workflows will be triggered.

  2. A pull request will be created to pull the new branch into the default branch. This pull request must be manually reviewed and merged. Afterwards the dependabot branch can be deleted (automatically).
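Since only packages with a fixed version lead to Dependabot pull requests, it helps to check which entries of requirements.txt fall into which group before relying on the notifications. The script below is an added example, not part of the TeachBooks template: the function names, the sample file and its placeholder version numbers are assumptions, and it treats only exact name==version pins as fixed.

```python
import re

# name, optional [extras], version specifier, optional ;environment marker
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*?)\s*(?:;.*)?$")

def _norm(name):
    # pip compares names case-insensitively and treats "-", "_", "." alike
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(requirements_text, ignored=()):
    """Sort requirements.txt entries by how they will receive updates."""
    ignored = {_norm(n) for n in ignored}
    report = {"notified": {}, "ignored": {}, "unfixed": [], "skipped": []}
    for raw in requirements_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()   # strip comments
        if not line:
            continue
        m = _REQ.match(line)
        if line.startswith("-") or "://" in line or m is None:
            report["skipped"].append(line)               # -r/-e options, URLs
            continue
        name, spec = m.group(1), m.group(2)
        pin = re.fullmatch(r"==\s*([^\s,*]+)", spec)     # exact pin, no wildcard
        if pin is None:
            report["unfixed"].append(name)               # bare name or a range
        elif _norm(name) in ignored:
            report["ignored"][name] = pin.group(1)       # pinned, but no PRs
        else:
            report["notified"][name] = pin.group(1)      # pinned, PRs expected
    return report

def option(report):
    # Which of the three options described on this page the file matches.
    pinned = bool(report["notified"] or report["ignored"])
    if pinned and report["unfixed"]:
        return 3
    return 2 if pinned else 1

# Constructed sample; only download_link_replacer==1.0.4 is taken from this page.
SAMPLE = """\
teachbooks
download_link_replacer==1.0.4
Sphinx_Thebe==0.0.0   # placeholder version
docutils==0.0.0       # placeholder version
jupyterbook>=0.0.0
-r extra-requirements.txt
"""

if __name__ == "__main__":
    print(classify(SAMPLE, ignored=["sphinx-thebe", "docutils"]))
```

Entries reported as unfixed change whenever the weekly cache is cleared, without a pull request to review, so that list is the one to keep short if you want every version change to pass through a review.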

If the workflow call-deploy-book is used, and you don’t want the dependabot branches to be built and deployed (while all other branches still are), you can achieve this by adding the following to the file call-deploy-book.yml:

on:
  push:
    branches:
    - '**'
    - '!dependabot**'

If you want a different schedule, see the Dependabot options reference for the available options.

If you want to manually trigger the Dependabot workflow, you can do this by following these steps:

  1. Go to your repository on GitHub.

  2. Choose Insights.

  3. Choose Dependency graph.

  4. Choose Dependabot.

  5. Choose Recent update jobs next to pip requirements.txt.

  6. Choose Check for updates.