Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# dependabot configuration. simple by design: weekly cadence, capped pr count,
# explicit scope. update when adding new package ecosystems.
#
# pip is intentionally absent: pyproject.toml declares only `>=` floors in a
# PEP 735 dependency group (no pins, no lockfile), so version updates would
# have nothing to bump. add the ecosystem if pinned requirements or a Python
# lockfile ever land.
#
# docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2

updates:
# rust workspace at the repo root. Cargo.lock is committed, so updates
# target the exact resolved versions the CLI binary ships with.
- package-ecosystem: cargo
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 5
labels:
- dependencies
- rust
commit-message:
prefix: cargo
include: scope
groups:
patch-and-minor:
update-types:
- patch
- minor

# github actions workflows (.github/workflows/).
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 3
labels:
- dependencies
- github-actions
commit-message:
prefix: actions
include: scope
groups:
actions:
patterns:
- "*"
8 changes: 3 additions & 5 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,14 +59,12 @@ jobs:
- run: ruff check python tests

audit:
name: cargo-audit (advisory)
name: cargo-audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- run: cargo install cargo-audit --locked
# Informational until the pre-existing advisory backlog is triaged: it
# surfaces vulnerable deps in the logs without blocking merges. Flip to a
# blocking check once the tree is clean.
# Blocking: the advisory backlog was cleared with the pyo3 0.29 bump, so
# any new advisory against the committed Cargo.lock should fail CI.
- run: cargo audit
continue-on-error: true
29 changes: 14 additions & 15 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions crates/nest-python/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,10 @@ name = "_nest"
crate-type = ["cdylib"]

[dependencies]
pyo3 = { version = "0.28", features = ["abi3-py312"] }
pyo3 = { version = "0.29", features = ["abi3-py312"] }
nest-format = { workspace = true }
nest-runtime = { workspace = true }
serde_json = { workspace = true }

[build-dependencies]
pyo3-build-config = "0.28"
pyo3-build-config = "0.29"
Loading