Document how to handle Dependabot pull requests. (#14916)

author: Patrick Cloke <clokep@users.noreply.github.com> 2023-01-25 14:49:37 -0500
committer: GitHub <noreply@github.com> 2023-01-25 14:49:37 -0500
commit: 8bc5d1406cb24730fd87facb8c5b29a76360782e (patch)
tree: 661175fe8542829d7e7e5bbec78387d4e0ce181c /docs/development
parent: Fix type hints in knocking tests. (#14887) (diff)
download: synapse-8bc5d1406cb24730fd87facb8c5b29a76360782e.tar.xz
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/development/dependencies.md b/docs/development/dependencies.md
index b734cc5826..c4449c51f7 100644
--- a/docs/development/dependencies.md
+++ b/docs/development/dependencies.md
@@ -258,6 +258,20 @@ because [`build`](https://github.com/pypa/build) is a standardish tool which
 doesn't require poetry. (It's what we use in CI too). However, you could try
 `poetry build` too.
 
+## ...handle a Dependabot pull request?
+
+Synapse uses Dependabot to keep the `poetry.lock` file up-to-date. When it
+creates a pull request a GitHub Action will run to automatically create a changelog
+file. Ensure that:
+
+* the lockfile changes look reasonable;
+* the upstream changelog file (linked in the description) doesn't include any
+  breaking changes;
+* continuous integration passes (due to permissions, the GitHub Actions run on
+  the changelog commit will fail, look at the initial commit of the pull request);
+
+In particular, any updates to the type hints (usually packages which start with `types-`)
+should be safe to merge if linting passes.
 
 # Troubleshooting
author	Patrick Cloke <clokep@users.noreply.github.com>	2023-01-25 14:49:37 -0500
committer	GitHub <noreply@github.com>	2023-01-25 14:49:37 -0500
commit	8bc5d1406cb24730fd87facb8c5b29a76360782e (patch)
tree	661175fe8542829d7e7e5bbec78387d4e0ce181c /docs/development
parent	Fix type hints in knocking tests. (#14887) (diff)
download	synapse-8bc5d1406cb24730fd87facb8c5b29a76360782e.tar.xz