Need: Python Dependency Check Script

ghutchis · November 8, 2024, 8:12pm

For some of the Python users out here, it would be really helpful to have a script to check the external dependencies for updates (like Dependabot), e.g.

github.com

OpenChemistry/openchemistry/blob/d31cbd9ea0c0c11a12303455317cf0bc2d215044/cmake/projects.cmake

unset(projects)

# Eigen
list(APPEND projects eigen)
set(eigen_version "3.4.0")
set(eigen_url "https://gitlab.com/libeigen/eigen/-/archive/${eigen_version}/eigen-${eigen_version}.tar.gz")
set(eigen_md5 "4c527a9171d71a72a9d4186e65bea559")

# glew
list(APPEND projects glew)
set(glew_version "2.2.0")
set(glew_url "https://github.com/nigels-com/glew/releases/download/glew-${glew_version}/glew-${glew_version}.tgz")
set(glew_md5 "3579164bccaef09e36c0af7f4fd5c7c7")

# gtest
list(APPEND projects gtest)
set(gtest_version "1.13.0")
set(gtest_url "https://github.com/google/googletest/archive/refs/tags/v${gtest_version}.tar.gz")
set(gtest_md5 "95b29f0038ec84a611df951d74d99897")

This file has been truncated. show original

The basic idea would be to check the releases for eigen, libarchive, etc., see if it changed (e.g. libarchive) compute the md5 checksum, and create a patch for the projects.cmake file.

I can help with turning the script into a GitHub action that will create a pull request and test that the builds work.

ghutchis · November 8, 2024, 8:12pm

This of course mostly helps Windows and Mac builds, but we have plenty of those

matterhorn103 · November 8, 2024, 10:10pm

Dependabot can’t handle this?

ghutchis · November 9, 2024, 12:10am

Sadly, not at the moment.

Thomas · November 10, 2024, 6:24pm

For GitHub, there is an API which can be addressed (for instance) with Python; indeed, PyPI holds a couple of libraries to write a script to build a monitor-like action, for instance PyGithub.

Derived from a fork of a project here, I cobbled together a starter script:

starter.py (2.9 KB)

This one relies on the side of the projects monitored to label new releases as such. The demo GitHub token included (will expire in about 2 days, no extended privileges) is “a classic one” from GitHub’s GUI interface which I experience as a contact to the GitHub API more reliable, and more efficient. (Else, there is throttle of x request per y amount of time passing a list of requests easily triggers a throttle on behalf of GitHub to prevent a DDoS attack.)

Conceptually I would request this script to write a permanent record. The second time to let this script run already can be by a cron job (as here) where a logic like

cmp - previous_check.txt --silent || \

(.yml file line 71) advances only if checking the report “now” with the state “last time” differs.

This doodle doesn’t address GitLab. But given many packages of Debian are hosted there which include a watchfile to inform the Debian developers if there was an edit by maintainers of a project hosted on GitLab, a similar solution might be available for the projects on GitLab, too.

Since I have a notifying bookmark of update scanner on Jmol’s sourceforge page, there should be a non-GUI based solution for the projects there, too.