Updating Dependencies

GOATS uses Dependabot to automatically check for dependency updates. Dependabot is a GitHub-native automation tool that monitors dependency files (e.g., pyproject.toml and uv.lock) and creates pull requests (PRs) when new versions of packages are available.

The repository's Dependabot configuration groups updates into five categories, so each PR covers a single group:

  • dependencies

  • development-dependencies

  • documentation-dependencies

  • notebook-dependencies

  • github-actions

Dependabot runs weekly and creates PRs every Monday with any available updates.

Because GOATS is an application rather than a library that others depend on, its dependencies should be kept as current as possible. Updates must still be made carefully: GOATS relies on both DRAGONS and TOMToolkit, and all runtime dependencies must be available on conda-forge.

Before approving or merging any update:

  1. Verify that the new release is available on conda-forge (or, for packages maintained internally, that it can be published there). See the section Conda-Forge Maintenance for details.

  2. Confirm that DRAGONS and TOMToolkit support the proposed versions. DRAGONS, for example, depends on specific astropy versions.

Dependency Categories

dependencies

These are the core runtime dependencies for GOATS and must all be available on conda-forge.

  • Require the most careful review and testing.

  • Review release notes and changelogs before merging.

  • Test both the web application and the CLI components.

  • Run the full test suite with pytest.

  • Proceed cautiously to maintain compatibility with DRAGONS and TOMToolkit.

  • TOMToolkit updates may alter templates or static assets, so the UI should be checked thoroughly.

development-dependencies

Used for local and CI development tools (e.g., linters, formatters, test utilities).

  • Generally safe and simple to update.

  • Run the full test suite with pytest after updating.

  • These dependencies do not need to be on conda-forge.

documentation-dependencies

Used by ReadTheDocs to build project documentation.

  • Follow the same process as development dependencies.

  • Typically low-risk and can be merged after confirming the documentation builds successfully.

notebook-dependencies

Used only for running and testing local Jupyter notebooks.

  • Can be updated immediately.

  • Require minimal testing.

github-actions

Used to keep the GitHub Actions workflows up to date. Dependabot will check for new versions of actions defined in the repository’s workflow files.

  • These updates do not modify pyproject.toml or uv.lock.

  • Dependabot manages these PRs automatically.

  • Validate the affected workflow if possible to confirm it still functions as expected.

  • If the action cannot easily be tested (e.g., publishing or deployment workflows), assume it will continue to function correctly until the next applicable run.

How to Update

  1. Dependabot opens pull requests every Monday for detected updates.

  2. For each PR, create a Jira ticket under the Epic GOATS-732 - Dependabot Updates:

  • Use the PR title as the Jira story title.

  • If the PR title is too generic (e.g., “Bump dependencies”), append version details (e.g., “Update astropy to 6.0.2”).

  3. Add the ticket to the current sprint.

Note

github-actions updates do not require any further steps beyond ticket creation and review. These updates do not modify pyproject.toml or uv.lock and are handled entirely by Dependabot.

Check out the pull request locally. Dependabot updates uv.lock but usually leaves pyproject.toml untouched, so pyproject.toml normally has to be brought into line by hand. For example, for a PR titled Bump ruff from 0.13.1 to 0.13.3 in the development-dependencies group:

gh pr checkout 436

Then update the pyproject.toml file to match the uv.lock file by running:

uv add --dev "ruff>=0.13.3"

Note

  • --dev specifies the development group.

  • For other groups such as documentation, use --group docs.

  • The main dependencies group does not require --dev or --group.

  • Use >= for flexible version ranges and == when pinning exact versions.

Stage only the files the update touched (not the whole working tree, which can sweep in unrelated local changes), then commit and push:

git add pyproject.toml uv.lock
git commit -m "GOATS-<ISSUE_NUMBER>: Update pyproject.toml."
git push

Pushing the change triggers the GitHub Actions workflows, which run the test suite with pytest. Once all checks pass, squash-merge the PR and link it to the corresponding Jira ticket.

Note

A Towncrier entry is not required for dependency updates.
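The following script is an added example and not GOATS project code. It automates the title-to-command step above and adds the check a reviewer should make before trusting a PR title: it parses a Dependabot PR title, prints the uv add invocation for the matching dependency group, and confirms that the checked-out uv.lock really records the version the title announces (the lock file, not the title, is what gets installed). The docs group name comes from this page; the notebooks group name is an assumption, and the uv.lock excerpt is constructed sample input.

```shell
#!/bin/sh
# Added example, not GOATS project code. Turns a Dependabot PR title such as
# "Bump ruff from 0.13.1 to 0.13.3 in the development-dependencies group" into
# the `uv add` command that brings pyproject.toml into line with uv.lock, and
# checks that the checked-out uv.lock really records the version the title claims.
# Assumptions: the "docs" and "notebooks" group names match pyproject.toml;
# the uv.lock excerpt at the bottom is constructed sample input.
set -eu

# Dependabot group name -> flag(s) for `uv add`; the main group needs none.
group_flag() {
  case "$1" in
    dependencies)               printf '%s\n' '' ;;
    development-dependencies)   printf '%s\n' '--dev' ;;
    documentation-dependencies) printf '%s\n' '--group docs' ;;
    notebook-dependencies)      printf '%s\n' '--group notebooks' ;;  # assumed name
    *) echo "unknown Dependabot group: $1" >&2; return 1 ;;
  esac
}

# Print "<pkg> <old> <new> <group>" parsed from a Dependabot title, or fail.
parse_title() {
  out=$(printf '%s\n' "$1" | sed -n -E \
    's/^Bump ([^ ]+) from ([^ ]+) to ([^ ]+) in the ([^ ]+) group$/\1 \2 \3 \4/p')
  [ -n "$out" ] || { echo "unrecognised Dependabot title: $1" >&2; return 1; }
  printf '%s\n' "$out"
}

# Print the `uv add` command for a title. ">=" keeps later Dependabot bumps
# inside the declared range; "==" would force a pyproject.toml edit every time.
uv_add_cmd() {
  parsed=$(parse_title "$1") || return 1
  set -- $parsed
  flag=$(group_flag "$4") || return 1
  if [ -n "$flag" ]; then
    printf 'uv add %s "%s>=%s"\n' "$flag" "$1" "$3"
  else
    printf 'uv add "%s>=%s"\n' "$1" "$3"
  fi
}

# Print the version uv.lock records for a package (from its [[package]] block).
locked_version() {
  awk -v pkg="$2" '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { if (name == pkg) { gsub(/"/, "", $3); print $3; exit } }
  ' "$1"
}

# Fail unless uv.lock records exactly the version the PR title announces.
# Review the lock, not the title: the lock is what actually gets installed.
check_pr() {
  lock="$2"
  parsed=$(parse_title "$1") || return 1
  set -- $parsed
  locked=$(locked_version "$lock" "$1")
  if [ "$locked" = "$3" ]; then
    printf '%s: uv.lock records %s, matching the PR title\n' "$1" "$locked"
  else
    printf '%s: uv.lock records "%s" but the PR title says %s\n' "$1" "$locked" "$3" >&2
    return 1
  fi
}

# Constructed uv.lock excerpt (sample input, not the real GOATS lock file).
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
version = 1
requires-python = ">=3.12"

[[package]]
name = "astropy"
version = "6.0.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "ruff"
version = "0.13.3"
source = { registry = "https://pypi.org/simple" }
EOF

TITLE="Bump ruff from 0.13.1 to 0.13.3 in the development-dependencies group"
uv_add_cmd "$TITLE"             # uv add --dev "ruff>=0.13.3"
check_pr "$TITLE" "$SAMPLE_LOCK"
```

Run it after gh pr checkout with the real uv.lock in place of the sample; if check_pr reports a mismatch, the PR carries more (or less) than its title says and needs to be read in full before the uv add step.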

Testing Locally

To verify dependency updates before pushing, sync the environment. This installs GOATS in editable mode together with the development dependency group, and it is exact: packages that are not in uv.lock are removed from the environment, so the test run reflects the locked versions.

uv sync

Run the full test suite to confirm that all functionality remains stable (use uv run pytest if the virtual environment is not activated):

pytest

Note

After updating major dependencies such as django, tomtoolkit, or dragons, always run GOATS locally before merging to confirm that no runtime or import errors occur.