
Configuration

Most of the configuration is done in the .pyup.yml config file. If you are looking for configuration on a per dependency basis, take a look at filter.

The most common settings are to control updates, to change the default branch and to add labels to PRs but there is a wide range of other settings available.

To change the default configuration, create a new file called .pyup.yml (note the leading .) in the root directory of your repository.

Example

# configure updates globally
# default: all
# allowed: all, insecure, False
update: all

# configure dependency pinning globally
# default: True
# allowed: True, False
pin: True

# set the default branch
# default: empty, the default branch on GitHub
branch: dev

# update schedule
# default: empty
# allowed: "every day", "every week", ..
schedule: "every day"

# search for requirement files
# default: True
# allowed: True, False
search: True

# Specify requirement files by hand, default is empty
# default: empty
# allowed: list
requirements:
  - requirements/staging.txt:
      # update all dependencies and pin them
      update: all
      pin: True
  - requirements/dev.txt:
      # don't update dependencies, use global 'pin' default
      update: False
  - requirements/prod.txt:
      # update insecure only, pin all
      update: insecure
      pin: True

# add a label to pull requests, default is not set
# requires private repo permissions, even on public repos
# default: empty
label_prs: update

# assign users to pull requests, default is not set
# requires private repo permissions, even on public repos
# default: empty
assignees:
 - carl
 - carlsen

# configure the branch prefix the bot is using
# default: pyup-
branch_prefix: pyup/

# set a global prefix for PRs
# default: empty
pr_prefix: "Bug #12345"

# allow to close stale PRs
# default: True
close_prs: True

Updates

The bot's default setting is to update all dependencies as soon as a new release is available.

There are quite a few use cases and workflows where this is not the desired behavior.

Maybe you have a large legacy codebase and are only interested in security fixes. Or, if you are working on a library, you may not care about automated updates at all and just want a nice UI for your dependencies. This is what the update directive is for.

To control what the bot updates on a global level, set the update directive:

update: all

If you just want to receive security updates:

update: insecure

Or, if you don't want to receive any updates at all:

update: False

If you want to control this on a per file basis, please take a look at specifying files.

Branch

The bot uses GitHub's default branch to open new pull requests (usually master). In order to change the default branch, add the following line to your config file:

branch: dev

This will tell the bot to use the dev branch from now on.

Schedules

By default, the bot will open a Pull Request as soon as an update is available for one of your dependencies. If this creates too much noise, you can tell the bot to hold back updates and bundle them in a single Pull Request on a daily, weekly, biweekly or monthly basis.

Additionally, for weekly and biweekly updates, you can pick a weekday.

Daily

schedule: "every day"

Weekly

schedule: "every week"
schedule: "every week on thursday"

Biweekly

schedule: "every two weeks"
schedule: "every two weeks on monday"

Monthly

schedule: "every month"

Dependency pinning

The bot pins dependencies without version specifiers to the latest version by default. This means that unpinned dependencies like requests become requests==1.2.3.

This makes your build predictable and deterministic across environments and is good for end products.

If you don't want the bot to pin your dependencies without version specifiers, add the following to your config file.

pin: False

You can also control this on a per file basis; check out specify files.

By default, the bot will search the repository for requirement files to use. The search function is fairly simple. It looks for .txt and .pip files with requirements in the file path.

This will match the most common locations like:

- requirements.txt
- requirements/local.txt
- requirements/dev.txt

If you want to disable the search function, add the following to your config file.

search: False

To get more fine-grained control over which requirement files are picked up by the bot, look at specify files.
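An added example, not the bot's own code: a small audit that approximates the search rule described above and reports dependency files the bot would not see, so they can be listed under requirements. The case-insensitive match, the function names and the sample file list are assumptions made for this illustration.

```python
from pathlib import PurePosixPath

# Assumption: the rule as the text describes it, a .txt or .pip file with
# "requirements" somewhere in its path. The bot's real matcher may differ.
SEARCH_EXTENSIONS = {".txt", ".pip"}


def found_by_search(path):
    """True if the described search rule would pick this file up."""
    suffix = PurePosixPath(path).suffix.lower()
    return suffix in SEARCH_EXTENSIONS and "requirements" in path.lower()


def audit(paths, listed=()):
    """Split dependency files into (covered, missed).

    'listed' holds the paths already named in the requirements list of
    .pyup.yml; a file is covered if search finds it or it is listed.
    """
    listed = set(listed)
    covered, missed = [], []
    for path in paths:
        bucket = covered if found_by_search(path) or path in listed else missed
        bucket.append(path)
    return covered, missed


# Constructed sample: dependency files in a hypothetical repository
REPO_FILES = [
    "requirements.txt",
    "requirements/local.txt",
    "requirements/dev.txt",
    "foo/req.txt",
    "deploy/prod.pip",
    "tools/requirements.pip",
]

if __name__ == "__main__":
    covered, missed = audit(REPO_FILES, listed=["foo/req.txt"])
    print("covered:", covered)
    print("add to 'requirements':", missed)
```

A file that lands in the missed list receives no pull requests at all, including security updates, until it is added by hand.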

Specify files

Adding requirement files manually allows you to add files the bot might not find on its own and to get fine-grained control over the update and pin directives.

If you want to point the bot to a requirement file, simply add it to the requirements list in your config file:

requirements:
  - foo/req.txt

This will pick up the requirement file in foo/req.txt.

To set the update directive per file:

requirements:
  - requirements/staging.txt:
      update: all
  - requirements/dev.txt:
      update: False
  - requirements/prod.txt:
      update: insecure

This will tell the bot to send pull requests for all updates in staging.txt, security updates for prod.txt and to send no pull requests from dev.txt.

It's also possible to set the pin directive per file:

requirements:
  - requirements.txt
  - requirements_dev.txt:
      pin: False

This configuration will pin requirements.txt, but not requirements_dev.txt.
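An added example, not the bot's own code: resolving the effective update and pin setting for each listed file from an already parsed .pyup.yml, so you can see which files inherit the global value and which receive no pull requests. The function names are hypothetical, and the input is assumed to be the dict a YAML parser returns, with True and False as booleans.

```python
DEFAULTS = {"update": "all", "pin": True}  # documented defaults


def _check(path, settings):
    update, pin = settings["update"], settings["pin"]
    if not (update in ("all", "insecure") or update is False):
        raise ValueError(f"{path}: update must be all, insecure or False, got {update!r}")
    if not isinstance(pin, bool):
        raise ValueError(f"{path}: pin must be True or False, got {pin!r}")


def effective_policy(config):
    """Resolve update/pin per listed file: per-file value, else global, else default."""
    base = {key: config.get(key, default) for key, default in DEFAULTS.items()}
    _check("<global>", base)
    policy = {}
    for entry in config.get("requirements") or []:
        if isinstance(entry, dict):          # "- path:" followed by directives
            (path, overrides), = entry.items()
        else:                                # bare "- path" entry
            path, overrides = entry, None
        settings = {**base, **(overrides or {})}
        _check(path, settings)
        policy[path] = settings
    return policy


def without_security_updates(policy):
    """Files for which the bot opens no pull requests at all (update: False)."""
    return sorted(p for p, s in policy.items() if s["update"] is False)


# Constructed input: parsed form of the per-file example above, with a global
# 'pin: False' and one bare entry added to show inheritance.
SAMPLE = {
    "pin": False,
    "requirements": [
        {"requirements/staging.txt": {"update": "all"}},
        {"requirements/dev.txt": {"update": False}},
        {"requirements/prod.txt": {"update": "insecure", "pin": True}},
        "foo/req.txt",
    ],
}

if __name__ == "__main__":
    resolved = effective_policy(SAMPLE)
    for path, settings in resolved.items():
        print(path, settings)
    print("no PRs for:", without_security_updates(resolved))
```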

Labels

*Please note: The bot needs the private repo scope to create the label. Even on public repos.*

The bot can label pull requests it creates automatically.

To enable it, add the following to your config file:

label_prs: update

Assigning Users

*Please note: The bot needs the private repo scope in order to assign people to pull requests. Even on public repos.*

The bot can automatically assign people to pull requests it creates.

To enable it, add the following to your config file:

assignees: carl

If you want the bot to assign multiple people:

assignees:
 - carl
 - carlsen

Change the default branch prefix

By default, the bot uses pyup- as a prefix for all branches it creates.

This can be changed by setting the branch_prefix in your config file:

branch_prefix: pyup/

Close stale PRs

The bot will close stale pull requests by default.

A stale pull request is an open pull request that has been superseded by a new one.

Example

  • There is an open pull request to pin requests to requests==1.3
  • The requests package maintainers issue a new release 1.4
  • The bot will create a new pull request to pin requests to requests==1.4. The old (stale) pull request is closed and the bot will link to the new pull request.

To disable it, add the following to your config file:

close_prs: False

If you have additional questions, please don't hesitate to contact support@pyup.io.