
[#7507] add dependabot config

Open JonasCir opened this issue 4 years ago • 5 comments

Fixes #7507. Take a look at my private fork's PR queue: the amount of PRs this bot creates is manageable.

JonasCir avatar Dec 13 '21 15:12 JonasCir

@JonasCir Also requested a review from @StefanKock

MateStrysewske avatar Dec 14 '21 09:12 MateStrysewske

Hi, thanks for the remarks!

  1. Dependabot does not duplicate updates and understands our structure. I admit Maven is a little bit of a misnomer. Read here: "Dependabot doesn't run Maven but supports updates to pom.xml files". So all the paths in the file explicitly point the bot to our poms; it really does no harm.
  2. True, but it has a pom in the directory, see 1. It does no harm. Gradle support will need some minor refactoring which I can't do right now; it will be enabled later.
  3. True, removed it temporarily until I get Gradle to work later.

The bot will only provide the PRs for us to merge. I think that getting away from manually tracking dependencies to a more automated approach is highly beneficial.

Also the following and more can be configured: commit message, source branch, reviewers, labels, etc., see here. Let me know if you want to have something specific here.

JonasCir avatar Dec 14 '21 13:12 JonasCir

Well, for a start: changing anything on the software shall be documented in a ticket, and the commit has to be linked to the ticket. How does this come into this automation approach?

StefanKock avatar Dec 14 '21 15:12 StefanKock

You're right, this makes perfect sense for humans, but I think it is fine to make an exception for a bot which does nothing else than, well, provide PRs which bump a version number in a POM with an already clear and distinct commit message.

Referencing a tracking issue from the bot would just repeatedly fill the tracking issue with related commits. I don't see how looking at an ever-extending and overflowing issue helps anyone. Also, leaving the issue number out of the automatic commits would clearly highlight which parts of the pom were modified by humans if you inspect the git history.

In case we really want to introduce this, you can check out this link from my fork which contains commits that adhere to the scheme you asked for :rocket:. Turns out Dependabot is quite flexible, and it will also receive new features in the future which are likely to contribute even more to a healthy, stable, and secure product. We should not miss out on such a fundamental feature.

JonasCir avatar Dec 15 '21 09:12 JonasCir
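For readers who want to see what the two comments above describe in one place (a config whose paths point Dependabot at `pom.xml` files, plus configurable commit message, reviewers and labels, and a commit-message prefix that references a tracking ticket as the project's convention asks), here is an illustrative `.github/dependabot.yml`. It is an added example, not the file from this PR or from SORMAS-Project; the directory paths, the target branch, the label and the `#7507` prefix are placeholders, and the reviewer handles are simply the two participants in this thread.

```yaml
# .github/dependabot.yml (illustration only; not SORMAS-Project's actual config)
# Dependabot does not run Maven itself: it parses the pom.xml in each listed
# directory and opens one pull request per dependency it can bump.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                  # placeholder: directory holding a pom.xml
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5     # caps the PR queue so it stays manageable
    target-branch: "development"    # placeholder: branch PRs are opened against
    reviewers:                      # people auto-requested on every bot PR
      - "JonasCir"
      - "StefanKock"
    labels:
      - "dependencies"              # placeholder label for filtering bot PRs
    commit-message:
      prefix: "#7507"               # placeholder: tracking ticket reference
      include: "scope"              # appends the dependency scope to the message

  # Repeat one entry per additional directory that contains a pom.xml; each
  # entry is tracked separately, so updates are not duplicated between them.
  - package-ecosystem: "maven"
    directory: "/example-module"    # placeholder path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    target-branch: "development"
    reviewers:
      - "JonasCir"
    labels:
      - "dependencies"
    commit-message:
      prefix: "#7507"
```

With `prefix` set, every bot commit carries the ticket reference the commit policy requires; dropping the `commit-message` block instead yields the plain version-bump messages described earlier in the thread, which makes human edits to the poms stand out in the history. Either way the bot only opens PRs: each bump still goes through the configured reviewers before merge, which is where a suspicious release of a dependency would be caught.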

If there are further concerns, I'm happy to discuss them tomorrow in our meeting.

JonasCir avatar Dec 15 '21 09:12 JonasCir

Branch is broken, I start from scratch.

JonasCir avatar Mar 17 '23 15:03 JonasCir