
Refine dependabot workflow

Open speedytwenty opened this issue 3 years ago • 0 comments

Presently, the open Pull requests for cli-table3 are polluted with dependabot PRs that presumably could/should be auto-merging (upon passing CI tests). It looks like this may date back to the migration from dependabot-preview (see #216 and dependabot preview's history).

For longevity, cli-table3 should focus dependabot on its pertinent dependencies* and minimize dependabot's interference with devDependencies as best as possible.

* cli-table3 has only one production dependency (string-width), one optional dependency (@colors/colors), and one dev dependency (cli-table) whose version is relevant.

cli-table3 (this module) presently offers "backwards" compatibility with cli-table—and includes tests to prove it. Yet, these interfacing tests are more accurately "continuous" (see #196 & #283) while the devDependency on cli-table is not fixed to a specific version in package.json.

Because cli-table3 relies upon cli-table within its tests and only within its tests, there is a question: Which versions of cli-table are intended to be supported by cli-table3? If true backward-compatibility is intended, as seems to be the intention demonstrated, we could/should lock on a version and call it true. But presently, it's not backward (locked), it's continuous. This is relevant, I think, to get dependabot honed appropriately.

Despite activity or not on cli-table, I don't think the intention with cli-table3 is nor ever was to keep up with API changes that might occur to cli-table in the future. It would be possible to support both "true backward" and "continuous"—but testing advancements to cli-table would merely be testing breaking API changes to cli-table and not cli-table3.

To keep it simple here, we'll just lock cli-table to a specific version.

With that in mind, it seems like the following would be ideal for leveraging dependabot:

(Prod) Dependencies

"Dependencies" is presently singular; cli-table3 relies only on: string-width

  • [ ] dependabot auto-merges minor and patch releases
  • [ ] dependabot creates PR requiring manual merge for major releases [until told otherwise]

These should be demonstrable by: dependabot automatically raising string-width to the latest 4.x version and creating a PR for the 5.x version.

Dev Dependencies

  • [ ] Lock cli-table to specific version in package.json
  • [ ] dependabot ignores major releases and cli-table
  • [ ] dependabot auto-merges minor and patch releases (pending CI tests)

These should be demonstrable by:

  • dependabot not creating PRs for major releases (presently: eslint-config-prettier, eslint-plugin-prettier, etc.)
  • dependabot auto-merging devDependencies for minor and patch releases.

Summary

The end results here should be:

  • Minor and Patch updates for all dependencies automatically processed by dependabot.
  • Pull-requests free of dependabot PRs—except major releases to string-width.
  • Locking of cli-table and dependabot ignoring it completely.

speedytwenty, Mar 30 '22 05:03