Dancing with dependabot
In the context of LOG4J2-3628 (replacing `maven-changes-plugin`), I am overhauling the `log4j-tools` project. I have done something, if I may say, A-W-E-S-O-M-E, which I would like to repeat for Log4j too at some point: https://github.com/apache/logging-log4j-tools/pull/5 What is exactly happening in this PR? dependabot creates a PR for a dependency update, CI executes the tests, tests succeed, CI merges the PR, and publishes the built SNAPSHOT artifact. No more manual dependency updates!
Re: Dancing with dependabot
That's cool! How is that set up?

Gary

On Fri, Dec 2, 2022 at 8:11 AM Volkan Yazıcı wrote:
Re: Dancing with dependabot
I would be OK with this so long as it only applies to minor version bumps. Upgrading major versions should still require human eyeballs.

Ralph

> On Dec 2, 2022, at 6:17 AM, Gary Gregory wrote:
Re: Dancing with dependabot
This definitely looks like an interesting idea! Minor updates should patch fairly painlessly, and we can form a list of dependencies over time that shouldn't auto-update.

> On Dec 2, 2022, at 7:10 AM, Volkan Yazıcı wrote:
Re: Dancing with dependabot
One other thing. We have gotten in the habit of creating an "umbrella" Jira issue to capture dependency changes within a release. We need to ensure whatever is committed by Dependabot is also captured.

Ralph

> On Dec 2, 2022, at 10:05 AM, Matt Sicker wrote:
Re: Dancing with dependabot
Via GitHub Actions: https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml#L71

On Fri, Dec 2, 2022 at 2:17 PM Gary Gregory wrote:
Re: Dancing with dependabot
`dependabot.yml` can be configured to ignore/accept certain types of updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

The GitHub Actions workflow (`build.yml`) can be adapted to add/update a file along with the version update.

On Fri, Dec 2, 2022 at 6:19 PM Ralph Goers wrote:
Re: Dancing with dependabot
Very cool, I wonder how GH knows not to merge if any build in the PR failed.

Gary

On Fri, Dec 2, 2022, 13:43 Volkan Yazıcı wrote:
Re: Dancing with dependabot
GH doesn't do anything by default. We only merge `dependabot` PRs in a "step" that is only executed if the "build" step passes.

On Fri, Dec 2, 2022 at 8:33 PM Gary Gregory wrote:
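The two pieces discussed in this thread, as an added example that is not the `log4j-tools` project's own configuration: a `dependabot.yml` that skips major bumps (Ralph's condition), and a workflow whose merge job runs only when the build job succeeded and the PR author is Dependabot. The job names, paths, Maven invocation and the use of a separate job gated by `needs` (rather than a step) are assumptions for illustration; both files are shown in one listing separated by a YAML document marker.

```yaml
# Added example, not the project's files. Two files in one listing.

# --- .github/dependabot.yml ---
# Only minor/patch bumps become PRs; major bumps never reach the
# auto-merge job and still need a human to open them.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

---
# --- .github/workflows/build.yml ---
name: build
on:
  pull_request:      # not pull_request_target: PR code runs without repo secrets
  push:
    branches: [master]

permissions:
  contents: read     # default for every job; the merge job widens this itself

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 17
      - run: ./mvnw --batch-mode verify

  merge-dependabot:
    needs: build     # skipped unless the build job succeeded
    if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - id: metadata
        uses: dependabot/fetch-metadata@v1
      # Second guard for the major-version rule, independent of dependabot.yml
      - if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With `--auto`, GitHub merges only once every required status check on the PR is green, so a branch protection rule listing `build` as required keeps a failed build from being merged even if the gating above were misconfigured.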