Hi Volkan,
On 13.05.2025 11:06, Volkan Yazıcı wrote:
> Thanks for chasing this Piotr. Given the recently stagnating Log4j
> maintainer time, the workflow of verifying dependabot PRs, adding
> associated changelog entries, and automatically merging upon success was a
> big time saver
Thanks for chasing this Piotr. Given the recently stagnating Log4j
maintainer time, the workflow of verifying dependabot PRs, adding
associated changelog entries, and automatically merging upon success was a
big time saver for us. I'd really appreciate it if we can bring it back.
In GHA work
Hi all,
As expected, the introduction of required reviews and required checks
has made our "automatically merge Dependabot PRs" workflow less
automatic. Currently, for each Dependabot PR:
* The commit that adds a changelog entry does not trigger the build
workflow and therefore
Two problems:
1. Email subjects are wrong again.
2. Robot emails not being sent to robots mailing list.
> On Feb 27, 2023, at 4:07 PM, github-...@apache.org wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> github-bot pushed a change to branc
em into threads properly:
> https://github.com/apache/plc4x/blob/develop/.asf.yaml
>
My mail server doesn’t offer sophisticated enough filtering to properly filter
out that sort of thing. For example, while I can set up a filter around
Dependabot itself, that doesn’t handle all the automated emails in response to
that such as a committer merging the update. And that’s besides
the
Dependabot flooding.
—
Matt Sicker
> On Feb 6, 2023, at 11:35, Matt Sicker wrote:
>
> I don’t want to get rid of the bot; it’s very useful. I just don’t want its
> notifications in my inbox, especially since they’re nearly impossible to
> filter without false positives (e.g
rrant work in a fork. But you
can decide this yourself.
On Mon, Feb 6, 2023 at 9:37 AM Piotr P. Karwasz
wrote:
> Hi Volkan,
>
> On Mon, 6 Feb 2023 at 08:55, Volkan Yazıcı wrote:
> >
> > You can configure dependabot to ignore certain major versions or update
> > typ
Hi Volkan,
On Mon, 6 Feb 2023 at 08:55, Volkan Yazıcı wrote:
>
> You can configure dependabot to ignore certain major versions or update
> types
> <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-
You can configure dependabot to ignore certain major versions or update
types
<https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore>
:
version: 2
updates:
- p
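A complete `dependabot.yml` showing the ignore options referenced above, added here as an example. It is not the configuration from the Log4j repositories; the ecosystem, schedule, open-PR limit, group name and dependency patterns are assumptions made for the illustration.

```yaml
# Added example; not the dependabot.yml from the Log4j repositories.
# Ecosystem, schedule, limit, group name and dependency patterns are assumptions.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Bound the number of open Dependabot PRs so one noisy week cannot
    # flood the notification list.
    open-pull-requests-limit: 5
    # Batch Maven plugin bumps into a single PR instead of one PR each.
    # (`groups` is a newer Dependabot feature than the message above.)
    groups:
      maven-plugins:
        patterns:
          - "org.apache.maven.plugins:*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Skip major version bumps for every dependency; minor and patch
      # updates still arrive and still have to pass CI before a merge.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Caveat: `ignore` rules also apply to Dependabot security updates, so if the only fixed release of a dependency is a new major version, this configuration will not propose it; watch the repository's security alerts for such cases rather than relying on the PR feed alone.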
Hi Volkan,
On Sun, 5 Feb 2023 at 21:02, Volkan Yazıcı wrote:
> Let me also state that I don't have this problem in projects where
> dependabot PRs are merged automatically, e.g., `log4j-tools`. PR comes in,
> `verify` succeeds, PR gets merged, and I see this beautiful interaction
Agreeing with the dependabot's PR notification noise. Though I am not sure
if addressing this at the infrastructure is the right thing to do. So far I
am having a pleasant ride by extending my existing filtering with an extra
`dependabot[bot]` predicate on the subject.
Even though I a
I like to follow the notifications lists because that’s where I can see code
changes committed, PRs opened, issues opened, etc. However, Dependabot spam
makes it nearly impossible to find. There was a recent update to the .asf.yaml
config features that allow customizing where Dependabot shit
GH doesn't do anything by default.
We only merge `dependabot` PRs in a "step" that is only executed if the
"build" step passes.
On Fri, Dec 2, 2022 at 8:33 PM Gary Gregory wrote:
> Very cool, I wonder how GH knows not to merge if any build in the PR
> failed.
hauling the `log4j-tools` project. I have done something, if I may
> > say,
> > > A-W-E-S-O-M-E, which I would like to repeat for Log4j too at some
> point:
> > > https://github.com/apache/logging-log4j-tools/pull/5
> > >
> > > What is exactly happeni
`dependabot.yml` can be configured to ignore/accept certain type of
updates:
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
GitHub Actions workflow (`build.yml`) can be adapted to add/update a file
along with the
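A GitHub Actions workflow that implements the gating Matt describes ("merge only in a step that runs if the build step passes") together with the changelog step this message proposes, added here as an example. It is not the project's `build.yml` and not the workflow from logging-log4j-tools PR #5; the job names, the Maven command, the `CHANGELOG.md` path and the "no automatic major bumps" policy are assumptions.

```yaml
# Added example; not the project's build.yml and not the workflow from
# logging-log4j-tools PR #5. Job names, the Maven command, the changelog
# file path and the "no major bumps" policy are assumptions.
name: build

on:
  pull_request:
  push:
    branches: [main]

# Read-only token by default; only the merge job widens it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"
      - run: ./mvnw --batch-mode verify

  merge-dependabot:
    # `needs` makes this job run only after `build` succeeded; a failed
    # build skips it, which keeps a broken bump out of the main branch.
    needs: build
    # Gate on the PR author, not on `github.actor`: whoever re-runs the
    # workflow becomes the actor, but cannot change who opened the PR.
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    # Runs triggered by Dependabot get a read-only GITHUB_TOKEN unless the
    # job asks for more; request exactly the scopes merging needs.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: dependabot/fetch-metadata@v2
        id: metadata
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4
        with:
          # Check out the PR branch itself, not the detached merge commit,
          # so the changelog commit below can be pushed back to it.
          ref: ${{ github.head_ref }}
      # Record the bump in the changelog (assumed file) on the PR branch.
      - run: |
          printf -- '- Update %s to %s (Dependabot)\n' \
            "$DEPS" "$NEW_VERSION" >> CHANGELOG.md
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git commit -am "Add changelog entry for ${DEPS} ${NEW_VERSION}"
          git push
        env:
          DEPS: ${{ steps.metadata.outputs.dependency-names }}
          NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
      # Queue the merge for minor and patch bumps only; a major bump stays
      # open for a human to look at.
      - if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two things to check before relying on this. `gh pr merge --auto` only works when auto-merge is enabled in the repository settings, and it waits for whatever branch protection requires. Second, the `git push` above uses `GITHUB_TOKEN`, and GitHub deliberately does not start new workflow runs for pushes made with that token (to prevent loops); so once required status checks are enabled, the changelog commit becomes a PR head with no `build` run and the merge never completes, which is the situation the May 2025 message at the top of this page describes. Pushing that commit with a GitHub App installation token, or making the changelog edit inside the `build` job before `verify` so the checked commit already contains it, avoids that.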
One other thing. We have gotten in the habit of creating an “umbrella” Jira
issue to capture dependency changes within a release. We need to ensure
whatever is committed by Dependabot is also captured.
Ralph
> On Dec 2, 2022, at 10:05 AM, Matt Sicker wrote:
>
> This definitely look
ugin`), I am
> overhauling the `log4j-tools` project. I have done something, if I may say,
> A-W-E-S-O-M-E, which I would like to repeat for Log4j too at some point:
> https://github.com/apache/logging-log4j-tools/pull/5
>
> What is exactly happening in this PR? dependabot creates
happening in this PR? dependabot creates a PR for a
dependency update, CI executes the tests, tests succeed, CI merges the PR,
and publishes the built SNAPSHOT artifact. No more manual dependency
updates!
Seems like that fixed the issue. Carry on, Dependabot!
—
Matt Sicker
> On Sep 25, 2022, at 11:12, Matt Sicker wrote:
>
> I tried disabling Jira propagation before via that file, though it still
> seems to be enabled. We have talked a little before about migrating to GitHub
>
Alright, I found the setting related to this and disabled it. Hopefully this
will address most of the Dependabot noise and make the tool useful again!
—
Matt Sicker
> On Sep 23, 2022, at 18:46, Matt Sicker wrote:
>
> After secretary emails, emails related to Dependabot are the next mo
Just filed https://issues.apache.org/jira/browse/INFRA-23722
—
Matt Sicker
> On Sep 25, 2022, at 11:12, Matt Sicker wrote:
>
> I tried disabling Jira propagation before via that file, though it still
> seems to be enabled. We have talked a little before about migrating to GitHub
> Issues, th
I tried disabling Jira propagation before via that file, though it still seems
to be enabled. We have talked a little before about migrating to GitHub Issues,
though nothing concrete yet. Guess I’ll file an Infra ticket about the issue.
—
Matt Sicker
> On Sep 25, 2022, at 04:16, Vladimir Sitnik
Alternative options could be:
a) Divert GitBox notifications to a separate mailing list (e.g.
issues-gitbox@) which no one really subscribes.
The key issue with GitBox notifications is that it produces messages that
do not group by subject,
so 5 notifications on a single PR might look like 5 diffe
What filters did you set up? That might be a sufficient fix.
—
Matt Sicker
> On Sep 25, 2022, at 00:05, Ralph Goers wrote:
>
> Dependabot really doesn’t need to generate ANY emails. Every time it commits
> something to Github, including creating PRs, we already will get an email
Dependabot really doesn’t need to generate ANY emails. Every time it commits
something to Github, including creating PRs, we already will get an email for
that.
So the dependabot emails are just annoying noise. That is why I configured my
email server to discard them all last week.
Now
where one is
sufficient.
—
Matt Sicker
> On Sep 24, 2022, at 01:23, Gary Gregory wrote:
>
> Maybe this discussion should take place in a Dependabot ticket? We can't
> change it here ;-)
>
> Gary
>
>> On Fri, Sep 23, 2022, 22:39 Matt Sicker wrote:
>>
>
Maybe this discussion should take place in a Dependabot ticket? We can't
change it here ;-)
Gary
On Fri, Sep 23, 2022, 22:39 Matt Sicker wrote:
> The messenger only needs one email per update. I’m getting several for
> each one. I can’t even tell if humans are contributing anyth
Have you ever heard the expression "Don't shoot the messenger"? ;-)
Dependabot is a great tool IMO.
I think someone had proposed a different email address for bot emails, but
that obviously did not happen. Then there is the classic "inbox rules" reply.
Whomever wants t
I haven't tried it, but if you go to your settings for Github you can
set dependabot to not notify you.
That doesn't affect the notifications@ list of course.
-Robert Middleton
On Fri, Sep 23, 2022 at 7:47 PM Matt Sicker wrote:
>
> After secretary emails, emails related to De
After secretary emails, emails related to Dependabot are the next most common
message in my mailbox. I’ve already had to clear out several gigs of emails,
and these Dependabot rebases and relentless updates are making it impossible to
follow anything on the mailing lists anymore.
Proposal: all
>
> On Mon, 27 Jun 2022 at 20:27, Ralph Goers wrote:
>> I ran mvn site and now the pdf plugin is failing. It seems no-one validated
>> that the build worked after the plugin was updated.
>
> That seems to be an old commit. Since then Volkan added a "Maven site&quo
t is run on each dependabot branch. E.g. this PR fails
now: https://github.com/apache/logging-log4j2/pull/840
Piotr
I reverted the plugin back to 1.2 and the site build works again.
Ralph
> On Jun 27, 2022, at 11:31 AM, Matt Sicker wrote:
>
> It’s why I don’t merge dependency updates for reporter plugins unless I can
> verify it still works. Some of these reporter plugins are tricky to configure
> properly
It’s why I don’t merge dependency updates for reporter plugins unless I can
verify it still works. Some of these reporter plugins are tricky to configure
properly.
—
Matt Sicker
> On Jun 27, 2022, at 13:27, Ralph Goers wrote:
>
> I ran mvn site and now the pdf plugin is failing. It seems no-
I ran mvn site and now the pdf plugin is failing. It seems no-one validated
that the build worked after the plugin was updated.
Ralph
We’d stop getting commit notifications for all the commits it makes in its own
branches. This is especially annoying when rebasing these PRs as they end up
pinging Jira tickets in the history, too.
—
Matt Sicker
> On May 30, 2022, at 03:23, Volkan Yazıcı wrote:
>
> Matt, mind elaborating a b
Matt, mind elaborating a bit on what exactly is the problem and how will a
fork fix that?
On Sat, May 28, 2022 at 2:27 AM Matt Sicker wrote:
> The fact that the bot uses branches in our repo rather than a fork of
> the repo causes a shitload of bot spam.
>
The fact that the bot uses branches in our repo rather than a fork of
the repo causes a shitload of bot spam.
Hi all,
Just FYI, I unsubscribed from GitHub updates for apache/logging-log4j2, I don’t
have bandwidth for the many notifications.
(Trying to reduce notifications from my life... 😅)
Probably best to @-mention me if there’s anything anyone wants some to look at.
Still subscribed to dev list and
If you are going to apply the PRs dependabot generates then you need to make
sure the appropriate checks are done. Dependabot upgraded the maven checkstyle
plugin. This plugin is used in the mvn site build, but I believe our builds
don’t normally run that so it looked like everything was ok
work with a newer version either. But I
am just not comfortable telling a user a) try it and see or b) we only support
the versions included in the release.
Ralph
> On Sep 17, 2020, at 9:24 PM, Matt Sicker wrote:
>
> I’ll say that we also use Dependabot and some custom bot at
I’ll say that we also use Dependabot and some custom bot at work for
dependency updates, and I’m one of the evangelists, but it’s to ensure that
things get security updates which would otherwise clog up the resources of
the limited number of engineers working on security in the first place. I
On Thu, Sep 17, 2020 at 8:49 PM Ralph Goers
wrote:
> I very much like all the emails due to dependabot. Furthermore, if it is
> going to create 25 PRs then it also needs to create Jira issues and include
> updates to changes.xml, otherwise it just creates a lot of work.
> Further
changes. I wouldn’t want to be too prescriptive because there are
always counter-examples.
At work we’ve used a custom robot similar to dependabot to constantly keep
dependencies up to date. This has worked well for us, but we require semver
compatibility to avoid friction when upgrades are taken
Thu, Sep 17, 2020 at 19:49 Ralph Goers
wrote:
> I very much like all the emails due to dependabot. Furthermore, if it is
> going to create 25 PRs then it also needs to create Jira issues and include
> updates to changes.xml, otherwise it just creates a lot of work.
> Furthermore, I hav
I very much like all the emails due to dependabot. Furthermore, if it is going
to create 25 PRs then it also needs to create Jira issues and include updates
to changes.xml, otherwise it just creates a lot of work. Furthermore, I have
never been in favor of updating dependencies versions without
Is this email supposed to be HTML? How can we enable that on the
notifications mailing list? We can get nice HTML reports from Jenkins and
GitHub Actions, too.
On Sun, Aug 23, 2020 at 23:02 GitBox wrote:
>
>
> dependabot[bot] opened a new pull request #406:
>
> URL: https://gi
To answer your earlier question, Ralph, it appears that Dependabot is
properly integrated with ASF infrastructure. Now to see what happens.
On Wed, 29 Jul 2020 at 14:29, wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> github-bot pushed a chan
to ship a release isn't a
great solution either.
-ck
On Thu, Jul 2, 2020, at 08:30, Gary Gregory wrote:
> That's fine with me. You will want to update changes.xml to track changes.
>
> Gary
>
> On Thu, Jul 2, 2020, 04:10 Volkan Yazıcı wrote:
>
> > Hello,
> >
That's fine with me. You will want to update changes.xml to track changes.
Gary
On Thu, Jul 2, 2020, 04:10 Volkan Yazıcı wrote:
> Hello,
>
> 1. I will approve GitHub dependabot PRs that pass the CI tests.
> 2. I will (blindly?) cherry-pick them onto release-2.x.
>
Hello,
1. I will approve GitHub dependabot PRs that pass the CI tests.
2. I will (blindly?) cherry-pick them onto release-2.x.
Objections?
Kind regards.
Merged.
On Tue, Jun 30, 2020 at 9:31 PM Volkan Yazıcı wrote:
>
> Hello,
>
> #368[1] requests to add dependabot support. I am inclined to merge it.
> Any objections?
>
> Kind regards.
>
> [1] https://github.com/apache/logging-log4j2/pull/368
I've been using that for a few repositories. Definitely handy.
On Tue, 30 Jun 2020 at 14:45, Gary Gregory wrote:
>
> Fine with me.
>
> Gary
>
> On Tue, Jun 30, 2020, 15:31 Volkan Yazıcı wrote:
>
> > Hello,
> >
> > #368[1] requests to add dependabot
Fine with me.
Gary
On Tue, Jun 30, 2020, 15:31 Volkan Yazıcı wrote:
> Hello,
>
> #368[1] requests to add dependabot support. I am inclined to merge it.
> Any objections?
>
> Kind regards.
>
> [1] https://github.com/apache/logging-log4j2/pull/368
>
Hello,
#368[1] requests to add dependabot support. I am inclined to merge it.
Any objections?
Kind regards.
[1] https://github.com/apache/logging-log4j2/pull/368
>>> used for
>>>>>> the release that specifies the minimum supported version (typically
>>> this
>>>>>> would be expressed as a version range).
>>>>>>
>>>>>> I’m also concerned because some dependencies upgrade th
e. That happened with the
> Flume
> > 1.8
> > > >> release. So we cannot upgrade to that version in the release-2.x
> > branch,
> > > >> although our users can if they want to. We also ran into a problem
> > with
> > > >> SLF4J. The l
th
> > >> SLF4J. The latest release dropped a class that we use. We have
> modified the
> > >> code to support the latest releases but we require the last release
> that
> > >> had the class to compile.
> > >>
> > >> Also, our process has always
> >> had the class to compile.
> >>
> >> Also, our process has always been to create a Jira for everything,
> >> including updating dependency versions, and including them in changes.xml.
> >> It looks like this tool doesn’t do either of these things.
> Ralph
>
> > On Mar 25, 2019, at 9:24 AM, Matt Sicker wrote:
> >
> > Hi all,
> >
> > Various Jenkins projects have been using Dependabot [1] to
> > automatically make PRs to update dependencies. We could use this for
> > most of our components it looks like. What do you think about adopting
> > use of this bot?
> >
> > [1]: https://dependabot.com/
> >
> > --
> > Matt Sicker
> >
>
>
Hi all,
Various Jenkins projects have been using Dependabot [1] to
automatically make PRs to update dependencies. We could use this for
most of our components it looks like. What do you think about adopting
use of this bot?
[1]: https://dependabot.com/
--
Matt Sicker