Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add automatic dependency updater #3516

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

add automatic dependency updater #3516

wants to merge 1 commit into from
+35 −0

Conversation

anonrig
Copy link
Member

@anonrig anonrig commented Feb 11, 2025

Let's roll our own dependency updater

@anonrig anonrig requested a review from danlapid February 11, 2025 15:06
@anonrig anonrig requested review from a team as code owners February 11, 2025 15:06
@anonrig anonrig requested review from dom96 and fhanau February 11, 2025 15:06
@anonrig anonrig force-pushed the yagiz/add-dep-updater branch from 4c5107f to 37a781e Compare February 11, 2025 15:07
danlapid
danlapid reviewed Feb 11, 2025
View reviewed changes
.github/workflows/deps-updater.yml
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Update dependencies
run: build/deps/update-deps.py
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hard to understand how that works but I would love to see separate PRs for each dependency, would be easier to deconflict.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically this will run the shell script, if there are any tracking changes, the next workflow step will execute and it will open a pull-request.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would love to see separate PRs for each dependency

This might be hard to implement since we might have to deduplicate the dependency list in this workflow file as well (to use in matrix)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use dependabot instead?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAICT Dependabot doesn't execute custom scripts (build/deps/update-deps.py). We can use dependabot for package.json, but not for our update-deps related dependencies. I'll open another PR for adding dependabot for package.json

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've gotten dependabot PRs before, I think it's already set up in some capacity.

fhanau
fhanau reviewed Feb 11, 2025
View reviewed changes
.github/workflows/deps-updater.yml
contents: write
pull-requests: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Copy link
Collaborator

@fhanau fhanau Feb 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use tag @v4, which generally results in using the latest patch release in the 4.x series, as we currently do with various actions in the other workflows. (There are some concerns about specifying a tag as malicious actors could change the tag to point to a different commit as a supply chain attack but this is unlikely with a repo owned by GitHub itself.)

dom96
dom96 approved these changes Feb 17, 2025
View reviewed changes
Copy link
Collaborator

@dom96 dom96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since it seems we cannot use dependabot for this, this looks good to me.

@danlapid
Copy link
Collaborator

Since it seems we cannot use dependabot for this, this looks good to me.

I've checked it out and it seems like we could with not too much work.

Renovate supports a dep updater called "asdf" that updater also supports custom plugins that need to output certain primitives such as list-deps list-dep-versions update-dep

We could easily make our updater script emit those outputs and write a plugin and use that with renovate.

The nice upside is we have full control over our deps logic while still enjoying renovate in both internal and external repos.

While not too difficult that's admittedly still a little project and we'll need to find some time to do that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fhanau fhanau fhanau left review comments

@danlapid danlapid danlapid left review comments

@dom96 dom96 dom96 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@anonrig @danlapid @dom96 @fhanau