Dependency update workflow discussion #640

Open
morremeyer opened this issue May 12, 2023 · 3 comments

@morremeyer
Contributor

morremeyer commented May 12, 2023

Edit 2023-05-12 8:37 UTC: Added section for automatic releasing

As discussed in #619 (comment), this issue serves to discuss the dependency update workflows for this project.

There are two things that need regular updating:

  • Project dependencies
  • bank2ynab

project dependencies

The project currently has both dependabot and renovate configured for dependency updates. I propose the following config going forward:

  • Enable dependabot alerts and configure Dismiss low impact alerts
  • Disable dependabot dependency updates

While there are some transitive dependencies in the package.lock file that dependabot will update while renovate currently does not update them, renovate will still update the package.lock file with updates for direct dependencies, so it will also upgrade to transitive dependencies as needed.

If there are transitive dependencies with security issues, dependabot's security alerts will catch them so that an update can be done manually.

For the renovate configuration in general, I think getting more things to be able to auto-update would be great. Mainly, building more tests. I can contribute them where I see things pop up. I am a big proponent of automating the pain away on my personal projects with the goal of auto-approving and auto-merging all non-major updates where possible. I can bring as much or as little of that spirit into here as you'd like to have, @leolabs 😁

bank2ynab

To update bank2ynab, we could update the bank2ynab script to point to a specific commit and implement a renovate configuration with the git-ref datasource, that updates that specific commit.

On changes to the script, we can then trigger a workflow that executes it and commits the changes to a PR. Ultimately, with tests that are deemed good enough, renovate could be configured to auto-merge these updates so that keeping bank2ynab up to date will become a zero effort thing.

You can check out a helm chart repository that I co-maintain for an example workflow that does a similar thing for a Kubernetes controller.

automatic releasing

This is something that I quite like, especially in combination with renovate. With proper configuration, in my opinion, automatic releasing makes it an easy process to release new fixes and features to users.

For that, I'd look into:

  • Make all dependency updates as a chore-scope commit
  • Automatically release on feat- and fix- scope commits

I suspect that this should be rather easy to automate with lerna already in place.

@leolabs
Owner

leolabs commented May 12, 2023

Thanks for the elaborate plans, @morremeyer!

I've just set up the Dependabot settings like you described, that all sounded good to me!

The bank2ynab idea sounds great as well! We'd just have to make sure these updates don't break anything, especially when combined with automatic releasing, but with enough tests that should be doable. Would you be up for making a PR for this?

Thanks again!

@morremeyer
Contributor Author

Yes, I'll work on it when I get to it.

@morremeyer
Contributor Author

Reminder to myself: re-read https://docs.renovatebot.com/noise-reduction for an update on the current state
