update PRs for java dependencies #14490
Comments
github-project-automation
bot
moved this to Open
in OpenSearch Lucene & Core Performance Tracking
|
I'm not actively working this yet, it is just for discussion. But if we can coerce the thing to work well with our project, I think it is beneficial. Better to have a failing PR, well-formatted, with release notes info, etc, to upgrade a dependency, than no PR at all? And managing completely manually? I do think it would be a little tricky to configure all the automation necessary to create "passing by default" PRs, that dont require additional commits by developers, to be merged. It is more than just regenerating lockfile and licenses/shas, it is also regenerate tasks! |
|
I think the "gradle convention" is to keep libs.version.toml under gradle/ and I think it's what dependabot understands - and I personally hate this, without any specific objective reason... Moving it is easy but, to me, it hides the source of dependencies from its prominent top-level location. See this commit: dweiss@8b99dab If you feel it's ok, feel free to cherry pick it to main. |
|
@dweiss mainly I am curious if we can see the new dependencies under https://github.com/apache/lucene/network/dependencies I don't know how to test this (i think it only evals default branch). But as you can see, several capabilities such as security alerts, SBOM generation, etc would all suddenly work. Separately we can configure the dependabot for that ecosystem, if we can get it to be recognized. Not sure where the file has to be for that, maybe the root is ok? |
|
Let me take a look on my fork. |
|
Thanks for hacking at this one, I appreciate it! |
|
Can't see the dependencies in gradle ecosystem here, perhaps yet: The location of the libs.gradle.toml is I think fixed to gradle/, regardless of the directory setting. |
|
I don't think the dependency graph supports gradle out of the box - they recommend using an action and submitting the graph from there. Looks like this: https://github.com/dweiss/lucene/network/dependencies?q=ecosystem%3AMaven |
|
The documentation for dependency submission action is here: it is verbose. I'm not sure we need to use this though - maybe just the dependabot scan is enough? |
|
Ok, so I think that:
Do we want to start by moving the catalog and adding dependabot first? |
|
Here is why I think adding dependency graph will require some filtering - these reports very likely originate from gradle plugins somewhere. It's hard to even track them down: |
|
Is the catalog treated separately than the ordinary java library deps (e.g. commons-whatever)? Ideally we bring all the deps into automation, but for this issue I figured the java library deps would be more than plenty of a challenge! |
for me that is an HTTP-404 unfortunately. |
|
I see your point: I see it from your fork at the expected place that requires no special permissions: https://github.com/dweiss/lucene/network/dependencies?q=ecosystem%3AMaven I dont know what this "Github Dependency Graph Gradle Plugin" is doing at all. Maybe need to look more into the dependabot-core to see what it is doing. I thought I had the filenames correct. Seems to me, this one is dragging in transitives as directs. |
|
and just my high-level suggestion: we don't want to be in that business whatsoever (managing transitive dependencies with explicit versions), or it is a bad place for update automation. this is the package manager's job to find you the one that meets all constraints. best to just manage the top-level direct dependencies with PRs. and regenerate lockfiles with these PRs. |
I think it's computing a dependency graph inside gradle, then submitting it to github via their API. This is kind of what we do in versions.lock but we restrict the configurations involved. It's too complicated to me. I think just the dependabot section + moving the catalog will be sufficient to get update PRs. It's simpler and should work as a start. |
|
This is I think the least invasive change: |
…ncies (#14495) * Move version catalog to gradle/libs.versions.toml. #14490 * Add dependabot for gradle deps. * Trying again. * Submit gradle dependencies using submission api. * Revert "Submit gradle dependencies using submission api." This reverts commit e529334. * Update .github/dependabot.yml Co-authored-by: Robert Muir <rcmuir@gmail.com> --------- Co-authored-by: Robert Muir <rcmuir@gmail.com>
|
I've merged this on main. Let's see what happens. |
…ncies (apache#14495) * Move version catalog to gradle/libs.versions.toml. apache#14490 * Add dependabot for gradle deps. * Trying again. * Submit gradle dependencies using submission api. * Revert "Submit gradle dependencies using submission api." This reverts commit e529334. * Update .github/dependabot.yml Co-authored-by: Robert Muir <rcmuir@gmail.com> --------- Co-authored-by: Robert Muir <rcmuir@gmail.com>
Description
I added dependabot.yml in #14462
Currently it sends us pull requests for:
dev-tools/But nothing yet for java dependencies. I think it might be enough to rename
versions.tomltolibs.versions.tomlto get (build-failing) pull requests? From the docs I have read, the filename is not configurable.If the filename is not so important, it would be nice to rename it, just so that github "understands" our dependency tree and allows for features around that (such as security ones).
In order to make PRs nice, where they stand a chance to pass, it would be more work. Seems the recommended way is to integrate with actions in order to run the "post upgrade commands" and issue a commit with them. (#14506
Alternatively we could do renovatebot, but we don't have many dependencies and our needs are simple, so it would be cool if we could have dependabot fully working for us.
The text was updated successfully, but these errors were encountered: