Update dependabot to use flutter pub get properly
#1643
Comments
|
@literalEval Btw if dependabot is too much of a problem, there's an alternative too, it's called renovate. It's has much more features I've heard. But dependabot integrated into github so using it is easy. |
|
@xoldyckk yeah that is the point. Dependabot comes prebuilt so our initial idea is to work it out. If it can not be made to work anyhow, then maybe we will think of other solutions. |
Renovate is more advanced I've heard, provides much more insights into changes, and it's more failproof. Check out this video to know more https://youtu.be/kW2yY4kSZhQ |
|
@xoldyckk I discussed with @palisadoes to remove dependabot and use some alternative. But he insisted on making dependabot work somehow. Maybe he had something in mind. |
Probably the ease of integration with github. |
|
|
Point 3 is great. Sure we can look into renovate. |
|
@palisadoes Sir, I'd like to get assigned to this issue. |
|
@literalEval Just wanted to let you know that the configuration for dependabot.yml for this repo was set up by me. I followed the official docs on it, but more atomic improvements could be made to the configuration according to your requirements. I just followed the most generic guide, because I'm not at all familiar with dart and flutter. |
|
@xoldyckk Dependabot was not working even after enforcing the flutter version.
I tried
I think we can implement this for now until the dependabot issues is fixed. As it only updates the |
|
@SiddheshKukade this is not a complete solution as the lock file must be updated with each update in pubpsec.yaml. |
|
Yes, it's not but currently the And also from the code of dependabot repo it should check the versions from the using |
|
I think we should go with Renovate. |
|
I don't have any knowledge about these automatic dependency managers, most of the times they'd work without needing much manual configuration. Mostly it needs to abide by the lock file so that it doesn't accidently update something which can break the system(though that itself depends on whether the packages used in the project themselves are following semantic versioning and stuff). I can't answer technical questions related to pub package manager ,its lock file and how dependabot works with it. I've never used dart/flutter. Though I've read the dart/flutter dependency management was recently made available with dependabot. So, there are bound to be problems with it I guess cuz it's just released a few months back. But yeah I've heard great things about renovate and most big organizations and projects on github I've seen use renovate instead of dependabot for this stuff. |
|
@SiddheshKukade We need a workable solution and the GitHub default isn't it. Please investigate the alternative. I don't want the mobile app to fall behind in updates |
@xoldyckk I was also thinking the same. 👍🏻
@palisadoes, Sure I'll let you know. |
|
Some updates from the dependabot/dependabot-core maintainers.
I think we should now wait to see @depedabot's further PRs in talawa to see if the issue got fixed or not. |
|
Sounds good to me. |
|
Will this be backward compatible with older versions of Dart? For example, the user could have the option of specifying the preferred version in YAML. A possibly better approach would be to auto detect the version of code. Is my question relevant in this context? |
|
@palisadoes everyone has the latest migrated version of Talawa codebase, so backward compatibility should not be a problem. Am I correct @SiddheshKukade ? |
Yes they've added backward compatibility in here with an
Yes |
@literalEval Yes, In the context of talawa app everyone uses the common version. Otherwise it won't work. |
|
@palisadoes Sir, can I work on other issues in the meantime until dependabot/dependabot-core#6454 gets merged? |
|
Will this be backward compatible with older versions of Dart? For example, the user could have the option of specifying the preferred version in YAML. A possibly better approach would be to auto detect the version of code. OK |
OK. Reference this issue in case you don't get assigned |
|
This issue did not get any activity in the past 10 days and will be closed in 365 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue. |
|
@SiddheshKukade what is the progress on this ? Why do we still need to manually bump package versions ? |
|
@literalEval the PR that fixes this is still not merged from Jan on the main dependabot repo. |
|
Hmm. That's sad. Can we do anything to get it merged ? |
|
dependabot/dependabot-core#6929 (comment) They merged this. It looks like it's fixed and just waiting to be pushed to the GitHub workflow |
|
dependabot/dependabot-core#6929 (comment) It's live. We can close this. |
Describe the bug
After our migration to Flutter 3.7.3, the new
pub getcommand addssha256hash of each plugin topubspec.lock. The problem is thatdependabotsomehow does not generate these hashes (this might mean that it is using an old version of flutter sdk ?), changingpubspec.lockentirely.This has some issues as
pubspec.lockas their version of the file hassha256hashes while thedependabotversion has not.pubspec.lockagain, which is not good because they will need to work with files they are not supposed to work with.pubspec.lock, then that's again an issue because then theflutter pub getin our workflow (which uses latest version of flutter) will complain aboutpubspec.lockbeing not in the format it expects.To fix
Find out the internals of
dependabotand which version ofDart SDKit uses and upgrade it to use the latest version.Important Links
The text was updated successfully, but these errors were encountered: