[JSPWIKI-1135] - Add dependabot config file #15

Merged (1 commit), Dec 23, 2020
31 changes: 31 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,31 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

version: 2
updates:
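Review bot: the hunk as rendered stops at `updates:`, so the `package-ecosystem: "maven"` entry and the four `ignore` rules agreed in the thread are not visible here and cannot be checked against the committed file. Two things to confirm in the full file: `ignore` must sit at the same indentation as `schedule` (one level deeper makes it a key of `schedule`, which is not a valid schedule key), and each Maven range such as `[3.2.0,)` must be quoted, because unquoted YAML reads the leading `[` as the start of a flow sequence and splits the range at the comma into `3.2.0` and `)`.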

Contributor

Hi @arturobernalg, thanks for the PR! A couple of questions / comments:

  • would you mind including some exclusions for the servlet-api, jsp-api and tomcat required dependencies? More precisely, it would be great if we could get notified about patch releases of those dependencies, but not about minor or major ones
  • how does dependabot behave with versions not following semantic versioning? For instance, slf4j should stay on 1.7.30 and not be upgraded to the latest 2.0.0-alpha1.

thanks + br,
juan pablo

Member Author

mmmm
no clue. I'm gonna check if we can configure the bot to achieve what you're asking.

Contributor

Hi,

according to the dependabot documentation, version ranges can be excluded, so the file should have at least the following exclusions:

  • javax.servlet:javax.servlet-api should exclude the range [3.2.0,)
  • javax.servlet.jsp:javax.servlet.jsp-api should exclude the range [2.4.0,)
  • org.apache.tomcat:* should exclude the range [10.0.0,)
    • we use only a couple of embed dependencies on the portable module, but using a wildcard seems safer in the long run
  • org.slf4j:* should exclude the range [1.8.0-beta1,2.0.0)
    • the range comes from a bit of a search on central + checking version ordering (cfr. the last section of the article)
  • last, according to the documentation, the Dockerfile could/would also be checked for newer versions. In this case, I think it would be safe to just ignore it.

best regards,
juan pablo

Member Author (@arturobernalg, Dec 20, 2020)

Yep. Working on it.

c197a2f

change to draft

Thanks JP,

Member Author (@arturobernalg, Dec 22, 2020)

Hi @juanpablo-santos

At the moment things are as follows:

version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # Maven ranges are quoted so YAML keeps each one as a single string
      - dependency-name: javax.servlet:javax.servlet-api
        versions: ["[3.2.0,)"]
      - dependency-name: javax.servlet.jsp:javax.servlet.jsp-api
        versions: ["[2.4.0,)"]
      - dependency-name: org.apache.tomcat:*
        versions: ["[10.0.0,)"]
      - dependency-name: org.slf4j:*
        versions: ["[1.8.0-beta1,2.0.0)"]

Member Author

Hi @juanpablo-santos JP. No idea how to ignore the Dockerfile.

Contributor (@juanpablo-santos, Dec 23, 2020)

Just not specifying a docker package-ecosystem section should be enough. What I meant in my previous comment is that we could also check for it, but it is not necessary, as the Dockerfile is currently fixed to Apache Tomcat 9.0 versions.

As for the ignored dependencies/versions, they should go under the maven package ecosystem; the github-actions one should be deleted, as we're not currently using them. Somehow I missed this in the initial review..

thx,
juan pablo

Member Author

mmmm.. so.... do I have to do anything else?

Contributor

Remove the github-actions section and place the exclusions under the maven package-ecosystem one. Also, in this case, and if possible, squash the commits into one, so the commit history gets clearer, and we don't lose the commit authorship.

best regards,
juan pablo

Member Author

Done and squashed:

version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # Maven ranges are quoted so YAML keeps each one as a single string
      - dependency-name: javax.servlet:javax.servlet-api
        versions: ["[3.2.0,)"]
      - dependency-name: javax.servlet.jsp:javax.servlet.jsp-api
        versions: ["[2.4.0,)"]
      - dependency-name: org.apache.tomcat:*
        versions: ["[10.0.0,)"]
      - dependency-name: org.slf4j:*
        versions: ["[1.8.0-beta1,2.0.0)"]
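The following Python script is an added example, not code from the JSPWiki project or from anyone in this thread. It takes the four ignore ranges juan pablo listed and the final maven-only layout agreed above, lints the structure (ignore at the update level rather than under schedule, each Maven range a single quoted string) and evaluates the ranges against constructed sample versions, using a reduced form of Maven's ComparableVersion ordering. CONFIG is the dict PyYAML would load from the final file with the ranges quoted; the dependency names and versions used for checking are assumptions chosen to exercise the rules. It also makes two edge cases of the agreed ranges visible: 2.0.0 final lies outside [1.8.0-beta1,2.0.0) because `)` excludes the upper bound, and a Tomcat milestone such as 10.0.0-M10 orders below 10.0.0 in Maven's scheme and so is not covered by [10.0.0,).

```python
"""Lint a Dependabot v2 config and evaluate its Maven ignore ranges.

Added example, not JSPWiki project code: CONFIG is the structure PyYAML would
load from the agreed dependabot.yml, with each Maven range quoted so YAML keeps
it as one string. Ordering is a reduced form of Maven's ComparableVersion rules.
"""
import re

# Constructed: the agreed config as a loaded YAML document.
CONFIG = {"version": 2, "updates": [{
    "package-ecosystem": "maven", "directory": "/", "schedule": {"interval": "daily"},
    "ignore": [
        {"dependency-name": "javax.servlet:javax.servlet-api", "versions": ["[3.2.0,)"]},
        {"dependency-name": "javax.servlet.jsp:javax.servlet.jsp-api", "versions": ["[2.4.0,)"]},
        {"dependency-name": "org.apache.tomcat:*", "versions": ["[10.0.0,)"]},
        {"dependency-name": "org.slf4j:*", "versions": ["[1.8.0-beta1,2.0.0)"]},
    ]}]}

# Maven qualifier order: alpha < beta < milestone < rc < snapshot < release (6) < sp.
_RANK = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3, "rc": 4, "cr": 4,
         "snapshot": 5, "": 6, "ga": 6, "final": 6, "release": 6, "sp": 7}


def _tokens(version):
    """'1.8.0-beta1' -> [1, 8, 0, 'beta', 1]; separators and case are irrelevant."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-z]+", version.lower())]


def _cmp_item(a, b):
    """Compare two tokens; None means 'no further part', i.e. a plain release."""
    if a is None and b is None:
        return 0
    if a is None:
        return -_cmp_item(b, None)
    if b is None:
        if isinstance(a, int):
            return 0 if a == 0 else 1                 # 1.0 == 1, 1.1 > 1
        rank = _RANK.get(a, 8)
        return (rank > 6) - (rank < 6)                # 1-beta < 1, 1-sp > 1
    if isinstance(a, int) and isinstance(b, int):
        return (a > b) - (a < b)
    if isinstance(a, int) or isinstance(b, int):
        return 1 if isinstance(a, int) else -1       # numbers outrank qualifiers
    ra, rb = _RANK.get(a, 8), _RANK.get(b, 8)
    return (ra > rb) - (ra < rb) or (a > b) - (a < b)  # unknown qualifiers: lexical


def compare_versions(x, y):
    """Return -1, 0 or 1 (C-style comparator) under Maven ordering."""
    tx, ty = _tokens(x), _tokens(y)
    for i in range(max(len(tx), len(ty))):
        c = _cmp_item(tx[i] if i < len(tx) else None, ty[i] if i < len(ty) else None)
        if c:
            return c
    return 0


def in_range(version, spec):
    """True if version lies in a Maven range such as '[1.8.0-beta1,2.0.0)' or '[3.2.0,)'."""
    m = re.fullmatch(r"([\[(])\s*([^,\[\]()]*)\s*,\s*([^,\[\]()]*)\s*([\])])", spec)
    if not m:
        raise ValueError(f"not a Maven version range: {spec!r}")
    lo_incl, lo, hi, hi_incl = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and not lo_incl):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not hi_incl):
            return False
    return True


def _name_matches(pattern, name):
    """Dependabot-style match: '*' in dependency-name stands for any characters."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), name) is not None


def ignored(config, dependency, version):
    """Would this Maven dependency version be skipped by the config's ignore rules?"""
    for entry in config.get("updates", []):
        if entry.get("package-ecosystem") != "maven":
            continue
        for rule in entry.get("ignore", []):
            if _name_matches(rule["dependency-name"], dependency):
                if any(in_range(version, spec) for spec in rule.get("versions", [])):
                    return True
    return False


def lint(config):
    """Return structural problems; an empty list means the config looks sound."""
    problems = []
    if config.get("version") != 2:
        problems.append("version must be 2")
    for entry in config.get("updates", []):
        eco = entry.get("package-ecosystem", "?")
        schedule = entry.get("schedule", {})
        if "interval" not in schedule:
            problems.append(f"{eco}: schedule.interval is required")
        if "ignore" in schedule:
            problems.append(f"{eco}: 'ignore' is nested under 'schedule'; it belongs at the update level")
        for rule in entry.get("ignore", []):
            name = rule.get("dependency-name", "?")
            for spec in rule.get("versions", []):
                try:
                    if eco == "maven":
                        in_range("0", spec)   # parse check only
                except (ValueError, TypeError) as err:
                    problems.append(f"{eco}/{name}: bad range {spec!r} ({err})")
    return problems
```

Running `lint` on a config whose ranges were left unquoted reports two "bad range" entries per rule (`'3.2.0'` and `')'`), which is what PyYAML produces from `[3.2.0,)`; running `ignored` for `org.slf4j:slf4j-api` shows 1.7.30 and 2.0.0 both proposed while 1.8.0-beta4 and 2.0.0-alpha1 are skipped.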

Expand Up @@ -81,7 +81,7 @@ public class Group {
* Protected constructor to prevent direct instantiation except by other
* package members. Callers should use
* {@link GroupManager#parseGroup(String, String, boolean)} or
* {@link GroupManager#parseGroup(org.apache.wiki.WikiContext, boolean)}.
* {@link GroupManager#parseGroup(org.apache.wiki.api.core.Context, boolean)}.
* instead.
* @param name the name of the group
* @param wiki the wiki the group belongs to
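Review bot: the updated `{@link GroupManager#parseGroup(org.apache.wiki.api.core.Context, boolean)}.` still ends with a period and is followed by `* instead.`, so the sentence reads `... boolean)}. instead.`; drop the period after the closing brace while the line is being touched.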
Expand Up @@ -32,7 +32,7 @@ Licensed to the Apache Software Foundation (ASF) under one

/**
* Handles logins made from inside the wiki application, rather than via the web container. This handler is instantiated in
* {@link org.apache.wiki.auth.AuthenticationManager#login(org.apache.wiki.WikiSession,HttpServletRequest, String, String)}.
* {@link org.apache.wiki.auth.AuthenticationManager#login(org.apache.wiki.api.core.Session,HttpServletRequest, String, String)}.
* If container-managed authentication is used, the {@link WebContainerCallbackHandler}is used instead. This callback handler is
* designed to be used with {@link UserDatabaseLoginModule}.
*
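Review bot: `#login(org.apache.wiki.api.core.Session,HttpServletRequest, String, String)` is missing the space after the first comma; since the line is being rewritten anyway, make it `Session, HttpServletRequest` to match the other parameters.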
Expand Up @@ -454,7 +454,7 @@ else if ( action.equalsIgnoreCase( DELETE_ACTION ) )
* </table>
* <p>
* Note that JSPWiki&#8217;s access control checks are made inside of
* {@link org.apache.wiki.auth.AuthorizationManager#checkPermission(org.apache.wiki.WikiSession, Permission)},
* {@link org.apache.wiki.auth.AuthorizationManager#checkPermission(org.apache.wiki.api.core.Session, Permission)},
* which performs a <code>Subject.doAs()</code> call. Thus, this
* Permission functions exactly the way it should during normal
* operations.
Expand Up @@ -228,7 +228,6 @@ public int doWikiStartTag()
*
* @param sb : stringbuilder to write output to
* @param page : start of page block
* @param onclick : link text
*
**/
private void appendLink(final StringBuilder sb, final int page, final String fmttextkey )
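Review bot: removing the stale `@param onclick` line leaves the third parameter `fmttextkey` of `appendLink(final StringBuilder sb, final int page, final String fmttextkey )` without a `@param`; rather than deleting the line, rename it to document `fmttextkey` (the name suggests a resource key for the link text, but the hunk does not show its use, so check before writing the description).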
Expand Up @@ -89,7 +89,7 @@ protected Element containerForModuleDetail( final Element root ) {
}

/**
* Obtains the collection of modules which is going to be inspected at {@link #doGet(WikiContext)}.
* Obtains the collection of modules which is going to be inspected at {@link #doGet(Context)}.
*
* @return a collection of {@link WikiModuleInfo}
*/
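Review bot: `{@link #doGet(Context)}` uses the simple name `Context` where the other hunks in this change spell out `org.apache.wiki.api.core.Context`; the link only resolves if this file imports that class, so verify the import or use the qualified name as elsewhere.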
Expand Up @@ -25,7 +25,7 @@ Licensed to the Apache Software Foundation (ASF) under one

/**
* AbstractStep subclass that executes instructions, uninterrupted, and results in an Outcome. Concrete classes only need to implement
* {@link Task#execute()}. When the execution step completes, <code>execute</code> must return {@link Outcome#STEP_COMPLETE},
* {@link Task#execute(org.apache.wiki.api.core.Context)}. When the execution step completes, <code>execute</code> must return {@link Outcome#STEP_COMPLETE},
* {@link Outcome#STEP_CONTINUE} or {@link Outcome#STEP_ABORT}. Subclasses can add any errors by calling the helper method
* {@link AbstractStep#addError(String)}. The execute method should <em>generally</em> capture and add errors to the error list instead of
* throwing a WikiException.
Expand Up @@ -46,7 +46,7 @@ Licensed to the Apache Software Foundation (ASF) under one
* IllegalStateException. Callers can place the Workflow into the WAITING state by calling {@link #waitstate()}.</li>
* <li><strong>{@link #WAITING}</strong>: when the Workflow has temporarily paused, for example because of a pending Decision. Once the
* responsible actor decides what to do, the caller can change the Workflow back to the RUNNING state by calling the {@link #restart(Context)}
* method (this is done automatically by the Decision class, for instance, when the {@link Decision#decide(Outcome)} method is invoked)</li>
* method (this is done automatically by the Decision class, for instance, when the {@link Decision#decide(Outcome, Context)} method is invoked)</li>
* <li><strong>{@link #COMPLETED}</strong>: after the Workflow has finished processing all Steps, without errors.</li>
* <li><strong>{@link #ABORTED}</strong>: if a Step has elected to abort the Workflow.</li>
* </ul>