Re-evaluate whether we should bundle linters for native helpers into the code #6908

Open
1 task done
jeffwidman opened this issue Mar 24, 2023 · 0 comments
Labels
build 🛠 (Relates to building and releasing Dependabot), core 🍏 (Relates to the dependabot-core library itself), T: tech-debt ⚙️

jeffwidman commented Mar 24, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Code improvement description

❓ We get regular :dependabot: bumps of the linters/static code analyzers used in native helpers like eslint, phpstan, etc, and even though it's relatively trivial to bump them, it doesn't add much value to do that week after week. A few options I see:

  1. keep doing it and eat the cost.... it's not much focused time, the more annoying part is the distraction of having to remember to @dependabot rebase the next one since we aren't as aggressive about rebasing anymore
  2. add merge-queue on dependabot-core... it's been helpful for this use case in an internal repo, for safety I only queue up one per ecosystem to avoid stepping on each other, but this would let us merge one-linter-per-ecosystem concurrently across multiple ecosystems
  3. wait for grouped-updates to land... this only solves a small part of this particular problem though
  4. migrate them one-by-one to using a GitHub action to handle linting... we actually used to do this (GitHub Action: Add Python flake8 linting #2892), and then switched to embedding (breadcrumbs in CI: Simplify workflow by moving suite specific tests into test script #3430)... but embedding isn't necessarily needed now that many editors such as VS Code and others allow quickly installing language-specific plugins like linters...
  5. migrate them en-masse to using https://github.com/oxsecurity/megalinter... again a CI thing, but keeps some complexity down because it "Just works" on all the native helpers, w/o us having to configure them... eg, we need to add yamllint (Run yamllint on PR's #5572) and haven't gotten to it, this would let us pick that up for free

One tricky bit is illustrated by #6830. Some linters will need to be run against a matrix of runtime versions.

Thoughts?

jeffwidman added the T: tech-debt ⚙️, core 🍏 (Relates to the dependabot-core library itself) and build 🛠 (Relates to building and releasing Dependabot) labels Mar 24, 2023