Use 3rd party service like dependabot to keep up with vendored libs

[sylr]

I was wondering if prometheus could use a service like https://dependabot.com/ to help upgrade the vendored libs.

Dependabot is a github app which creates pull requests as soon as it detects that a lib used in the project has a new version released. It currently only updates the go.mod and go.sum files but does not update the vendor/ dir but I have made a script for another project which called by travis updates the PR with the changes in vendor/.

I know that Thanos is using this service. Maybe prometheus could do the same.

Thoughts ?

[beorn7]

Sounds to me like a good idea in general, especially with the expected wider adoption of go modules.

@simonpasquier you might have the most qualified opinion about this.

[simonpasquier]

The idea is interesting. I had a quick look and tried to use it on my forks of prometheus and alertmanager but it complains that it can't parse the go.mod file. The level of authorization requested by dependabot is also quite high:

@sylr I guess that dependabot-travis.sh is the custom script you're mentioning in the original description?

[sylr]

@simonpasquier Yes it is.

[hmarr]

I'm one of the folks building Dependabot. We'd love to help out in any way we can, so please feel free to ping me if you have any questions 🙂

The go.mod issue is now fixed. Thanks @simonpasquier for raising it.

We also plan to add vendoring support in due course. In the meantime, a CI script or GitHub Actions (if you have access) is a good solution - several of our users are doing something similar.