Upgraded main and example Go dependencies pre 2.49-rc.0 #13255
44341e9 to 2b43309
hmmmm
Disabled that update for now.
2b43309 to a9d44d9
This isn't really necessary anymore as we have dependabot that watches for Go updates.
True, but we don't do a good job of merging/reviewing/addressing blockers on those dependabot PRs, so far. Anyway, was quicker for me to do one PR here than checking & fixing & rebasing 5+ dependabot PRs.
I am objecting to this change. I think we can do a better job of using dependabot for what it's good for.
Hm, so that blocks having latest minor versions for all our Go packages on new release, are you sure? I don't see how I can do it with dependabot at the moment (e.g. to include documentation go.mod). It periodically proposes PRs to upgrade some groups, plus it takes time to merge all groups one by one, wait for tests, rebase (every PR generates conflicts with go.mod) and repeat X times. Am I missing something? e.g. dependabot/dependabot-core#2980 ..even if there is some configuration to do, I don't have time to do it right now. What's the harm in upgrading in bulk while we wait for improved dependabot and us reconfiguring things for better state? 🤔
I think the right way to change the release process would be to make a PR changing https://github.com/prometheus/prometheus/blob/main/RELEASE.md#manually-updating-go-dependencies (I'm unclear how or if dependabot works, but ok to change the system given clear instructions)
I think of dependabot as a tool helping the release shepherd. It's the release shepherd's call if they want to utilize it or not. AFAIK dependabot will simply close the PRs that aren't needed anymore because the dependency was updated manually.
110688b to 0acf544
Pre step for 2.49-rc.0

Added cmd for documentation module update due to https://github.com/prometheus/prometheus/security/dependabot/92 & other similar alerts.

Signed-off-by: bwplotka <bwplotka@gmail.com>
0acf544 to 8eaad74