
Use dependabot for linters dependencies #372

Merged
merged 15 commits into from
Jul 8, 2020

Conversation

GaboFDC (Collaborator) commented Jul 3, 2020

This fixes #201
I did a cleanup as good as I can. This is still a draft, but the only missing part is adding dependabot, which after #367 will only need adding npm and pyenv to the config, so I'd like feedback on the way this was done and any other comments.

About ruby, we need to fix #134 before we can start using the Gemfile properly as I stated in a comment there.

I also used what @nemchik suggested, copying binaries from maintained docker images, for more clarity and ease of "install".

@GaboFDC GaboFDC changed the title Gf dependencies Use dependabot for linters dependencies Jul 3, 2020
nemchik (Collaborator) left a review comment

This looks like an amazing start to me!


[dev-packages]

[packages]
Collaborator:

I do not have enough experience with dependabot to confirm it should keep versions in this file up to date, but ideally in any place where dependabot is capable of updating versions for us we should specify exact version numbers. This makes it easier for users in the future to track down the commit associated with a release and see specific versions of dependencies used.

Collaborator (Author):

From some tests, this is fine, as the locked version is on the .lock file.

So here we just say that there is no restriction on the version (like a minimum), and dependabot will correctly update the lock file when new releases are available.

Collaborator:

If dependabot cannot update these then leaving * is fine, but if it can then my opinion is we should put the specific versions in here. Another benefit is that new versions for any versioned dependency will have to be approved by a human via a PR like this one https://github.com/github/super-linter/pull/381 which sounds like more human interaction but actually ends up meaning a build is triggered for each new version of the dependency, and so we end up with a lot more testing to keep things running smooth. I think dependabot might even be able to auto merge PRs with passing builds if it becomes a lot to manage, but then the ability to intentionally hold back a specific version is lost. Another reason for doing it in this file and not relying on the lock file is the lock file is a lot less human readable to basic end users. In this case it's pretty small, but in npm for example it is nearly pointless for a human to read the lock file with how complex it is.

Collaborator (Author):

Just to clarify, using the * does not forbid dependabot from working; it works just fine, see my test here.
But you still prefer to keep the specific version in the normal file, right? If so, I'll put it with the latest version we are using at the moment as the minimum. Does that seem fine?

Collaborator:

Awesome to see dependabot working in your testing! My only reason for still considering it being in this file is user readability. I don't think it's a sword worth dying on, so if keeping * is easier I'm fine with that.
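As an added illustration, not a file from this PR or the super-linter repository: a dependabot configuration covering the pip (Pipfile) and npm ecosystems this thread is about, including an ignore rule for the "intentionally hold back a specific version" case mentioned above. The directory paths and the dependency name are assumptions.

```yaml
# Added example (.github/dependabot.yml), not the PR's own file.
# "directory" values are assumptions: point them at wherever the Pipfile
# and package.json actually live in the repository.
version: 2
updates:
  # Pipfile / Pipfile.lock: with "*" in the Pipfile the pin lives in the lock
  # file, and dependabot opens a PR whenever the lock can move to a newer release.
  - package-ecosystem: "pip"
    directory: "/dependencies"        # assumed path
    schedule:
      interval: "weekly"
    # One PR per dependency bump keeps a human in the loop and a CI run per update.
    open-pull-requests-limit: 10
    # Holding back a specific version, which the thread notes is lost with auto-merge.
    ignore:
      - dependency-name: "example-linter"   # placeholder name, not a real dependency
        versions: [">= 2.0.0"]

  # package.json / package-lock.json for the npm-installed linters.
  - package-ecosystem: "npm"
    directory: "/dependencies"        # assumed path
    schedule:
      interval: "weekly"
```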

nemchik (Collaborator) commented Jul 6, 2020

The only thing I think left in this PR to address is https://github.com/github/super-linter/pull/372#discussion_r449727037

Everything else here is looking really good!

nemchik (Collaborator) commented Jul 6, 2020

https://github.com/github/super-linter/pull/367 merged and seems to have created a conflict. Please rebase.

admiralAwkbar (Collaborator):

@GaboFDC this looks good to me! I found a few issues and cleaned them up

GaboFDC (Collaborator, Author) commented Jul 6, 2020

Hey @admiralAwkbar, thanks for the help. Seems like the rebase was not clean enough: I see a duplicate npm install, and the packages install was reverted. I had cleaned it to the minimum as lots of things were not needed anymore.
I'll re-rebase and force push if that's ok with you?

Also, I'll test about https://github.com/github/super-linter/pull/372#discussion_r449727037 to be sure dependabot works as expected.

admiralAwkbar (Collaborator):

@GaboFDC yeah that rebase went badly, my bad. Please make any adjustments and push to the branch so we can get it all validated and up to date

@admiralAwkbar admiralAwkbar self-assigned this Jul 6, 2020
@admiralAwkbar admiralAwkbar added automation related to helping the project operate more efficiently dependencies Pull requests that update a dependency file enhancement New feature or request labels Jul 6, 2020
@GaboFDC GaboFDC marked this pull request as ready for review July 6, 2020 19:51
@GaboFDC GaboFDC mentioned this pull request Jul 6, 2020
@nemchik nemchik mentioned this pull request Jul 7, 2020
2 tasks
nemchik (Collaborator) commented Jul 7, 2020

GitHub Actions seemed broken earlier today. If you run the following it should re-push your latest commit and trigger new checks:

git commit --amend --no-edit
git push -f

admiralAwkbar (Collaborator):

@GaboFDC Amazing work out there... it needed some cleanup :)

admiralAwkbar (Collaborator):

@GaboFDC did you have any more work on this branch or do you feel like you got to where you wanted it to be?

GaboFDC (Collaborator, Author) commented Jul 8, 2020

@admiralAwkbar I think this is ready

admiralAwkbar (Collaborator) left a review comment

Amazing

@admiralAwkbar admiralAwkbar merged commit a575089 into super-linter:master Jul 8, 2020
Linked issues this pull request may close: Keep dependencies up to date; Upgrade Rubocop to Latest.
3 participants