Skip to content
This repository has been archived by the owner on Sep 12, 2023. It is now read-only.

add dependabot config script #107

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

davidspek
Copy link

@davidspek davidspek commented Jan 25, 2021

Inspired by kubeflow/pipelines#4682 I created a script that will create a config file for depandabot so that it knows what directories to scan. It will scan the repository for files named *ockerfile*, package*.json, *requirements.txt and go.*. It is setup for dockerfiles, npm packages, pip dependencies and gomod at the moment. It is trivial to further customize what folders are selected if further customization is needed. It also parses the closest OWNERS file for a given dependency listing file, and assigns the relevant approvers and adds the relevant reviewers to the PRs it creates.

This is a sibling PR to kubeflow/pipelines#5015, kubeflow/kubeflow#5542, kserve/kserve#1309, kubeflow/arena#403, kubeflow/testing#855, kubeflow/fairing#550, kubeflow/kfp-tekton#432, kubeflow/katib#1420, kubeflow/training-operator#1224, kubeflow/kfp-tekton-backend#28, kubeflow/mpi-operator#319, kubeflow/pytorch-operator#315, kubeflow/metadata#255, kubeflow/xgboost-operator#107, kubeflow/fate-operator#26, kubeflow/mxnet-operator#87, kubeflow/website#2459, kubeflow/kfctl#479, kubeflow/examples#843, kubeflow/code-intelligence#198 and GoogleCloudPlatform/kubeflow-distribution#192.

As it stands now, there will be about 9 PRs that will be created with this configuration.

For reference, the PRs that will be created can be found here: https://github.com/DavidSpek/common/pulls

@k8s-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: DavidSpek
To complete the pull request process, please assign jeffwan after the PR has been reviewed.
You can assign the PR to them by writing /assign @jeffwan in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@davidspek
Copy link
Author

/assign @Jeffwan

@Jeffwan
Copy link
Member

Jeffwan commented Jan 25, 2021

@davidspek I don't quite understand the purpose here. I think pipeline has many 3rd dependencies. However, other projects like training operators they only use go and python(SDK). Currently, it's not a problem for Prow to infer the reviewer.

What's the benefit to adopt this script?

@davidspek
Copy link
Author

@Jeffwan The script is not so much to assign the reviewers and approvers, but more to configure dependabot so that it functions properly and knows what folders to scan for what dependencies. Along with that, dependabot also gives security alerts for dependencies with security vulnerabilities. By merging this PR, dependabot can open PRs when there are dependencies that need updating. For example, this repo has 9 dependencies that can/need to be updated. https://github.com/DavidSpek/common/pulls

@Jeffwan
Copy link
Member

Jeffwan commented Jan 26, 2021

@davidspek Right. The scripts seems to generate assignees list from owners files and then create dependabot yaml. I am wondering this is a required from dependabot. because dependabot doesn't need to know who to assign. This can be done by Prow once PR is out.

@davidspek
Copy link
Author

@Jeffwan Is it a problem that dependabot assigns the approvers and reviewers? The functionality can easily be removed, but it does cause the script to be different that in the other repositories. At the moment, the same script is used in every repository.

@davidspek
Copy link
Author

I am holding the PR to have some control over when it gets merged so that the optional test infra doesn't get overloaded if all the repo's were to merge this at the same time.
/hold

@Jeffwan
Copy link
Member

Jeffwan commented Jan 27, 2021

@Jeffwan Is it a problem that dependabot assigns the approvers and reviewers? The functionality can easily be removed, but it does cause the script to be different that in the other repositories. At the moment, the same script is used in every repository.

@davidspek I feel like this is redundant. but I agree if community adopt this solution, we should try to make them consistent.

Can you do a rebase? master has the license header change and travis CI will succeed then

@davidspek
Copy link
Author

@Jeffwan I just did a rebase. I am about to discuss dependabot and the way forward in the Community Call in 45 minutes, as for different repo's the volume of PRs seems to be an issue. However, given the few PRs that are created in this repo, I'd say it is alright to merge as it can also easily be removed or changed if there ends up being a different solution (such as self hosting dependabot) in the future. Then at least this repo can already start having the dependencies updated which will reduce the load in the future.

georgkaleido pushed a commit to georgkaleido/common that referenced this pull request Jun 9, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants