
Document options for keeping dependencies up to date #109

Merged · 3 commits · Dec 6, 2022
17 changes: 12 additions & 5 deletions RESPONSIBILITIES.md
Expand Up @@ -7,6 +7,7 @@
- [Triage Open Issues](#triage-open-issues)
- [Be Responsive](#be-responsive)
- [Maintain Overall Health of the Repo](#maintain-overall-health-of-the-repo)
- [Keep Dependencies up to Date](#keep-dependencies-up-to-date)
- [Manage Roadmap](#manage-roadmap)
- [Add Continuous Integration Checks](#add-continuous-integration-checks)
- [Developer Certificate of Origin Workflow](#developer-certificate-of-origin-workflow)
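Review bot: the new table-of-contents entry `- [Keep Dependencies up to Date](#keep-dependencies-up-to-date)` is listed at the same level as the `###` sections around it, while the heading it points to is added as a `####` sub-heading under "Maintain Overall Health of the Repo"; either nest the entry under the "Maintain Overall Health of the Repo" item or promote the heading, so the TOC level matches the document structure. The anchor slug itself is fine, since GitHub lowercases and hyphenates the heading text exactly this way.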
Expand All @@ -22,7 +23,7 @@
- [Moving On](#moving-on)
- [Inactivity](#inactivity)
- [Negative Impact on the Project](#negative-impact-on-the-project)

## Overview

This document explains who maintainers are, what they do in various repos of opensearch-project, and how they should be doing it. If you're interested in contributing, see [CONTRIBUTING](CONTRIBUTING.md).
Expand Down Expand Up @@ -51,19 +52,25 @@ Review pull requests regularly, comment, suggest, reject, merge and close. Accep

### Triage Open Issues

Manage labels, review issues regularly, and triage by labelling them.
Manage labels, review issues regularly, and triage by labelling them.

All repositories in this organization have a standard set of labels, including `bug`, `documentation`, `duplicate`, `enhancement`, `good first issue`, `help wanted`, `blocker`, `invalid`, `question`, `wontfix`, and `untriaged`, along with release labels, such as `v1.0.0`, `v1.1.0`, `v2.0.0`, `patch`, and `backport`.

Use labels to target an issue or a PR for a given release, add `help wanted` to good issues for new community members, and `blocker` for issues that scare you or need immediate attention. Request for more information from a submitter if an issue is not clear. Create new labels as needed by the project.

### Be Responsive

Respond to enhancement requests, and forum posts. Allocate time to reviewing and commenting on issues and conversations as they come in.
Respond to enhancement requests, and forum posts. Allocate time to reviewing and commenting on issues and conversations as they come in.

### Maintain Overall Health of the Repo

Keep the `main` branch at production quality at all times. Backport features as needed. Cut release branches and tags to enable future patches.
Keep the `main` branch at production quality at all times. Backport features as needed. Cut release branches and tags to enable future patches.

#### Keep Dependencies up to Date

Maintaining up-to-date dependencies on third party projects reduces the risk of security vulnerabilities. The Open Source Security Foundation (OpenSSF) [recommends](https://github.com/ossf/scorecard/blob/c26bea648d0ef252de841ba59a55e8d67fe30271/docs/checks.md#dependency-update-tool) either [dependabot](https://docs.github.com/en/code-security/dependabot) or [renovatebot](https://docs.renovatebot.com/).
Member
This recommendation for OpenSSF is old, why not link to their main branch?

Member Author
Well, I just followed the link from the press release but certainly linking to a permalink off the current main would be better.

Although that introduces a bit more complexity to this whole paragraph as it includes Sonatype Lift as another option. But I believe that only scans for dependencies with vulnerabilities, not overall dependency updates. So should it be included?

Member @peternied, Nov 30, 2022
It sounds like you are proposing to duplicate the OpenSSF content. I would rather link out, but provide the guidance based on their fielding, e.g.

We recommend you use renovate, and there are a number of other tools available such as {dependabot, ...?} that might work better depending on a repository's needs; see this publication from OpenSSF that includes many other technologies {link}

How does that sound?

Member Author
I don't want to be the one saying "we recommend..." yet. I do think I can link to the current OpenSSF scorecard and reference #93, though, since using one of these options contributes to that.

- Dependabot is integrated with GitHub and can be enabled simply by adding a [`dependabot.yml`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates) file to the repo. This will create individual pull requests for each dependency update that can be tracked via tags.
- Renovatebot requires installation of the [`forking-renovate`](https://github.com/apps/forking-renovate) app which will generate a pull request to set itself up. The dependency update pull requests have more information on version age, adoption rate, and percent of successful tests of those who have upgraded. In addition, a centralized dashboard issue provides visibility into all available version updates even if the PR has not yet been generated.

### Manage Roadmap
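Review bot: the Dependabot bullet says update pull requests "can be tracked via tags", but Dependabot marks the PRs it opens with labels (the `dependencies` label by default), not git tags; suggest "that can be tracked via labels". Two further points on the same section: first, the `dependabot.yml` file described there configures version updates only, and is separate from Dependabot's security updates, which are switched on in the repository's code-security settings, so since the paragraph motivates the section with vulnerability risk it is worth one sentence saying that both mechanisms should be enabled. Second, as already raised in the thread, the OpenSSF link points at a pinned commit of `docs/checks.md`; a link to the current `main` branch of that file avoids the guidance going stale, and a note that update PRs still go through the normal review and CI gate before merge would make clear that a dependency bump is itself a change to the supply chain. Separately, the "Triage Open Issues", "Be Responsive" and "Maintain Overall Health" paragraphs appear as removed-and-re-added lines with no visible text difference, which looks like trailing-whitespace cleanup; harmless, but worth mentioning in the commit message so the diff's 5 deletions are not mistaken for content changes.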

Expand Down Expand Up @@ -116,7 +123,7 @@ Individuals accept the nomination by replying, or commenting, for example _"Than
Upon receiving three positive (+1) maintainer votes, and no vetoes (-1), from other maintainers, and after having privately confirmed interest with the nominee, the maintainer opens a pull request adding the proposed co-maintainer to MAINTAINERS.md. The pull request is approved and merged.

> _Content from the above nomination._
>
>
> The maintainers have voted and agreed to this nomination.

The repo admin adjusts the new maintainer’s permissions accordingly, and merges the pull request.
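Review bot: the only change visible in this hunk is the blank `>` line inside the nomination quote, which appears as removed-and-re-added with no visible difference (trailing-whitespace cleanup); it is unrelated to the dependency-update documentation this PR adds, so either drop it from this change or call it out in the commit message as incidental whitespace cleanup.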