Get Renovate bot running on this repository with a basic config #321
Comments
I personally am a huge fan of using this, (Sorry to say, but currently using DependaBot on the The one concern I can really see here, and might end up being the case, is currently we have a lot of outdated dependencies, but even worse we have a lot of failing tests, and it can make it extremely difficult to trust tests when performing an upgrade to a dependency. So I know personally when I see a bot updating one of the deps, I read through the ChangeLog, sometimes even the commit diff of the version, see if there's any APIs I'm using or notes that look relevant and the tests. But for us right now, some of the tests can be flaky (but we are working on that), and I don't think any one person would be able to look at a dep version bump and know if it affects any of the APIs we use. That isn't to say we shouldn't use it, just either it might be time before we do, or we would have to do the research first, and configure it in such a way to avoid any of our major dependencies at first.
Dependabot is good as well. The biggest win is using a dependency management bot.
Updating old dependencies with flaky or broken tests is tricky. How about this then:
You then have a special issue which lists all your dependencies and their updates. You can select a checkbox in the special issue to get an update PR from Renovate for that dependency. Renovate calls this "the Dependency Dashboard Approval workflow". 1 Once you've fixed your flaky/broken tests you can start automating dependency updates more:
Dependabot must run at least once a month ( I'm happy to create a basic Renovate configuration with the Dependency Dashboard enabled, and the "Dependency Dashboard Approval Workflow".
This sounds really cool, and appreciate you being open to assist in creating a configuration for it. How about this, since this change will likely affect many of our core contributors and would change the workflow I'll make a poll on our Discord to see what everyone thinks, and if approved, then we can move forward with your plan. Which thanks for laying it out like you have and helping find ways to work around our limitations, your contributions are appreciated!
Did you manage to run the poll already? I'm curious what you guys voted. 😄
Sorry for not returning back to this one. So the poll has been closed I believe with a vote of:
There are some very good points against it. Essentially wanting to result in not too much noise, and concerns over not missing important changes as they happen in dependencies. It is something I've meant to take a look at. But do appreciate you getting the ball rolling here, since I've done this once or twice manually bumping several dependencies and testing, and it isn't a whole lot of fun.
I'm testing Renovate on my fork. You can see the Dependency Dashboard in action here: This is the

```json5
{
  "extends": ["config:base", ":dependencyDashboardApproval"], // Default configuration + only get updates when requested via Dependency Dashboard
  "includeForks": true // You do not need this option, but I do, because I'm running Renovate on a fork :)
}
```

As you can see on my fork, Renovate has not created any PRs. That's because I need to select the updates I want from the Dependency Dashboard issue. Let me know what you think! 😉
Ironically enough, we probably do need the `includeForks` key, because a large portion of our repos are forked from Atom still. We need to contact GitHub (again?) to remove the upstream from quite a few of them.
Yeah @HonkingGoose this looks fantastic! I love the fact that it's just an issue. Especially love that it's able to find all the dependencies from our core packages as well! Only downside I can even find is that updating a dependency that's in the core and a core package looks like it'd update both by clicking the checkbox? But at the very least it reports it so you could update one manually if you ever needed. But that seems unlikely. So with this, and considering the way our vote carried out, might just be time to implement this in a PR. Appreciate all the effort and following up on this.
To get started with Renovate:
If you get stuck, ask for help in this issue. 😉
Are those core and core package files in different file paths? If yes, we can probably do something like this:

```json
{
  "packageRules": [
    {
      "description": "Group all dependencies from the core directory",
      "matchPaths": ["core/**"],
      "groupName": "Core dependencies"
    },
    {
      "description": "Group all dependencies from the core-packages directory",
      "matchPaths": ["core-packages/**"],
      "groupName": "Core packages dependencies"
    }
  ]
}
```

Here I'm using the

I still recommend starting with the simplest config first to see what happens. You can always tune things later. 😄
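A check a maintainer could run in CI to confirm that the approval gate discussed in this thread stays enabled. This is an added example, not part of the original thread and not Renovate's own validation; it reads only the configuration keys shown in the snippets above, and `load_relaxed` and `review` are hypothetical helper names.

```python
import json
import re

# Constructed sample: the two snippets from this thread merged into one file,
# written with // comments and a trailing comma.
SAMPLE = """
{
  "extends": ["config:base", ":dependencyDashboardApproval"], // approval mode
  "includeForks": true, // only needed when the repository is a fork
  "packageRules": [
    {"matchPaths": ["core/**"], "groupName": "Core dependencies"},
    {"matchPaths": ["core-packages/**"], "groupName": "Core packages dependencies"},
  ]
}
"""

_STRING = r'"(?:\\.|[^"\\])*"'


def _strip(pattern, text):
    """Delete matches of pattern that lie outside JSON string literals."""
    rx = re.compile(_STRING + "|" + pattern)
    return rx.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def load_relaxed(text):
    """Parse JSON that may carry // comments and trailing commas."""
    without_comments = _strip(r"//[^\n]*", text)
    return json.loads(_strip(r",(?=\s*[}\]])", without_comments))


def review(config):
    """Return (findings, groups): policy problems and the path -> group map."""
    findings, groups = [], {}
    if ":dependencyDashboardApproval" not in config.get("extends", []):
        findings.append("updates are not gated by Dependency Dashboard approval")
    for rule in config.get("packageRules", []):
        for path in rule.get("matchPaths", []):
            if path in groups and groups[path] != rule.get("groupName"):
                findings.append(f"{path} is assigned to more than one group")
            groups[path] = rule.get("groupName")
    return findings, groups


if __name__ == "__main__":
    problems, path_groups = review(load_relaxed(SAMPLE))
    print(problems or "approval workflow enabled", path_groups)
```

Python's `json` module rejects `//` comments and trailing commas, which is why the loader strips them first while leaving string values such as URLs untouched.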
Hi @confused-Techie! Congratulations on getting Renovate bot working! 🥳✨ I see Renovate already created some security PRs on this repository. Renovate always creates security PRs, even if you normally only get updates when requested from the Dependency Dashboard. I hope you enjoy Renovate bot. 😄
Have you checked for existing feature requests?
Summary
You have a Renovate bot configuration file, which is probably a left-over from the old Atom repository:
pulsar/.github/renovate.json
Lines 1 to 20 in 5420595
I recommend you use Renovate bot to get updates for your dependencies. I help maintain the documentation for Renovate, so obviously I like it best.
I can help you get Renovate bot running on this repository. 😉
What benefits does this feature provide?
Quote from the Renovate docs homepage: 1
One big feature is you can use Renovate's Dependency Dashboard issue 2 to get an overview of all your dependencies and their pending/open updates.
Any alternatives?
If you don't want to use Renovate, you can check out Dependabot 3 or Depfu 4.
Other examples:
Here's the Renovate bot in action on the official Renovate repository:
Footnotes
1. https://docs.renovatebot.com/
2. https://docs.renovatebot.com/key-concepts/dashboard/
3. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
4. https://depfu.com/