
Disable dependabot and add process for updating all deps after each release #1659

Closed
bwplotka opened this issue Oct 17, 2019 · 8 comments

@bwplotka
Member

bwplotka commented Oct 17, 2019

We are kind of behind on dependencies and being spammed by
It would be nice to configure dependabot to do all in one PR. I can't see such an option so I have created a support ticket.

Should it be a release shepherd responsibility?

AC:

  • After every release, we upgrade all our dependencies.

cc @brancz @domgreen @GiedriusS @metalmatze @adrien-f @FUSAKLA opinions?

@brancz
Member

brancz commented Oct 17, 2019

I do wonder, what is it that is keeping us from merging these PRs? It seems like continuously doing this is a better idea than all at once. Do we not have the confidence? Is it too much?

Generally speaking this still seems like a good idea in theory, I want to understand what's making it not useful in practice (and/or if we could make it useful 🙂 ).

@bwplotka
Member Author

bwplotka commented Oct 17, 2019

Sure, so problems with current approach:

  • Each merge of such a dep PR creates a conflict in go.mod (in most cases). The bot re-submits the other dep PRs in this case, but we have to wait for CI etc. At least 20m wait time for each PR. For ~50 deps, in the worst case, it takes 16h (: Not fun.
  • We can have a bit of "dependency hell" with indirect deps. This means that one PR can update one dep, but in another we have to downgrade. It might not be very efficient to tackle this on a per-dep basis.
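The batch-update process the thread converges on (bump everything once per release, in a single PR, and let the module tooling settle indirect deps) can be scripted. The following is an added example, not code from the Thanos project or from any commenter: it parses a constructed go.mod, separates direct from `// indirect` requirements, emits the commands a release shepherd would run for one combined upgrade PR, and diffs two go.mod versions to produce the bump list for the PR description. The module names and versions in the sample are constructed, not Thanos's real dependencies.

```python
"""Inventory a go.mod and plan a single batch dependency update.

Added example: parses go.mod by hand (no golang.org/x/mod dependency) and
emits the shell commands for one all-deps-at-once upgrade PR.
"""
import re

# Constructed sample go.mod; module names/versions are illustrative only.
SAMPLE_GO_MOD = """module example.com/thanos-like

go 1.13

require (
    github.com/go-kit/kit v0.9.0
    github.com/pkg/errors v0.8.1
    github.com/prometheus/client_golang v1.2.1
    golang.org/x/sys v0.0.0-20191010194322-b09406accb47 // indirect
    golang.org/x/text v0.3.2 // indirect
)
"""

# Same file after a hypothetical batch bump (constructed), used for diffing.
UPDATED_GO_MOD = SAMPLE_GO_MOD.replace(
    "github.com/pkg/errors v0.8.1", "github.com/pkg/errors v0.9.1"
).replace("golang.org/x/text v0.3.2", "golang.org/x/text v0.3.3")

_REQ_LINE = re.compile(r"^(\S+)\s+(\S+)(\s*//\s*indirect)?")


def parse_requires(go_mod_text):
    """Return (direct, indirect) dicts of module -> version from go.mod text.

    Handles both the `require ( ... )` block form and single-line
    `require mod vX` statements; comment-only lines are skipped.
    """
    direct, indirect = {}, {}
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):].strip()
        elif not in_block:
            continue  # module / go / replace lines etc.
        if line.startswith("//"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        mod, ver, ind = m.groups()
        (indirect if ind else direct)[mod] = ver
    return direct, indirect


def plan_batch_update(go_mod_text):
    """Return the commands for bumping every direct dep in one PR.

    Only direct requirements are listed explicitly: indirect ones are left
    for `go mod tidy` to resolve after the direct bumps, which avoids the
    upgrade/downgrade ping-pong that per-dependency PRs produce.
    """
    direct, _ = parse_requires(go_mod_text)
    targets = " ".join(f"{mod}@latest" for mod in sorted(direct))
    return [f"go get {targets}", "go mod tidy", "go build ./...", "go test ./..."]


def diff_requires(old_text, new_text):
    """Return sorted (module, old_version, new_version) tuples for changed
    direct deps, suitable for the batch PR's description."""
    old, _ = parse_requires(old_text)
    new, _ = parse_requires(new_text)
    return sorted(
        (mod, old[mod], new[mod])
        for mod in old
        if mod in new and old[mod] != new[mod]
    )


if __name__ == "__main__":
    for cmd in plan_batch_update(SAMPLE_GO_MOD):
        print(cmd)
    for mod, before, after in diff_requires(SAMPLE_GO_MOD, UPDATED_GO_MOD):
        print(f"bump {mod}: {before} -> {after}")
```

`go get module@latest` and `go mod tidy` are standard Go 1.13 module commands; `go get -u ./...` is the blunter alternative that also walks transitive deps. Either way, the build and test steps run once against the combined result, which is the whole point of batching.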

@brancz
Member

brancz commented Oct 18, 2019

It's probably worth giving the dependabot folks this feedback. I'd say let's make it release shepherd responsibility, that seems like a reasonable thing (of course one off bumps are not discouraged).

@bwplotka
Member Author

Ticket sent, no response

@metalmatze
Contributor

5 days later, did you get a response in the meantime?

@bwplotka
Member Author

bwplotka commented Oct 28, 2019 via email

@bwplotka bwplotka changed the title Disable dependabot and add dos to remember about updating deps after each release Disable dependabot and add process for updating all deps after each release Oct 29, 2019
@bwplotka
Member Author

Actually forget about a support ticket, look at this: https://github.com/dependabot/feedback/issues/5 👀

Will describe our use case and will check if we can help in any way.

@stale

stale bot commented Jan 11, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 11, 2020
@stale stale bot closed this as completed Jan 18, 2020