apm-agent-rum-js

Provide a bot to keep our dev dependencies updated

Open hmdhk opened this issue 5 years ago • 6 comments

Similar to the greenkeeper service or the dependabot. One requirement is to recognise local dependencies, example PR: https://github.com/elastic/apm-agent-rum-js/pull/643

@elastic/observablt-robots , do you have any solution for this?

hmdhk avatar Feb 26 '20 14:02 hmdhk

To avoid any issues with the CLA, we will build a wrapper to create PRs on behalf of the service account we use in the CI.

An example of the PRs creation can be found here:

  • https://github.com/v1v/apm-agent-rum-js/pulls?q=is%3Apr+is%3Aopen+label%3Adependencies

This is based on a draft Jenkins pipeline library I just coded that uses:

  • https://github.com/dependabot/dependabot-script

In a nutshell, we will build a process that will help the teams to control:

  • When to run the dev dependencies update (daily, weekly, monthly).
  • Who to assign those issues to.
  • What package manager to apply (npm_yarn, maven, go, gradle).

For this, we will create a properties file under the .ci folder, then the automation will read it and apply the execution.

v1v avatar Apr 23 '20 13:04 v1v

What do you think?

v1v avatar Apr 23 '20 13:04 v1v

Regarding the approach to use dependabot, @watson just added quite valuable information for some other use cases:

  • https://github.com/elastic/apm-agent-nodejs/pull/1727#issuecomment-618569553

Glad to say that even if we use the dependabot ad hoc thing, we could add more features to fulfil some of those requirements.

I'll gather all those details in another issue to discuss deeply with all the apm teams and agree on what's the best approach.

v1v avatar Apr 23 '20 20:04 v1v

IMO, using dependabot is a good idea and would already cut our work when updating dependencies. However, as I expressed already in a thread, Dependabot doesn't seem to be working correctly on the Lerna mono-repos and we might need to tweak it a little bit to behave correctly. Other than that, I agree with your points mentioned here: https://github.com/elastic/apm-agent-rum-js/issues/656#issuecomment-618408210

vigneshshanmugam avatar Apr 27 '20 08:04 vigneshshanmugam

@v1v One question I think is worth asking might be if we can get a high-level view of dependencies across all the observability repos. Perhap Do you think that has value?

cachedout avatar Apr 27 '20 09:04 cachedout

> @v1v One question I think is worth asking might be if we can get a high-level view of dependencies across all the observability repos. Perhap Do you think that has value?

Having dependabot centralised, we can push the dependency update information to the build stats cluster with no harm, where we can aggregate anything we need once we have data. We can even picture a static analyser for project descriptors (go.mod, package.json, dependencies.txt, pom.xml...) doing the same thing: pushing deps info to the stats.

mdelapenya avatar May 28 '20 06:05 mdelapenya