
Security updates should automatically apply to `release-3.4` and `release-3.5`

Open isubasinghe opened this issue 9 months ago • 4 comments

Summary

As the title states, security updates should immediately be available in release channels.

Use Cases

It is difficult to individually perform releases, and it currently is a manual process, which also is to say that it is error prone: humans may accidentally miss critical security fixes when rolling a new release. While the end goal would be some kind of full automation of the release process, we could set up the security updates from dependabot to be automated.

isubasinghe avatar May 07 '24 09:05 isubasinghe

Sounds like a subissue of #12592.

Afaik, dependabot doesn't run on other branches, so this would be largely the same as what we discussed in #12592, automatically cherry-picking into currently supported branches.

which also is to say that it is error prone

Due to that, there can still be a merge conflict on cherry-picking / backporting, especially with deps, so this may never be fully automated either.

we could setup the security updates from dependabot to be automated.

Since dependabot is only doing security updates now after #12487, we could detect these.

Otherwise, we do have to manually do some updates (as they're major bumps or require code changes etc.), and there isn't necessarily a good way to detect those other than the labels (which have to be manually added).

agilgur5 avatar May 08 '24 16:05 agilgur5

I didn't know that dependabot doesn't run on other branches, that is a shame to hear.

I do have a dirty ugly hack for this: I can create two forks of workflows and set each one's default branch to be release-3.4 and release-3.5 respectively. This way there should be automatic updates to those forks. From there I can push those changes here. It won't be completely automatic, but it will resolve the manual conflict resolution.

I feel like I deserve some abuse for this proposal hahaha, it is such a hack but should keep us going.

isubasinghe avatar May 09 '24 12:05 isubasinghe

One can ask dependabot to run on branches... but it only does security PRs on the main one. Hence many people... create a separate git repository for the stable branch to be set as default just to get those PRs... I know.

xnox avatar Aug 10 '24 03:08 xnox
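For reference, this is what "asking dependabot to run on branches" looks like in practice: a `dependabot.yml` that adds separate update entries for the release branches via `target-branch`. This is an added illustration, not a file from the argo-workflows repository; the Go module ecosystem, root directory and weekly schedule are assumptions. It only produces the regular version-bump PRs on those branches; the security-alert-driven PRs the comment refers to still go only to the default branch.

```yaml
# Added example (not the project's own config). Assumes a Go module at the repo root.
version: 2
updates:
  # Default branch: gets both regular bumps and (separately) security-alert PRs.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"

  # Supported release branches: regular bumps only, targeted explicitly.
  # Security-alert PRs are NOT generated for these branches (see thread).
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "release-3.5"
    schedule:
      interval: "weekly"

  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "release-3.4"
    schedule:
      interval: "weekly"
```

Because the branch entries only see scheduled version updates, a security fix that lands on `main` through a security-alert PR still has to be cherry-picked or backported to `release-3.4`/`release-3.5` by the maintainers, which is the gap this issue is about.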

but it only does security PRs on the main one

ofc classic dependabot limitations... 🙃 security PRs require dependabot security alerts, which afaik aren't even configurable? Let alone run on branches 😕

agilgur5 avatar Aug 10 '24 05:08 agilgur5