PoC dependency updates through events
Disclaimer: This issue should be put in a general cdevents community repo, but as we lack one, I have put it here instead.
I'd like to see a PoC on dependency updates through events. The idea is that, e.g., an artifact published event should trigger a new pull request being created in a repository that depends on that "upstream" repo. It could be a lib->component relation, a component->application relation, or similar. The new pull request in that "downstream" repo should then have a change created event sent for it, which somehow relates to the artifact being the cause of that update.
Note: The functionality of triggering downstream dependency updates is today handled by, for example, Dependabot if both repos are in GitHub, but what if they are not? Sending such events would also make it possible to visualize and measure such dependency updates in a generic manner.
This PoC could maybe be based on Mend Renovate (https://www.mend.io/free-developer-tools/renovate/). We could also look into integrating Dependency-Track (https://owasp.org/www-project-dependency-track/) and DefectDojo (https://github.com/DefectDojo/django-DefectDojo).
Looks like some of this relates to comments around promotion and test-related events that you, @afrittoli, @xbcsmith, and I made in #143. Thoughts?
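As an added illustration of the flow proposed above (example code written for this page, not code from the issue author or from the cdevents project), here is the loop simulated offline in Python: an upstream artifact published event is consumed by a hypothetical dependency-update bot, which opens one pull request per downstream repository and emits a change created event for each, carrying a pointer back to the causing artifact and the upstream event. The `dev.cdevents.*` type names follow CDEvents naming (the version suffixes are an assumption); the `causedBy` pointer in `customData`, the `TRUSTED_ARTIFACT_SOURCES` allowlist, the `DOWNSTREAM_DEPENDENTS` inventory, the `/bot/dependency-updater` source id and the simulated SCM call are all constructed for the example.

```python
"""Simulated event-driven dependency updates: artifact.published -> PR -> change.created."""
import uuid
from datetime import datetime, timezone

# CDEvents event-type names (the version suffixes are an assumption here).
ARTIFACT_PUBLISHED = "dev.cdevents.artifact.published.0.1.0"
CHANGE_CREATED = "dev.cdevents.change.created.0.1.0"

# Constructed inventory: downstream repositories per upstream artifact (package URL without version).
DOWNSTREAM_DEPENDENTS = {
    "pkg:maven/com.example/core-lib": [
        "git.example.com/team/component-a",
        "git.example.com/team/component-b",
    ],
}

# Constructed allowlist: only events from these producers may trigger downstream changes,
# so an unexpected producer cannot make the bot open pull requests.
TRUSTED_ARTIFACT_SOURCES = {"/ci/upstream-pipeline"}

BOT_SOURCE = "/bot/dependency-updater"  # hypothetical producer id for the emitted events


def make_event(event_type, source, subject_id, subject_type, content, custom_data=None):
    """Build a CDEvents-shaped envelope: context + subject (+ optional customData)."""
    event = {
        "context": {
            "version": "0.4.0",  # assumption: a spec version that carries customData
            "id": str(uuid.uuid4()),
            "source": source,
            "type": event_type,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        },
        "subject": {"id": subject_id, "source": source, "type": subject_type, "content": content},
    }
    if custom_data is not None:
        event["customData"] = custom_data
        event["customDataContentType"] = "application/json"
    return event


def split_purl_version(purl):
    """'pkg:maven/com.example/core-lib@1.2.3' -> ('pkg:maven/com.example/core-lib', '1.2.3').

    Qualifiers (?...) and subpaths (#...) are not handled; the sample data has none.
    """
    name, sep, version = purl.rpartition("@")
    if not sep:
        return purl, None
    return name, version


def sample_artifact_event(source="/ci/upstream-pipeline",
                          purl="pkg:maven/com.example/core-lib@1.2.3"):
    """Constructed upstream event standing in for what a CI system would publish."""
    return make_event(ARTIFACT_PUBLISHED, source, purl, "artifact", {})


def open_dependency_pr(repo, purl):
    """Stand-in for the SCM call a real PoC would make (Renovate, or a GitHub/GitLab client).

    Returns the identifier a real client would hand back for the new pull request.
    """
    _, version = split_purl_version(purl)
    return f"{repo}/pull/dependency-{version}"


def handle_artifact_published(event):
    """Consume one artifact.published event; return the change.created events to emit.

    Events of other types, or from producers outside the allowlist, produce no changes.
    """
    ctx = event["context"]
    if ctx["type"] != ARTIFACT_PUBLISHED or ctx["source"] not in TRUSTED_ARTIFACT_SOURCES:
        return []
    purl = event["subject"]["id"]
    name, _ = split_purl_version(purl)
    emitted = []
    for repo in DOWNSTREAM_DEPENDENTS.get(name, []):
        change_id = open_dependency_pr(repo, purl)
        emitted.append(make_event(
            CHANGE_CREATED, BOT_SOURCE, change_id, "change",
            {"repository": {"id": repo, "source": BOT_SOURCE}},
            # The link back to the cause: artifact id plus the upstream event id. How to
            # express this relation is an assumption; CDEvents leaves customData free-form.
            custom_data={"causedBy": {"artifactId": purl, "eventId": ctx["id"]}},
        ))
    return emitted


def caused_by(change_event):
    """Read the cause pointer back out, as a dashboard or audit job would."""
    return change_event.get("customData", {}).get("causedBy")


if __name__ == "__main__":
    upstream = sample_artifact_event()
    for change in handle_artifact_published(upstream):
        print(change["subject"]["id"], "<-", caused_by(change)["artifactId"])
```

Two design points worth noting. The bot opens pull requests on the strength of an incoming event, so it checks the producer against an allowlist before acting; in a real deployment that check would be backed by the transport's authentication rather than a plain source string. And the `causedBy` pointer is what makes the generic measurement mentioned in the note possible: a consumer that sees both event types can join every downstream change to the artifact that triggered it without knowing anything about GitHub, Renovate or any other tool.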