flatpak-external-data-checker

[RFC] Use of dependabot as a core

Open HarryMichal opened this issue 3 years ago • 3 comments

Some time ago I learned about the existence of a tool called dependabot. Some time ago it was acquired by GitHub and it is open source. The tool integrated in GitHub is built on top of a core library. Relying on this library instead of implementing different backends (e.g., GitLab) could prove beneficial.

HarryMichal avatar Oct 15 '21 17:10 HarryMichal

We're aware of dependabot's and renovate's existence, yet the integration path is unclear. The major difference between flatpak-builder manifests and the files that are usually updated by those tools (requirements.txt / package.json / etc.) is that f-b manifests do not normally store any information about the products and versions they contain. E.g. for an archive source, the only thing it cares about is the URL and checksum. Thus, there is no way to check for a new version without some additional metadata.

gasinvein avatar Oct 16 '21 10:10 gasinvein

Fair enough. Then it could be used at least for implementing the PR publishing routines? Simply for the sake of not having to maintain this code.

HarryMichal avatar Oct 16 '21 13:10 HarryMichal

Yes, delegating handling PRs to some other tool makes sense, but I have no idea where to start.

gasinvein avatar Oct 16 '21 13:10 gasinvein