handlebars.js

Dependency Management Automation

Open aorinevo opened this issue 5 years ago • 4 comments

Note: this issue is a port of https://github.com/NerdWalletOSS/shepherd/issues/111

Narrative

As a maintainer of Handlebars, I want a quick and easy way to keep dependencies up-to-date and reduce the level-of-effort associated with the corresponding releases.

Proposed Change

The proposed change is to integrate renovate, renovate approve, semantic commits, and semantic-releases.

With the right combination of settings across these four GitHub apps, CI/CD can take care of updating minor and patch dependencies (relative to the semantic commit message), approving and merging the corresponding PRs, publishing a new tag version, and finally updating release notes (if needed) and the changelog.

Technical Details

  • Use GitHub workflows
  • Add GH_TOKEN secret with properly provisioned token (repo access is sufficient)
  • Need to decide on a set of types that will trigger releases and the corresponding semver bump. For example, we can have:
    • docs, style, refactor, and perf map to patch semver bump
    • feat map to patch semver bump
  • conventional commits should use the following scopes:
    • parser, compiler, runtime, cli
  • Update documentation in CONTRIBUTING.md

ROI

  • near real time vulnerability and security patches
  • reduced overhead for maintainers
  • reduced CI/CD failures for consumers (at least for those that run npm audit as part of their CI)

DependaBot vs RenovateBot

|                                              | DependaBot | RenovateBot |
|----------------------------------------------|------------|-------------|
| post install config (i.e. run npm dedupe)    | No         | Yes         |
| price                                        | Free       | Free        |

Nice to have

  • WIP app

Notes

  • Dependabot (see https://dependabot.com)
  • Renovate Approve (see https://github.com/apps/renovate-approve)
  • Renovate (see https://github.com/marketplace/renovate)
  • Semantic Release (see https://github.com/semantic-release/github)
  • Semantic Pull Requests (see https://github.com/zeke/semantic-pull-requests)

aorinevo, Apr 11 '20 13:04
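The type-to-bump mapping and scope list proposed in the issue above, worked through as commit parsing plus release-bump selection. This is an added example, not code from the issue, Handlebars or semantic-release; the "fix" mapping and the breaking-change rule (taken from the Conventional Commits spec) are assumptions beyond the issue's list, and the version numbers in the comments are constructed.

```python
"""Conventional-commit parsing and semver bump selection for the release policy
sketched in this issue (hypothetical example, not Handlebars or semantic-release code)."""
import re
from typing import Iterable, Optional

# Scopes the issue proposes for Handlebars commits.
ALLOWED_SCOPES = {"parser", "compiler", "runtime", "cli"}
# Type -> bump level, following the issue's example mapping (feat -> patch).
# "fix" -> patch is an assumption; "!" or a BREAKING CHANGE footer forces major.
TYPE_TO_BUMP = {"docs": "patch", "style": "patch", "refactor": "patch",
                "perf": "patch", "feat": "patch", "fix": "patch"}
BUMP_RANK = {None: 0, "patch": 1, "minor": 2, "major": 3}
HEADER_RE = re.compile(
    r"^(?P<type>[a-z]+)(?:\((?P<scope>[^)]*)\))?(?P<bang>!)?: (?P<desc>.+)$")


def parse_commit(message: str) -> dict:
    """Parse one commit message; raise ValueError if it breaks the policy."""
    header, _, body = message.partition("\n")
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"not a conventional commit header: {header!r}")
    scope = m.group("scope")
    if scope is not None and scope not in ALLOWED_SCOPES:
        raise ValueError(f"unknown scope {scope!r}; allowed: {sorted(ALLOWED_SCOPES)}")
    breaking = bool(m.group("bang")) or "BREAKING CHANGE:" in body
    return {"type": m.group("type"), "scope": scope, "breaking": breaking}


def bump_for(commit: dict) -> Optional[str]:
    """Release level one commit demands, or None if it triggers no release."""
    if commit["breaking"]:
        return "major"
    return TYPE_TO_BUMP.get(commit["type"])


def next_version(current: str, messages: Iterable[str]) -> Optional[str]:
    """Apply the highest bump demanded by the commits since `current`."""
    level = None
    for msg in messages:
        cand = bump_for(parse_commit(msg))
        if BUMP_RANK[cand] > BUMP_RANK[level]:
            level = cand
    if level is None:
        return None  # only chore/test/ci-style commits: nothing to release
    parts = [int(p) for p in current.split(".")]
    idx = {"major": 0, "minor": 1, "patch": 2}[level]
    parts[idx] += 1
    parts[idx + 1:] = [0] * (2 - idx)  # reset the lower components
    return ".".join(map(str, parts))
```

A commit with a scope outside the proposed list is rejected outright, which is the check a "semantic pull requests" style gate would apply before anything is merged or released.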

Just want to add a +1 for renovate here. I’ve used it extensively and it is a fantastic tool.

ErisDS, Apr 11 '20 20:04

Do we need extra config for renovate in the repo? If yes, we should add it first and then install the bot.

nknapp, Apr 15 '20 21:04

We will need a renovate.json file to house the configurations; however, it is worth noting that renovate can be enabled without risk:

Renovate will not make any changes to your repository or raise any further Pull Requests until after you merge this initial Pull Request. So if there is anything about the Pull Request that you don't like or understand, take your time to read documentation or ask questions in one of our support forums and merge the PR only once you're satisfied with the result. You can edit your Renovate configuration within this renovate/configure branch and Renovate will keep updating the description in the PR to match, so you can keep doing that until you're satisfied with the results.

~ from https://docs.renovatebot.com/configure-renovate/

aorinevo, Apr 16 '20 12:04

ℹ️ There is now a dependabot configuration: https://github.com/handlebars-lang/handlebars.js/blob/master/.github/dependabot.yml

jaylinski, Jan 02 '22 02:01