Autobuild: Add Github Action for dependency update PRs
Describe the task
We have several external dependencies which are version-locked for reproducibility and security. We should regularly check those for updates. A Github Action scheduled job (cron-style) could do that. It could automatically submit a PR with the suggested update.
- [ ] Github Actions (`uses:`) #2778
- [ ] Pinned dependencies in the build process (aqt, Qt, JACK, jom, NSIS) #2777
- [ ] Android SDK/NDK/Commandlinetools
- [ ] Check #2345 wrt completeness
- [ ] Submodules (liboboe)
- [ ] Add automated update to pylint (inclusion here closes https://github.com/jamulussoftware/jamulus/issues/3056)
Solutions to look into:
- dependabot
- https://github.com/apps/renovate
Dependabot?
Yeah, might be worth a look wrt Github Actions usage. I would not expect it to catch the deps from our build scripts though, unless I'm missing something?
Maybe we can set it up to do that
From https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates#supported-repositories
> Supported repositories: Repository contains dependency manifest file from a package ecosystem that GitHub supports: "Supported package ecosystems"
So it looks like:
- [x] Github Actions could work.
- [x] pip (for aqt) could work (although we would have to create and use a `pipfile.lock`)
That'd mean that the following would require manual work (at least):
- [ ] choco
- [ ] Qt
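For reference, this is what a minimal `.github/dependabot.yml` covering the two ecosystems identified above would look like. It is an added illustration, not a config from the Jamulus repository or from any commenter in this thread; the `/` directory for the pip manifest is an assumption (Dependabot only looks at manifest files such as `Pipfile.lock` or `requirements.txt` in the given directory, and the file would have to be created first). It does not cover versions hard-coded in shell or PowerShell build scripts (choco, Qt, Android tooling), which Dependabot cannot parse.

```yaml
# .github/dependabot.yml (added example, not part of the project)
version: 2
updates:
  # Tracks every `uses:` reference in .github/workflows/*.yml,
  # including actions pinned to a commit SHA, and opens a PR per update.
  - package-ecosystem: "github-actions"
    directory: "/"            # workflows are always resolved from the repo root
    schedule:
      interval: "weekly"

  # Tracks the Python manifest used to install aqt (e.g. Pipfile.lock).
  # Assumed path: repo root; adjust `directory` if the lockfile lives elsewhere.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Keep the update PRs small and reviewable.
    open-pull-requests-limit: 5
```

Each update PR from Dependabot should still be reviewed like any other dependency bump (changelog, diff of the pinned version or SHA) before merging, since an automated PR only moves the pin; it does not vouch for the new release.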
The workflow does not handle most of the Android pinnings (haven't looked into it so far).
I think we should list them in this issue.
I just found out that create-dmg is also missing. So macOS and Android probably need some further investigation.
Not sure what is still outstanding here. Tagging for looking at it in the next release.