
CI: Check for dependency updates automatically

Open hoffie opened this issue 3 years ago • 0 comments

Short description of changes

This PR adds a workflow which automatically checks many of our pinned third-party dependencies which cannot be handled easily by dependabot. It currently covers:

  • [x] aqt, Example PR: https://github.com/hoffie/jamulus/pull/85 (Logs)
  • [x] Qt6, Example PR: https://github.com/hoffie/jamulus/pull/86 (Logs)
  • [x] choco-jack, Example PR: https://github.com/hoffie/jamulus/pull/83 (Logs)
  • [x] choco-jom, Example PR: https://github.com/hoffie/jamulus/pull/81 (Logs)
  • [x] NSIS, Example PR: https://github.com/hoffie/jamulus/pull/82 (Logs)
  • [x] ASIO-SDK, Example PR: https://github.com/hoffie/jamulus/pull/84 (Logs)

(The logs are from runs on my repo which had artificially been made outdated regarding all supported components before)

If an update is found, a PR is submitted automatically. The workflow automatically runs once per week (Saturdays). Upon merge or close of the PR, the branch is deleted automatically. PRs are updated automatically if master changes and there is a risk of conflicts. The workflow has been made re-usable and uses a matrix to check the different targets, so it should be somewhat easy to extend (once one has come up with a proper regexp...).

The workflow does not handle most of the Android pinnings (haven't looked into it so far). It does not handle submodules yet (dependabot supports them, but not based on releases/tags, it seems). It does not handle pinned GitHub Actions, as those should be compatible with

CHANGELOG: SKIP

Context: Fixes an issue?

Related: #2346

Does this change need documentation? What needs to be documented and how?

It mostly needs inline documentation to avoid accidental breakage during future refactorings. This documentation in the form of comments is included in this PR.

Status of this Pull Request

Ready for review.

What is missing until this pull request can be merged?

  • [ ] Reviews
  • [ ] Merge of #2665 to avoid unnecessary duplicate PRs
  • [ ] We need to generate an SSH deploy key
  • [ ] Add the public key to jamulussoftware/jamulus with write access
  • [ ] Add the private key as repository secret to jamulussoftware/jamulus (The deploy key is necessary as the workflow is not allowed to modify .github/workflows/ by itself, even in a PR; it's also necessary to ensure proper Checks/Autobuilds on those bot-submitted PRs)

Checklist

  • [x] I've verified that this Pull Request follows the general code principles
  • [x] I tested my code and it does what I want
  • [x] My code follows the style guide
  • [x] I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • [x] I've filled all the content above

hoffie, Aug 12 '22 11:08
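The kind of regexp-driven pin check the description above refers to, as an added example that is not code from this PR or the Jamulus repository. The variable names, the sample script contents and the upstream version lists are constructed assumptions; upstream strings are strictly validated before being written back, since they end up inside a build script.

```python
import re

# Only digits and dots may be written into the pinned file.
RELEASE = re.compile(r"\d+(?:\.\d+)+")

# Hypothetical targets: name -> regexp whose group 1 is the pinned version.
TARGETS = {
    "aqt": re.compile(r'(?m)^AQT_VERSION="([0-9.]+)"'),
    "qt6": re.compile(r'(?m)^QT6_VERSION="([0-9.]+)"'),
    "nsis": re.compile(r'(?m)^NSIS_VERSION="([0-9.]+)"'),
}

def vkey(version):
    """Numeric sort key, so that 6.10.0 ranks above 6.3.2."""
    return tuple(int(part) for part in version.split("."))

def newest_release(candidates):
    """Return the highest well-formed release string, or None."""
    valid = [c for c in candidates if RELEASE.fullmatch(c)]
    return max(valid, key=vkey, default=None)

def check_updates(text, upstream):
    """Return (new_text, bumps); bumps maps target name -> (old, new)."""
    bumps = {}
    for name, pattern in TARGETS.items():
        match = pattern.search(text)
        if match is None:
            # Fail loudly: a silent miss would leave the pin stale forever.
            raise ValueError(f"pin for {name} not found; regexp outdated?")
        old = match.group(1)
        new = newest_release(upstream.get(name, []))
        if new is not None and vkey(new) > vkey(old):
            text = text[:match.start(1)] + new + text[match.end(1):]
            bumps[name] = (old, new)
    return text, bumps

# Constructed sample data, not taken from the real repository or upstreams.
SAMPLE_SCRIPT = 'AQT_VERSION="2.1.0"\nQT6_VERSION="6.3.1"\nNSIS_VERSION="3.08"\n'
SAMPLE_UPSTREAM = {
    "aqt": ["2.0.6", "2.1.0"],                    # already current
    "qt6": ["6.3.2", "6.10.0", "6.11.0-beta1"],   # pre-release is ignored
    "nsis": ["3.09", "3.10-rc1", "latest"],       # malformed tags are ignored
}

if __name__ == "__main__":
    updated, found = check_updates(SAMPLE_SCRIPT, SAMPLE_UPSTREAM)
    for target, (old, new) in found.items():
        print(f"{target}: {old} -> {new}")
```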