Add a lockfile
From a blank build today. I personally think this makes sense.
Reasons:
- basically https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html
- frequently we get cargo deny issues pulled in from under us which we have to explain away
- contributor confusion; why does this not build? we don't want them to be the first to notice a breaking build, that's CI's job
- we can set up dependabot to auto-merge non-breaking changes that pass CI
Downsides:
- we still have to manually fix up most cargo deny issues
- we will get a lot more dependency PRs, but if most are auto-merged then it should be ok? they don't show up in the GitHub releases because of our changelog configuration
AFAIU non-breaking builds do not need to get pins updated from Cargo.toml so this should mostly be a sanity thing for CI and contributors (rather than forcing everyone to bump the dependencies of us).
Have set up automatic dependency merging in all other kube repos, but those are binaries so it's less scary / controversial. My experience with these has been very positive however, so I feel we should probably do this here also.
Codecov Report
Merging #1337 (01dec7f) into main (5813ad0) will not change coverage. The diff coverage is n/a.
@@           Coverage Diff           @@
##            main    #1337   +/-   ##
=====================================
  Coverage    72.1%    72.1%
=====================================
  Files          75       75
  Lines        6377     6377
=====================================
  Hits         4597     4597
  Misses       1780     1780
Re: dependabot, I feel like there should be just a weekly lockfile maintenance which bumps the lockfile to the max dependency versions and not for each dependency individually
We can do that I believe; weekly interval on dependabot with a grouping on "*"
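The weekly, grouped Dependabot configuration described in the comment above, as an added example `.github/dependabot.yml` (not a file from this PR; the group name `all-cargo-deps` and the PR limit are assumptions):

```yaml
# Added example, not part of the kube repository.
# One weekly PR that bumps every crate in Cargo.lock together, instead of
# one PR per dependency.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"            # where Cargo.toml / Cargo.lock live
    schedule:
      interval: "weekly"
    # Group name is an assumption; "*" matches every dependency so all
    # lockfile bumps land in a single PR for CI to validate.
    groups:
      all-cargo-deps:
        patterns:
          - "*"
    # Assumed value: a single grouped PR is all that should be open at once.
    open-pull-requests-limit: 1
```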
Very :+1: on this from me.
I think this is nice personally also, but we could also get a decent approximation of safety with a daily build.
So a couple of things that would be good to get feelings on:
- lockfile safety vs. cron'd check of latest (cargo update + build)
- bump frequency / dependabot grouping setup / automerging (if using lockfile)
- MSRV implications (if we tail latest with a lockfile, then maybe we change the MSRV test to use `-Zminimal-versions` builds? - maybe we should do that anyway)
Feel free to leave comments here, but have also added it as an agenda item for tomorrow's meeting :-)
Why not both?