Improve automatic dependency updates

Open twpayne opened this issue 11 months ago • 3 comments

Is your feature request related to a problem? Please describe.

I'm always frustrated when I have to update chezmoi's dependencies as it requires a lot of manual work:

  • I can update most Go modules in go.mod with go get -u -t ./..., but I then need to run make test-release to build chezmoi for all platforms to update go.sum, as long as these are only minor version bumps.
  • Dependabot currently opens per-Go-module PRs which is a lot of PR noise.
  • I check for major Go module version bumps with gomajor, but dealing with the output of this sometimes requires additional work.
  • I have a private script for updating GitHub Actions versions.
  • For tool versions, I currently have to manually check each one of them.
  • Very rarely, I check Python requirements (in chezmoi's various requirements*.txt files).

Describe the solution you'd like

I would like an automatic tool to propose high-level dependency update PRs that update related dependencies together, e.g. bumping all minor Go module version dependencies in the same PR.

Describe alternatives you've considered

Keeping this as-is, or writing some tooling myself.

Additional context

  • I'd love help with this.
  • It's not necessary to solve all of the above problems in one go.
  • I think that switching from dependabot to renovatebot might help.
  • If you want to work on this, please say so in a comment on this issue so people don't end up duplicating work.

twpayne avatar Mar 08 '24 23:03 twpayne

I tried and moved back from Renovate; I didn't like it — I should consider giving it another try.

Dependabot grouping is somewhat useful, and there is the ability to use update-types to ensure that minor or patch items are upgraded as one PR.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups

halostatue avatar Mar 09 '24 01:03 halostatue
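
The grouping described in the comment above, written out as a .github/dependabot.yml. This is an added example, not part of the thread and not chezmoi's actual configuration. The group names, the weekly schedule and the "/" directories are assumptions; the keys are the ones documented at the linked page.

```yaml
# Added example: group minor and patch bumps into one PR per ecosystem.
# Group names, schedule and directories are assumptions for illustration.
version: 2
updates:
  - package-ecosystem: gomod
    directory: /                 # assumed location of go.mod
    schedule:
      interval: weekly
    groups:
      go-minor-and-patch:        # hypothetical group name
        patterns:
          - "*"                  # every Go module in go.mod
        update-types:
          - minor
          - patch
    # Major bumps match no group, so each still arrives as its own PR.
    # That keeps changes needing import-path edits out of the batch.

  - package-ecosystem: github-actions
    directory: /                 # Dependabot scans .github/workflows from here
    schedule:
      interval: weekly
    groups:
      actions:                   # hypothetical group name
        patterns:
          - "*"                  # all action version bumps in one PR
```

Leaving major updates out of the Go group means a failing grouped PR can only be caused by a minor or patch bump, which narrows what has to be reviewed before merging.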

@twpayne gomajor list takes an optional -json flag.

icholy avatar May 13 '24 19:05 icholy

Thanks! The issue with bumping major versions is that it requires modifying the source files (i.e. at least updating import statements with the new package path, and occasionally modifying code for the new API). However, the -json flag to gomajor list should make it easier to write some basic automation around this, thank you!

twpayne avatar May 13 '24 20:05 twpayne