Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/04/07 06:42:23 UTC

[GitHub] [druid] xvrl opened a new pull request #11079: enable dependabot for dependency updates

xvrl opened a new pull request #11079:
URL: https://github.com/apache/druid/pull/11079


   As discussed on the dev@ mailing list, I am proposing we start using GitHub's Dependabot to manage updates.
   If we agree, then checking in this file should automatically enable Dependabot for us.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] jihoonson edited a comment on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
jihoonson edited a comment on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-830544508


   Hmm, I'm a bit worried about this change. There are many integration tests that don't run on Travis because they require extra setup such as S3 credentials and a bucket. Should we resolve this issue first?




[GitHub] [druid] xvrl commented on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
xvrl commented on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-846455108


   > There are many integration tests that don't run on Travis because they require extra setup such as S3 credentials and a bucket. Should we resolve this issue first?
   
   @jihoonson if we don't have a good way of catching these things today as part of our CI builds, I'm not sure there is a difference between automation and humans submitting PRs. We still need to approve these changes before they get merged, so I would hope that we don't approve upgrades if we are aware that they might affect some of those tests.
   
   We can of course exclude any dependencies that we know lack good integration test coverage to be safe.




[GitHub] [druid] jihoonson edited a comment on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
jihoonson edited a comment on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-856232406


   > @jihoonson if we don't have a good way of catching these things today as part of our CI builds, I'm not sure there is a difference between automation and humans submitting PRs. We still need to approve these changes before they get merged, so I would hope that we don't approve upgrades if we are aware that they might affect some of those tests.
   > 
   > We can of course exclude any dependencies that we know lack good integration test coverage to be safe.
   
   The difference will be that the PR author will be responsible for testing in a human-oriented way (that is, the testing burden is more distributed), while it will be the reviewers in the automatic way until we have some automatic testing. This will increase the burden on the reviewers, especially given that we don't have many active reviewers today. But I agree that having more tests running on Travis doesn't solve the root cause.
   
   I'm wondering if we can have an allow list for dependencies that we are confident upgrading automatically instead of using a deny list. Assuming the allow list will contain only the dependencies whose testing scope we know, I would be more confident merging the PRs that this bot will create without actually testing them myself.

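The allow-list approach proposed above, written out as an added `dependabot.yml` example; this is not the file from this PR, and the dependency name, run time and label are constructed placeholders rather than values the Druid project chose:

```yaml
# Added example (not the file from PR #11079): the same Maven update block,
# restricted to an explicit allow list so that only dependencies whose
# integration-test coverage reviewers trust get automatic upgrade PRs.
# "com.example:well-covered-lib" is a constructed placeholder.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
      # A fixed run time is only unambiguous with an explicit timezone.
      time: "05:00"
      timezone: "Etc/UTC"
    # Allow list: anything not named here is never proposed, so dependencies
    # whose tests need S3 credentials, Kinesis, or Hadoop setups stay manual.
    allow:
      - dependency-name: "com.example:well-covered-lib"
    # Keep the number of concurrent bot PRs bounded for reviewers.
    open-pull-requests-limit: 5
    # A label makes bot-authored upgrades easy to spot in review queues.
    labels:
      - "dependencies"
```

With `allow` present, `ignore` becomes unnecessary for scoping: an `ignore` block is a deny list, so every dependency not listed in it is still a candidate, whereas `allow` inverts that default. Dependabot's configuration does not offer a field for the PR body text, so the `labels` entry is the practical hook for flagging reviewers that a bot PR touches a dependency with known CI gaps.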



[GitHub] [druid] asdf2014 commented on a change in pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
asdf2014 commented on a change in pull request #11079:
URL: https://github.com/apache/druid/pull/11079#discussion_r624370070



##########
File path: .github/dependabot.yml
##########
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
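Review bot: the visible hunk scopes updates only by `package-ecosystem` and `directory`, with no `allow`, `ignore` or `open-pull-requests-limit`, so every Maven dependency Dependabot can resolve from `/` becomes a candidate for a daily upgrade PR, bounded only by the default open-PR limit discussed later in the thread. Given the concern raised in the thread about dependencies whose integration tests do not run in CI, consider an explicit `allow:` block (`allow:` / `  - dependency-name: "<group>:<artifact>"`) naming the dependencies with known test scope, and a one-line comment in the file recording that bot PRs still require a human review before merge.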

Review comment:
       Cool :+1:






[GitHub] [druid] xvrl commented on a change in pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
xvrl commented on a change in pull request #11079:
URL: https://github.com/apache/druid/pull/11079#discussion_r624308763



##########
File path: .github/dependabot.yml
##########
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:
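Review bot: `ignore:` is the last line shown and carries no entries; as written it is a null value, whereas the option takes a list of `dependency-name` mappings (optionally with `versions`). The hunk header counts 8 added lines and 7 are visible, so the entries may sit in the cut-off line; if not, either drop the key or populate it. Also note that `ignore` is a deny list: anything not named in it is still upgraded, which is the opposite of the allow-list approach suggested elsewhere in the thread.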

Review comment:
       the default is already limited to 5 PRs, so I think we are good (see https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#open-pull-requests-limit)






[GitHub] [druid] jihoonson commented on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
jihoonson commented on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-856232406


   > @jihoonson if we don't have a good way of catching these things today as part of our CI builds, I'm not sure there is a difference between automation and humans submitting PRs. We still need to approve these changes before they get merged, so I would hope that we don't approve upgrades if we are aware that they might affect some of those tests.
   > 
   > We can of course exclude any dependencies that we know lack good integration test coverage to be safe.
   
   The difference will be that the PR author will be responsible for testing in a human-oriented way (that is, the testing burden is more distributed), while it will be the reviewers in the automatic way until we have some automatic testing. This will increase the burden on the reviewers, especially given that we don't have many active reviewers today. But I agree that having more tests running on Travis solves the root cause.
   
   I'm wondering if we can have an allow list for dependencies that we are confident upgrading automatically instead of using a deny list. Assuming the allow list will contain only the dependencies whose testing scope we know, I would be more confident merging the PRs that this bot will create without actually testing them myself.




[GitHub] [druid] xvrl commented on a change in pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
xvrl commented on a change in pull request #11079:
URL: https://github.com/apache/druid/pull/11079#discussion_r624308367



##########
File path: .github/dependabot.yml
##########
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"

Review comment:
       I don't think we need to change this, since the default is already fixed at `5:00 UTC` according to https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#scheduletime






[GitHub] [druid] xvrl commented on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
xvrl commented on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-830462552


   > As far as I know, the Dependabot Preview will be shut down on August 3rd, 2021. In order to keep getting Dependabot updates, we must merge this PR and migrate to GitHub-native Dependabot before then
   
   @asdf2014 my PR is already for the native GitHub integration, since it is part of the `.github` directory, as described here https://docs.github.com/en/code-security/supply-chain-security/enabling-and-disabling-version-updates#about-version-updates-for-dependencies




[GitHub] [druid] asdf2014 commented on a change in pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
asdf2014 commented on a change in pull request #11079:
URL: https://github.com/apache/druid/pull/11079#discussion_r624369990



##########
File path: .github/dependabot.yml
##########
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:

Review comment:
       Good to know, thanks :+1:






[GitHub] [druid] jihoonson edited a comment on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
jihoonson edited a comment on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-856232406


   > @jihoonson if we don't have a good way of catching these things today as part of our CI builds, I'm not sure there is a difference between automation and humans submitting PRs. We still need to approve these changes before they get merged, so I would hope that we don't approve upgrades if we are aware that they might affect some of those tests.
   > 
   > We can of course exclude any dependencies that we know lack good integration test coverage to be safe.
   
   The difference will be that the PR author will be responsible for testing in a human-oriented way (that is, the testing burden is more distributed), while it will be the reviewers in the automatic way until we have some automatic testing. This will increase the burden on the reviewers, especially given that we don't have many active reviewers today. But I agree that having more tests running on Travis doesn't solve the root cause unless it covers 100% of the code.
   
   I'm wondering if we can have an allow list for dependencies that we are confident upgrading automatically instead of using a deny list. Assuming the allow list will contain only the dependencies whose testing scope we know, I would be more confident merging the PRs that this bot will create without actually testing them myself.




[GitHub] [druid] asdf2014 commented on a change in pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
asdf2014 commented on a change in pull request #11079:
URL: https://github.com/apache/druid/pull/11079#discussion_r622689719



##########
File path: .github/dependabot.yml
##########
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
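Review bot: `schedule` sets only `interval: "daily"`, so the run time is whatever Dependabot defaults to. If a fixed `time:` is added as the comment below suggests, pair it with `timezone:`; `time` alone is interpreted in UTC, so a value such as `"21:00"` chosen with a local clock in mind would run at a different hour than intended.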

Review comment:
       It would be better to add the `time: "21:00"` option under `schedule`, and then we can maintain dependency upgrades at a fixed time every day, which is more convenient than a random time.

##########
File path: .github/dependabot.yml
##########
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:

Review comment:
       I think we should add the `open-pull-requests-limit: 10` configuration to limit the number of open PRs for easy access and maintenance.






[GitHub] [druid] xvrl merged pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
xvrl merged pull request #11079:
URL: https://github.com/apache/druid/pull/11079


   




[GitHub] [druid] suneet-s commented on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
suneet-s commented on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-817982658


   I'm +1 on this approach. I think our IT coverage is quite good at this point (except maybe for Hadoop).
   
   Could we customize the message in the PR that this bot creates to warn reviewers of any gotchas like Kinesis tests not running as part of CI, missing Hadoop tests, etc.?




[GitHub] [druid] jihoonson commented on pull request #11079: enable dependabot for dependency updates

Posted by GitBox <gi...@apache.org>.
jihoonson commented on pull request #11079:
URL: https://github.com/apache/druid/pull/11079#issuecomment-830544508


   Hmm, I'm a bit worried about this change. There are many integration tests that don't run on Travis because they require extra setup such as S3 credentials and a bucket. Should we resolve this issue first? I also think it would be better to move Hadoop out as a separate extension from core before we do this.

