Posted to dev@syncope.apache.org by Misagh Moayyed <mi...@tirasa.net> on 2019/12/11 14:00:25 UTC

Automating Syncope's dependency updates

Hey Team,

I suspect most know about this sort of thing, but I thought to share this with you:
https://github.com/renovatebot/renovate

I think this is a useful tool to allow a Github project such as Syncope to automatically receive dependency updates and become self sufficient. It will attempt to parse the project's dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule, update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file. 

It can run in two ways:

1- As a GitHub app, which would be installed for the Apache org on Github and enabled for select repositories, such as Syncope. This option requires coordination/permission from Apache infra, and updates are then automatic.

2- As a CLI tool, where a committer's personal access token is passed as a command-line argument, and the tool can run as part of CI. This option probably does not require anything from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool. 

I am not sure what the CLA policy would be for bots; the second option probably [?] covers this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems like we need clarification from Apache infra.

This is an example of a pull request by the bot:
https://github.com/Jasig/uPortal/pull/1849

This is an example of the bot's JSON configuration file:
https://github.com/Jasig/uPortal/blob/master/renovate.json

How do you feel about this? Is this a good option to pursue and follow up?

The bot also has the ability to rebase PRs, and can also take over the merging process automatically if CI passes or other rules allow. (At some point in the future, I think it will also gain the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully verified.)

--Misagh

[1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)



Re: Automating Syncope's dependency updates

Posted by Fabio Martelli <fa...@gmail.com>.
On 11/12/19 15:00, Misagh Moayyed wrote:
> Hey Team,
>
> I suspect most know about this sort of thing, but I thought to share this with you:
> https://github.com/renovatebot/renovate

Wow, it is really widely used.

Sounds really interesting to have it on Syncope.

+1 for me

>
> I think this is a useful tool to allow a Github project such as Syncope to automatically receive dependency updates and become self sufficient. It will attempt to parse the project's dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule, update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file.
>
> It can run in two ways:
>
> 1- As a GitHub app, which would be installed for the Apache org on Github and enabled for select repositories, such as Syncope. This option requires coordination/permission from Apache infra, and updates are then automatic.
>
> 2- As a CLI tool, where a committer's personal access token is passed as a command-line argument, and the tool can run as part of CI. This option probably does not require anything from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool.
>
> I am not sure what the CLA policy would be for bots; the second option probably [?] covers this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems like we need clarification from Apache infra.
>
> This is an example of a pull request by the bot:
> https://github.com/Jasig/uPortal/pull/1849
>
> This is an example of the bot's JSON configuration file:
> https://github.com/Jasig/uPortal/blob/master/renovate.json
>
> How do you feel about this? Is this a good option to pursue and follow up?
>
> The bot also has the ability to rebase PRs, and can also take over the merging process automatically if CI passes or other rules allow. (At some point in the future, I think it will also gain the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully verified.)
>
> --Misagh
>
> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)
>
>

-- 
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email&pk_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/


Re: Automating Syncope's dependency updates

Posted by Matteo Alessandroni <sk...@apache.org>.
Hi Misagh,

I find your proposal very interesting, so for me +1.

Just want to underline that /Renovate/ has recently joined /WhiteSource/ [1], 
and this is a plus IMHO because /WhiteSource/ is known to deal with the 
open source security world and the takeover lets them provide their 
offerings for free (good news for us too :)).
Moreover, I remember hearing about /Renovate/ in the front-end world 
context; it was mentioned as being very useful for all projects using 
NPM packages.

Regards,
Matteo

[1] https://renovate.whitesourcesoftware.com/blog/renovate-is-now-part-of-whitesource/


On 11/12/19 15:00, Misagh Moayyed wrote:
> Hey Team,
>
> I suspect most know about this sort of thing, but I thought to share this with you:
> https://github.com/renovatebot/renovate
>
> I think this is a useful tool to allow a Github project such as Syncope to automatically receive dependency updates and become self sufficient. It will attempt to parse the project's dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule, update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file.
>
> It can run in two ways:
>
> 1- As a GitHub app, which would be installed for the Apache org on Github and enabled for select repositories, such as Syncope. This option requires coordination/permission from Apache infra, and updates are then automatic.
>
> 2- As a CLI tool, where a committer's personal access token is passed as a command-line argument, and the tool can run as part of CI. This option probably does not require anything from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool.
>
> I am not sure what the CLA policy would be for bots; the second option probably [?] covers this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems like we need clarification from Apache infra.
>
> This is an example of a pull request by the bot:
> https://github.com/Jasig/uPortal/pull/1849
>
> This is an example of the bot's JSON configuration file:
> https://github.com/Jasig/uPortal/blob/master/renovate.json
>
> How do you feel about this? Is this a good option to pursue and follow up?
>
> The bot also has the ability to rebase PRs, and can also take over the merging process automatically if CI passes or other rules allow. (At some point in the future, I think it will also gain the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully verified.)
>
> --Misagh
>
> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)
>
>

Re: Automating Syncope's dependency updates

Posted by Andrea Patricelli <an...@apache.org>.
Hi Misagh,

very interesting tool, +1 for me about setting it up on Syncope.

The only thing that comes to my mind is that we should first set up a 
set of "critical" dependencies to exclude (due to breaking changes or 
integration issues with other dependencies); I'm thinking about Spring 
and/or major releases, Wicket, Wicket-bootstrap, etc.

Best regards,
Andrea

On 11/12/19 15:00, Misagh Moayyed wrote:
> Hey Team,
>
> I suspect most know about this sort of thing, but I thought to share this with you:
> https://github.com/renovatebot/renovate
>
> I think this is a useful tool to allow a Github project such as Syncope to automatically receive dependency updates and become self sufficient. It will attempt to parse the project's dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule, update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file.
>
> It can run in two ways:
>
> 1- As a GitHub app, which would be installed for the Apache org on Github and enabled for select repositories, such as Syncope. This option requires coordination/permission from Apache infra, and updates are then automatic.
>
> 2- As a CLI tool, where a committer's personal access token is passed as a command-line argument, and the tool can run as part of CI. This option probably does not require anything from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool.
>
> I am not sure what the CLA policy would be for bots; the second option probably [?] covers this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems like we need clarification from Apache infra.
>
> This is an example of a pull request by the bot:
> https://github.com/Jasig/uPortal/pull/1849
>
> This is an example of the bot's JSON configuration file:
> https://github.com/Jasig/uPortal/blob/master/renovate.json
>
> How do you feel about this? Is this a good option to pursue and follow up?
>
> The bot also has the ability to rebase PRs, and can also take over the merging process automatically if CI passes or other rules allow. (At some point in the future, I think it will also gain the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully verified.)
>
> --Misagh
>
> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)
>
>
-- 
Dott. Andrea Patricelli
Tel. +39 3204524292

Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
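
Putting Misagh's point about schedule, update policy and inclusion/exclusion rules together with Andrea's list of critical dependencies, here is an illustrative renovate.json for a Maven project (added here as an example; it is neither Syncope's configuration nor the uPortal file linked in the thread). It restricts Renovate to the Maven manager, withholds major Spring updates, leaves Wicket and Wicket-Bootstrap to committers entirely, and keeps automerge off so every PR still has to pass CI and a committer's review; the group IDs used in the patterns are assumptions about the project's dependency coordinates.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": [
    "Illustrative configuration for a Maven project such as Syncope; package coordinates are assumed.",
    "Critical frameworks are held back from breaking bumps; everything else is proposed as a normal PR."
  ],
  "extends": ["config:base"],
  "enabledManagers": ["maven"],
  "timezone": "Europe/Rome",
  "schedule": ["every weekend"],
  "labels": ["dependencies"],
  "prConcurrentLimit": 5,
  "rebaseWhen": "behind-base-branch",
  "automerge": false,
  "packageRules": [
    {
      "description": "Spring: no automatic major upgrades (breaking changes); minor and patch PRs are still opened.",
      "matchManagers": ["maven"],
      "matchPackagePatterns": ["^org\\.springframework"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "description": "Wicket and Wicket-Bootstrap must move together, so leave them to a committer. The wicket-bootstrap groupId is assumed.",
      "matchManagers": ["maven"],
      "matchPackagePatterns": ["^org\\.apache\\.wicket", "^de\\.agilecoders\\.wicket"],
      "enabled": false
    },
    {
      "description": "Bundle the remaining minor/patch updates into one PR per run to keep the review load low.",
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "non-major maven dependencies"
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"]
  }
}
```

If the CLI route is chosen, pass the committer's token through the RENOVATE_TOKEN environment variable rather than as a command-line argument, so it does not surface in CI logs or process listings.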


Re: Automating Syncope's dependency updates

Posted by Francesco Chicchiriccò <il...@apache.org>.
FYI: https://issues.apache.org/jira/browse/INFRA-19586

Regards.

On 17/12/19 05:38, Misagh Moayyed wrote:
> Sure, will do. Thanks everyone. 
>
> --Misagh
>
> ----- Original Message -----
>> From: "Francesco Chicchiriccò" <il...@apache.org>
>> To: "dev" <de...@syncope.apache.org>
>> Sent: Monday, December 16, 2019 12:22:45 PM
>> Subject: Re: Automating Syncope's dependency updates
>> Hi Misagh,
>> it seems we have some consensus here, please go ahead and open an issue on
>>
>> https://issues.apache.org/jira/browse/INFRA
>>
>> about this topic, thanks.
>>
>> Regards.
>>
>> On 11/12/19 15:13, Francesco Chicchiriccò wrote:
>>> Hi Misagh,
>>> renovatebot looks interesting and worth at least exploring the possibility of
>>> adding it at project (rather than committer) level.
>>>
>>> +1 to go ahead and ask Infra team about it.
>>> Regards.
>>>
>>> On 11/12/19 15:00, Misagh Moayyed wrote:
>>>> Hey Team,
>>>>
>>>> I suspect most know about this sort of thing, but I thought to share this with
>>>> you:
>>>> https://github.com/renovatebot/renovate
>>>>
>>>> I think this is a useful tool to allow a Github project such as Syncope to
>>>> automatically receive dependency updates and become self sufficient. It will
>>>> attempt to parse the project's dependencies/pom and will then begin to issue
>>>> pull requests with relevant updates. Its schedule, update policy and
>>>> inclusion/exclusion rules can all be controlled via a .renovate JSON file.
>>>>
>>>> It can run in two ways:
>>>>
>>>> 1- As a GitHub app, which would be installed for the Apache org on Github and
>>>> enabled for select repositories, such as Syncope. This option requires
>>>> coordination/permission from Apache infra, and updates are then automatic.
>>>>
>>>> 2- As a CLI tool, where a committer's personal access token is passed as a
>>>> command-line argument, and the tool can run as part of CI. This option probably
>>>> does not require anything from Apache infra [?], and updates can be cancelled
>>>> as part of the CI job that runs the tool.
>>>>
>>>> I am not sure what the CLA policy would be for bots; the second option probably
>>>> [?] covers this, as PRs are issued on behalf of the committer whose AT is used.
>>>> Either way, it seems like we need clarification from Apache infra.
>>>>
>>>> This is an example of a pull request by the bot:
>>>> https://github.com/Jasig/uPortal/pull/1849
>>>>
>>>> This is an example of the bot's JSON configuration file:
>>>> https://github.com/Jasig/uPortal/blob/master/renovate.json
>>>>
>>>> How do you feel about this? Is this a good option to pursue and follow up?
>>>>
>>>> The bot also has the ability to rebase PRs, and can also take over the merging
>>>> process automatically if CI passes or other rules allow. (At some point in the
>>>> future, I think it will also gain the ability to travel back in time and kill
>>>> Sarah Connor [1], but that has yet to be fully verified.)
>>>>
>>>> --Misagh
>>>>
>>>> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)
>> --
>> Francesco Chicchiriccò
>>
>> Tirasa - Open Source Excellence
>> http://www.tirasa.net/
>>
>> Member at The Apache Software Foundation
>> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
>> http://home.apache.org/~ilgrosso/


-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Automating Syncope's dependency updates

Posted by Misagh Moayyed <mi...@tirasa.net>.
Sure, will do. Thanks everyone. 

--Misagh

----- Original Message -----
> From: "Francesco Chicchiriccò" <il...@apache.org>
> To: "dev" <de...@syncope.apache.org>
> Sent: Monday, December 16, 2019 12:22:45 PM
> Subject: Re: Automating Syncope's dependency updates

> Hi Misagh,
> it seems we have some consensus here, please go ahead and open an issue on
> 
> https://issues.apache.org/jira/browse/INFRA
> 
> about this topic, thanks.
> 
> Regards.
> 
> On 11/12/19 15:13, Francesco Chicchiriccò wrote:
>> Hi Misagh,
>> renovatebot looks interesting and worth at least exploring the possibility of
>> adding it at project (rather than committer) level.
>>
>> +1 to go ahead and ask Infra team about it.
>> Regards.
>>
>> On 11/12/19 15:00, Misagh Moayyed wrote:
>>> Hey Team,
>>>
>>> I suspect most know about this sort of thing, but I thought to share this with
>>> you:
>>> https://github.com/renovatebot/renovate
>>>
>>> I think this is a useful tool to allow a Github project such as Syncope to
>>> automatically receive dependency updates and become self sufficient. It will
>>> attempt to parse the project's dependencies/pom and will then begin to issue
>>> pull requests with relevant updates. Its schedule, update policy and
>>> inclusion/exclusion rules can all be controlled via a .renovate JSON file.
>>>
>>> It can run in two ways:
>>>
>>> 1- As a GitHub app, which would be installed for the Apache org on Github and
>>> enabled for select repositories, such as Syncope. This option requires
>>> coordination/permission from Apache infra, and updates are then automatic.
>>>
>>> 2- As a CLI tool, where a committer's personal access token is passed as a
>>> command-line argument, and the tool can run as part of CI. This option probably
>>> does not require anything from Apache infra [?], and updates can be cancelled
>>> as part of the CI job that runs the tool.
>>>
>>> I am not sure what the CLA policy would be for bots; the second option probably
>>> [?] covers this, as PRs are issued on behalf of the committer whose AT is used.
>>> Either way, it seems like we need clarification from Apache infra.
>>>
>>> This is an example of a pull request by the bot:
>>> https://github.com/Jasig/uPortal/pull/1849
>>>
>>> This is an example of the bot's JSON configuration file:
>>> https://github.com/Jasig/uPortal/blob/master/renovate.json
>>>
>>> How do you feel about this? Is this a good option to pursue and follow up?
>>>
>>> The bot also has the ability to rebase PRs, and can also take over the merging
>>> process automatically if CI passes or other rules allow. (At some point in the
>>> future, I think it will also gain the ability to travel back in time and kill
>>> Sarah Connor [1], but that has yet to be fully verified.)
>>>
>>> --Misagh
>>>
>>> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)
> 
> --
> Francesco Chicchiriccò
> 
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
> 
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/

Re: Automating Syncope's dependency updates

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Misagh,
it seems we have some consensus here, please go ahead and open an issue on

https://issues.apache.org/jira/browse/INFRA

about this topic, thanks.

Regards.

On 11/12/19 15:13, Francesco Chicchiriccò wrote:
> Hi Misagh,
> renovatebot looks interesting and worth at least exploring the possibility of adding it at project (rather than committer) level.
>
> +1 to go ahead and ask Infra team about it.
> Regards.
>
> On 11/12/19 15:00, Misagh Moayyed wrote:
>> Hey Team,
>>
>> I suspect most know about this sort of thing, but I thought to share this with you:
>> https://github.com/renovatebot/renovate
>>
>> I think this is a useful tool to allow a Github project such as Syncope to automatically receive dependency updates and become self sufficient. It will attempt to parse the project's dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule, update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file. 
>>
>> It can run in two ways:
>>
>> 1- As a GitHub app, which would be installed for the Apache org on Github and enabled for select repositories, such as Syncope. This option requires coordination/permission from Apache infra, and updates are then automatic.
>>
>> 2- As a CLI tool, where a committer's personal access token is passed as a command-line argument, and the tool can run as part of CI. This option probably does not require anything from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool. 
>>
>> I am not sure what the CLA policy would be for bots; the second option probably [?] covers this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems like we need clarification from Apache infra.
>>
>> This is an example of a pull request by the bot:
>> https://github.com/Jasig/uPortal/pull/1849
>>
>> This is an example of the bot's JSON configuration file:
>> https://github.com/Jasig/uPortal/blob/master/renovate.json
>>
>> How do you feel about this? Is this a good option to pursue and follow up?
>>
>> The bot also has the ability to rebase PRs, and can also take over the merging process automatically if CI passes or other rules allow. (At some point in the future, I think it will also gain the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully verified.)
>>
>> --Misagh
>>
>> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Automating Syncope's dependency updates

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Misagh,
renovatebot looks interesting and worth at least exploring the possibility of adding it at project (rather than committer) level.

+1 to go ahead and ask Infra team about it.
Regards.

On 11/12/19 15:00, Misagh Moayyed wrote:
> Hey Team,
>
> I suspect most know about this sort of thing, but I thought to share this with you:
> https://github.com/renovatebot/renovate
>
> I think this is a useful tool to allow a Github project such as Syncope to automatically receive dependency updates and become self sufficient. It will attempt to parse the project's dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule, update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file. 
>
> It can run in two ways:
>
> 1- As a GitHub app, which would be installed for the Apache org on Github and enabled for select repositories, such as Syncope. This option requires coordination/permission from Apache infra, and updates are then automatic.
>
> 2- As a CLI tool, where a committer's personal access token is passed as a command-line argument, and the tool can run as part of CI. This option probably does not require anything from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool. 
>
> I am not sure what the CLA policy would be for bots; the second option probably [?] covers this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems like we need clarification from Apache infra.
>
> This is an example of a pull request by the bot:
> https://github.com/Jasig/uPortal/pull/1849
>
> This is an example of the bot's JSON configuration file:
> https://github.com/Jasig/uPortal/blob/master/renovate.json
>
> How do you feel about this? Is this a good option to pursue and follow up?
>
> The bot also has the ability to rebase PRs, and can also take over the merging process automatically if CI passes or other rules allow. (At some point in the future, I think it will also gain the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully verified.)
>
> --Misagh
>
> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator)

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/