Consider using Renovate #15726
just a note: the default commit tag is a little different than ours. we may need to update
Very much in favor of using an automatic dependency updater. I do like Renovate, although Dependabot has become my default automatic dependency updater since GitHub acquired and integrated it. Any reason to choose one over the other?
Renovate is awesome and far more configurable, and dependabot imo is junk, altho it’s slowly getting better over time. You can configure any commit message convention you like.
I just can’t stand the millions of one-off dependabot update PRs. I’m open to anything that gets us out of that situation.
Oops! It looks like we lost track of this issue. What do we want to do here? This issue will auto-close in 7 days without an update.
I’m testing Renovate on my own repos. Will report back with feedback.
TSC Summary: This issue proposes setting up Renovate on ESLint repos. Renovate prefers to pin all dependencies and send pull requests to update each dependency individually. It can be a bit noisy, but it would ensure that we are regularly updating dependencies, which is something we don't do very well right now. TSC Agenda: Should we enable Renovate on the org?
Note you can customize the config to group updates if you like, much more granularly than any other alternative I’m aware of.
We accepted this change in the 2023-02-09 TSC meeting. I'm working on
Hi, the Renovate team would be happy to help you get onboarded. Here's what I recommend:
You will then get a single "Dependency Dashboard" issue like renovate-reproductions#2. No further PRs will be sent unless a maintainer requests them on-demand from that Issue. In other words, my recommendation above will result in only 1 (merged) PR and one open Issue. Observations:
You don't need to change anything, and Renovate can work happily with this approach, but in future you could consider:

Pinning GitHub actions to SHAs and exact versions (e.g. v3.0.1 not v3)

Easiest way to pin your GitHub Actions is to add:

```diff
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base",
    ":dependencyDashboardApproval",
    ":semanticCommitScopeDisabled",
+   "helpers:pinGitHubActionDigests"
  ]
}
```

Renovate will then create a PR that pins all the actions. The GitHub Docs say:

General "noise reduction" strategies

When you start allowing Renovate to create update PRs automatically, you may use noise reduction strategies, for example:
fwiw i don’t think it’s actually a good idea to pin actions to a sha for the same reason it’s not a good idea to pin a dependency on a single version number, but I’ll let the eslint folks make that decision.
@btmills are you still interested in implementing this?
@nzakas I will give it a try.
@aladdin-add thanks!
@aladdin-add I'd recommend this configuration in your

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboardApproval",
    "helpers:pinGitHubActionDigests",
    ":semanticCommitTypeAll(ci)"
  ]
}
```
sgtm! 👍
I prefer not to use it. To start with, I prefer to start with a minimal configuration; as we currently don't do that, I think that's something we can consider in the future.
All the eslint repos follow conventional commits, but currently do not use scopes: https://eslint.org/docs/latest/contribute/pull-requests#step-2-make-your-changes.
GitHub recommends you pin your actions

I'll just say (again) that GitHub really recommends you pin your actions:

With that warning out of the way: it's your repository, and your rules. 😉

Drop scopes

Oh, I did not see you're not using scopes... 😄 Here's a better idea:

New proposed config

Changes:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboardApproval",
    ":semanticCommitTypeAll(ci)",
    ":semanticCommitScopeDisabled"
  ]
}
```
Pinning your actions is harmful, because it prevents bug and security fixes from flowing into your CI. That GitHub recommends it shouldn’t hold much weight.
I assume you mean: prevents fixes from flowing into your CI automatically? Here's the sequence of events, when pinning:
Say a user uses the standard version syntax, like
Am I right in thinking you value getting your action updates now and automatically higher than any SHA-pinning guarantees?
I think the creators of GitHub Actions probably know best how end-users should use and secure it. If their docs say: pin your actions, I'm happy to assume that's the best thing to do for most users. 😄
Yes, preventing the automatic flow of fixes is harmful. Using renovate or similar to keep actions updated mitigates this, but at the cost of tons of PR noise.
This is almost always a flawed assumption; the creators of a thing aren't guaranteed to know how to use it best. Also, the creators of github actions aren't likely the ones who wrote those docs; i'd bet that was the security team.
I think we're missing some context in this discussion: GitHub recommends pinning against an action SHA for third party actions. And I agree, if we end up using actions from untrusted sources, this is probably the way to go. I don't think pinning ALL actions to a SHA makes sense for the reasons @ljharb mentioned.
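The pinning disagreement above comes down to which `uses:` references in a workflow carry a mutable ref (a tag or branch) and which are already a commit SHA. As an added example, not code from this thread or from Renovate, here is a small audit script that classifies each reference; the workflow text and the 40-hex SHA in it are constructed placeholders.

```javascript
// Added example (mine, not from this thread or Renovate): audit the `uses:`
// references in a GitHub Actions workflow and report how each one is pinned.
// The workflow text and the 40-hex SHA below are constructed placeholders.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  test:",
  "    steps:",
  "      - uses: actions/checkout@v3",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0",
  "      - uses: some-org/some-action@main",
  "      - uses: ./.github/actions/local-step",
  "      - run: npm test",
].join("\n");

// A 40-hex ref is an immutable commit; "v3.0.1" is an exact tag (still movable
// by the action's owner); "v3"/"v3.1" are floating tags; anything else is a branch.
function classifyRef(ref) {
  if (/^[0-9a-f]{40}$/i.test(ref)) return "sha";
  if (/^v?\d+\.\d+\.\d+$/.test(ref)) return "exact-tag";
  if (/^v?\d+(\.\d+)?$/.test(ref)) return "floating-tag";
  return "branch";
}

// Line-oriented scan of the flat `- uses: owner/repo@ref # comment` form, so no
// YAML parser is needed. Returns one finding per remote action reference.
function auditWorkflow(yamlText) {
  const findings = [];
  for (const line of yamlText.split("\n")) {
    const m = line.match(/^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?/);
    if (!m) continue;
    const [, spec, comment] = m;
    // Local paths and docker:// images carry no git ref to pin.
    if (spec.startsWith("./") || spec.startsWith("docker://")) continue;
    const at = spec.lastIndexOf("@");
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? "" : spec.slice(at + 1);
    const kind = ref ? classifyRef(ref) : "missing-ref";
    // versionComment is the "# v4.0.0" hint tools like Renovate keep beside a digest.
    findings.push({ action, ref, kind, versionComment: comment || null });
  }
  return findings;
}

// Everything not pinned to a commit SHA, in the form it appears in the workflow.
function unpinnedActions(yamlText) {
  return auditWorkflow(yamlText)
    .filter((f) => f.kind !== "sha")
    .map((f) => `${f.action}@${f.ref}`);
}
console.log(unpinnedActions(SAMPLE_WORKFLOW));
```

Run over a real `.github/workflows/*.yml` file, the `unpinnedActions` list is exactly the set of references that `helpers:pinGitHubActionDigests` would rewrite, and the `versionComment` field shows whether a SHA pin still carries a human-readable version hint.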
A new note: I'd recommend using Renovate's
@JoshuaKGoldberg do you want to explore setting it up for this repo?
Can do! I'll put it on my task list for this week. Will edit this comment if I run over. Edit: this week 🙃
Just a heads up that I enabled Renovate in the repo. I believe it won't start creating PRs yet.
I put some more implementation questions in the description of #17567.
This app helps keep dependencies up to date:
https://github.com/marketplace/renovate
What do we think about including this in the repo?