Dependabot-like GitHub action for Scarb #1083
Comments
I will love to attempt this.
The task is yours 💞
Awesome! I will share an MVP before noon Friday CST
Nice 🤩 Though, don't enforce any deadlines on you mate! No need to rush it.
Alright. Quick update: Here is the repo, I am building the custom action in I will make additional push with my progress soon, and I am also willing to transfer it to software-mansion organization once it works fine. That is if y'all are open to that.
Awesome! Can't wait to see the progress :D You can leave this repository under your name and maintenance. I think moving it to our org would make it more complicated for you to work on.
Hi @okhaimie-dev!
Moving this issue back to backlog due to no activity. It's open for contributions again! :)
Is this issue still open? If so I'd love to have a crack at it.
Hi @cwastche!
Hi @maciektr! This is the current repo for an MVP GHA that will bump cairo dependencies by running the 'scarb update' and creating a PR with the new changes: https://github.com/cwastche/Dependascarbabot Regarding version resolution, is the plan still to use PubGrub, and has any work already been done in that regard?
Hi @cwastche! I've tested your actions and for me it's a great first iteration! ❤️ ❤️ ❤️ Superb effort! Two minor suggestions:
One concern: Nevertheless, the usage guide in your README would benefit from a short note on the risks associated with token use and a short instruction on token management (to store PAT in github secrets, as I expect some users will get lost here otherwise). Otherwise, I don't think I have more suggestions.
Problem
We would love to have a Dependabot-like experience for having some entity automagically bumping dependencies in Cairo repositories. Unfortunately, Dependabot does not have a facility to provide implementations of custom package managers by the community, so we have to make workarounds.
Proposed Solution
High-level idea
The idea is to make use of GitHub actions and their scheduled workflow triggers functionality.
For the purpose of this issue, let's call it dependascarbabot (sounds cool, isn't it?). But I'm not enforcing this name 🤡
The template GHA workflow that users would paste into their repositories could look like this:
The less boilerplate, the better
I think the less boilerplate users would have to maintain, the better. So, if possible, this action should call all of actions/checkout, software-mansion/setup-scarb, git commit and git push under the hood if possible.
How should updating be done?
There is a scarb update command. It drops the Scarb.lock file and regenerates it, forcing Scarb to pull the latest dependencies matching requirements specified in Scarb.toml. I think that's a good starting point, even MVP-worthy.
This command is not as smart as Dependabot proper because Dependabot would also try to modify the Scarb.toml file, aiming to bump the requirements if possible. Then, it would let maintainers decide whether to accept the PR or not, but running CI over this change. That's something worth implementing, though! I think there's a space for something like this in Scarb, either as a feature of scarb update, or a separate command (like yarn upgrade-interactive), which should then be used by this new action.
Preparing a summary of what dependencies have been updated
I have no idea what would be the best way to extract from scarb update doings what dependencies have been updated. I'm leaving this topic entirely to the person who implements this.
Notes
Useful resource: