Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dependabot #113

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

lucacome
Copy link

Adds dependabot to keep all the dependencies up to date.

Signed-off-by: Luca Comellini <[email protected]>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 26, 2024
@k8s-ci-robot k8s-ci-robot requested a review from liggitt July 26, 2024 20:02
@k8s-ci-robot k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jul 26, 2024
@k8s-ci-robot k8s-ci-robot requested a review from thockin July 26, 2024 20:02
@k8s-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lucacome
Once this PR has been reviewed and has the lgtm label, please assign jpbetz for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link

Welcome @lucacome!

It looks like this is your first PR to kubernetes-sigs/yaml 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/yaml has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 26, 2024
@skitt
Copy link
Member

skitt commented Oct 9, 2024

Hi @lucacome, thanks for your contribution. We generally don’t want automated dependency bump PRs in Kubernetes, so I don’t think dependabot would be appropriate. I can’t find documentation on this policy; @liggitt do you know if we have anything written down?

@lucacome
Copy link
Author

lucacome commented Oct 9, 2024

We generally don’t want automated dependency bump PRs in Kubernetes, so I don’t think dependabot would be appropriate. I can’t find documentation on this policy

Why is that? It doesn't seem very safe to have outdated dependencies. I've also added dependabot to a few kubernetes repos already...

@skitt
Copy link
Member

skitt commented Oct 10, 2024

We generally don’t want automated dependency bump PRs in Kubernetes, so I don’t think dependabot would be appropriate. I can’t find documentation on this policy

Why is that? It doesn't seem very safe to have outdated dependencies. I've also added dependabot to a few kubernetes repos already...

Not having automated dependency bump PRs isn’t the same as having outdated dependencies.

Others in k8s-code-organization have more experience of this than me, but I see several concerns with automated bump PRs (in Kubernetes):

  • in many cases, bumps need to be coordinated across repositories for best effect
  • different repositories have different base assumptions (for example the Go language level across branches — k/k has one per branch, k8s.io/utils has only one branch but needs to support older k/k branches), which sometimes conflict with the first point
  • many, many projects depend on k/k, directly or indirectly, so bumps can have a large impact
  • many bumps are of no practical consequence and should be skipped, that’s harder to do in practice with automated bumps (bumps to new releases where the only changes are upstream project CI, code comments etc.)
  • dependabot doesn’t know about k/k’s release cycle

I also think library-type projects have different requirements in terms of dependencies compared to directly-consumable projects. It makes sense to me for library-type projects to be conservative in their dependencies, to avoid forcing their users to upgrade other parts of the dependency tree quicker than strictly necessary; whereas end-user-facing projects (projects that build binaries or container images for direct consumption) might want to stay closer to the latest available releases of their dependencies. Keeping older library dependencies might seem dangerous, but there have been several cases in k/k where a dependency introduced bugs which didn’t affect “smaller” repositories in the Kubernetes project but affected k/k — so bumping them in the library project meant that k/k itself couldn’t bump the library dependency, even though the dependency bump in the library was artificial (not mandated by the library requiring new features in the dependency).

In this particular project, there are only two dependencies, both only used for test code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants