leolabs/you-need-a-parser

Dependency update workflow discussion

Opened this issue · 3 comments

Edit 2023-05-12 8:37 UTC: Added section for automatic releasing

As discussed in #619 (comment), this issue serves to discuss the dependency update workflows for this project.

There are two things that need regular updating:

  • Project dependencies
  • bank2ynab

project dependencies

The project currently has both dependabot and renovate configured for dependency updates. I propose the following config going forward:

  • Enable dependabot alerts and configure Dismiss low impact alerts
  • Disable dependabot dependency updates

While there are some transitive dependencies in the package.lock file that dependabot will update and renovate currently does not, renovate will still update the package.lock file with updates for direct dependencies, so it will also upgrade transitive dependencies as needed.

If there are transitive dependencies with security issues, dependabot's security alerts will catch them so that an update can be done manually.

For the renovate configuration in general, I think getting more things to be able to auto-update would be great. Mainly, building more tests. I can contribute them where I see things pop up. I am a big proponent of automating the pain away on my personal projects with the goal of auto-approving and auto-merging all non-major updates where possible. I can bring as much or as little of that spirit into here as you'd like to have, @leolabs 😁

bank2ynab

To update bank2ynab, we could update the bank2ynab script to point to a specific commit and implement a renovate configuration with the git-ref datasource, that updates that specific commit.

On changes to the script, we can then trigger a workflow that executes it and commits the changes to a PR. Ultimately, with tests that are deemed good enough, renovate could be configured to auto-merge these updates so that keeping bank2ynab up to date will become a zero-effort thing.

You can check out a helm chart repository that I co-maintain for an example workflow that does a similar thing for a Kubernetes controller.

automatic releasing

This is something that I quite like, especially in combination with renovate. With proper configuration, in my opinion, automatic releasing makes it an easy process to release new fixes and features to users.

For that, I'd look into:

  • Make all dependency updates chore-scope commits
  • Automatically release on feat- and fix- scope commits

I suspect that this should be rather easy to automate with lerna already in place.
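An added example of what the renovate configuration sketched in the "bank2ynab" and "automatic releasing" sections above could look like. This is illustrative config written for this page, not the project's own renovate.json, and it makes a few assumptions: the bank2ynab script lives at `scripts/update-bank2ynab.sh` and pins the upstream commit on a line of the form `BANK2YNAB_REF="<40-hex-sha>" # branch=master` (both the path and the line format are hypothetical); the key names (`customManagers`, `customType: "regex"`, `fileMatch`, the `git-refs` datasource) are those of Renovate's regex custom manager at the time of writing, and older Renovate releases spell the same block `regexManagers`, so check the current docs before copying.

```json5
// renovate.json5 (added example, not the project's configuration)
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Dependency updates land as chore-type conventional commits so that a
  // conventional-commit based release step ignores them, while feat/fix
  // commits from humans still trigger releases (see "automatic releasing").
  semanticCommits: "enabled",
  semanticCommitType: "chore",

  customManagers: [
    {
      // Track the commit of bank2ynab that the update script is pinned to.
      customType: "regex",
      // Hypothetical location of the script; adjust to the real path.
      fileMatch: ["^scripts/update-bank2ynab\\.sh$"],
      // Matches e.g.:
      //   BANK2YNAB_REF="0123456789abcdef0123456789abcdef01234567" # branch=master
      // currentDigest = the pinned SHA, currentValue = the branch to follow.
      matchStrings: [
        "BANK2YNAB_REF=\"(?<currentDigest>[0-9a-f]{40})\"\\s*#\\s*branch=(?<currentValue>\\S+)",
      ],
      datasourceTemplate: "git-refs",
      depNameTemplate: "bank2ynab",
      packageNameTemplate: "https://github.com/bank2ynab/bank2ynab",
    },
  ],

  packageRules: [
    {
      // bank2ynab moves as a digest bump on the followed branch. Keep it
      // manual until the test suite is trusted enough to auto-merge it.
      matchDatasources: ["git-refs"],
      matchDepNames: ["bank2ynab"],
      commitMessageTopic: "bank2ynab bank configs",
      automerge: false,
    },
    {
      // Goal stated above: auto-merge all non-major dependency updates.
      // Major updates still get a reviewed PR.
      matchUpdateTypes: ["minor", "patch", "pin", "digest"],
      matchDatasources: ["npm"],
      automerge: true,
    },
  ],
}
```

With this in place a new commit on bank2ynab's followed branch produces a PR that only rewrites the pinned SHA in the script; a CI job on that PR (or on the renovate branch) can then run the script, commit the regenerated files, and let the test suite decide whether the update is safe. Pinning to a full SHA rather than a branch name also means the build does not silently change when upstream pushes, which matters for anything that ends up executed or shipped to users.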

Thanks for the elaborate plans, @morremeyer!

I've just set up the Dependabot settings like you described, that all sounded good to me!

The bank2ynab idea sounds great as well! We'd just have to make sure these updates don't break anything, especially when combined with automatic releasing, but with enough tests that should be doable. Would you be up for making a PR for this?

Thanks again!

Yes, I'll work on it when I get to it.

Reminder to myself: re-read https://docs.renovatebot.com/noise-reduction for an update on the current state