Enable renovatebot for the project #1375
Conversation
There was a problem hiding this comment.
Here are some comments on the suggested config. The reference guide for how to configure the bot is here https://docs.renovatebot.com
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as resolved.
This comment was marked as resolved.
janhoy
requested review from
anshumg,
dsmiley,
gerlowskija,
HoustonPutman and
risdenk
We now got a private repo I'll invite a number of you to the https://github.com/solrbot/renovate-github-action repo so you can commit directly. |
* Add assertion with more details on failure
Add an hourly limit of 5, for slower on-boarding of PRs Add stability requirement of 5 days since release of a version before PR creation
Who controls that email address?
Oh god! Of all the bad ideas in the world, why am I seeing several of the worst ones here in this single issue? IMO, this separate GH account (solrbot) is outside the purview of Apache Solr project, and is a 3rd party project. We shouldn't need the private@ or PMC level involvement for this project. If you disagree, let us discuss in the private@ list about it. |
After conclusion from private@ list discussion, we don't need this bot / github action to be under official control of the Solr PMC. So I'll re-brand this project as being a 3rd party community project, both in this PR and over in the solrbot account. That means I'm reverting back to |
Group httpcomponents in same PR Check test deps montly instead of weekly
…he 3rd party bot github action repo.
…dependencies' label to PRs
|
Turns out the bot account needs "triage" rights on the repo in order to set the "dependencies" label on PRs. ASF.yaml provides a way to grant that. However, since we currently don't use labels at all for our PRs, I'll instead skip the |
|
Thanks for weighing in, now let's see the first PRs flowing in :) |
| "dependencyDashboard": false, | ||
| "enabledManagers": ["gradle"], | ||
| "includePaths": ["versions.*", "build.gradle"], | ||
| "postUpgradeTasks": { |
There was a problem hiding this comment.
This is great, and a step that's missing in the dependabot feature for the solr-operator.
This PR adds automatic dependency housekeeping to the project through Renovatebot, which is an alternative to dependabot. See slack discussion here.
So once this is merged, a self-hosted bot called SolrBot, will kick off every Sunday and file PRs for dependencies that need upgrades. Here is an example of such a PR from my sandbox test project. A nice feature is that the PR will also include changes from
gradlew updateLicensesand--write-locks, so for a majority of upgrades, there's nothing left to do for the committer.We can't use Dependabot since it does not support our gradle "consistent-versions" plugin. We can't use the public Renovatebot github app since it cannot be configured to run custom post-commands like
gradlew updateLicenses. So we follow GitHub's advice of creating a custom github account for the bot, and that user will run renovatebot in a GitHub Action, and fork the solr repo and file PRs against the Solr repo. This has the nice property that the bot won't need commit-rights to the solr-repo, which would be disallowed by ASF policy.I plan to share the github credentials for the SolrBot account with the PMC if I can find a secure way of doing it. I remember there is a private svn repo per PMC, but could not find it.