I’m a nervous nelly about updating the entire build pipeline without 
human-in-the-loop eyes on integration tests. That’s the thing about the UserALE.js 
repo—it’s not just about source and build artifacts. The build artifacts export 
well out of the box, but the entire repo itself is a build pipeline that 
supports local customization. The build procs and dependencies are important to 
curate… my 02c.

We could also pull back dependabot to check on a monthly basis, not weekly. 
That will reduce clutter in committer inboxes. 

So, that’s a monthly review and manual merge with Master. How’s that?

> On Aug 29, 2022, at 9:24 PM, Austin Bennett <whatwouldausti...@gmail.com> 
> wrote:
> 
> That is certainly a way to do it that seems better than the current
> approach?  Hoping to get as automated as feasible.
> 
> Is there a reason you'd want package.json updates to be done manually?
> That seems something a GH Action could do [ after tests pass ] -- without
> having spent about any time with this thought, it looks like it could parse
> updated package-lock to get versions and then replace/update those versions
> in package.json, and run tests accordingly.
> 
> 
> 
> On Mon, Aug 29, 2022 at 6:15 PM Joshua Poore <poor...@apache.org> wrote:
> 
>> Dependabot updates package-file not package.json. When I clear these
>> updates, I like to update package.json and test for collisions. I agree
>> dependabot is just alerting us to updates.
>> 
>> Proposal: why don’t we have dependabot merge changes into the test branch.
>> then we can update package.json in merges from test to master.
>> 
>> How’s that?
>> 
>>> On Aug 26, 2022, at 11:42 AM, Austin Bennett <whatwouldausti...@gmail.com> wrote:
>>> 
>>> Hi Devs,
>>> 
>>> We have Dependabot in the repository which is suggesting maintenance PRs to
>>> bump versions -->
>>> https://github.com/apache/incubator-flagon-useralejs/pulls/app%2Fdependabot
>>> 
>>> What are your thoughts around how to treat those PRs?
>>> 
>>> * Turn off?
>>> * Just [manually] merge?  We do have some tests, and if bumping versions
>>> causes more problems, that just points to needing to roll back and/or add
>>> new tests?
>>> * Configure dependabot to auto-merge if tests pass?
>>> * other?
>>> 
>>> Cheers,
>>> Austin
>> 
>> 
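
The step Austin sketches in the thread (read the versions the updated package-lock resolved, write them into package.json, then run the tests), as an added example that is not code from this thread or from the UserALE.js project. It assumes a package-lock.json with lockfileVersion 2 or 3; the function names, package names and versions are constructed for illustration.

```javascript
// Added example: rebase package.json ranges onto the versions that
// package-lock.json (lockfileVersion 2 or 3) actually resolved.

// Keep the operator the maintainers chose (^, ~ or an exact pin).
// Anything else (git URLs, tags, "*", compound ranges) returns null
// so it is reported for manual review instead of being rewritten.
function rebaseRange(range, resolved) {
  const m = /^(\^|~)?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/.exec(range);
  return m ? (m[1] || '') + resolved : null;
}

// Returns a new manifest plus a change list for the PR description.
// The input manifest is not mutated.
function syncManifest(manifest, lock) {
  if (!lock.packages) throw new Error('need lockfileVersion 2 or 3');
  const updated = JSON.parse(JSON.stringify(manifest));
  const changes = [];
  const skipped = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(updated[section] || {})) {
      const entry = lock.packages['node_modules/' + name];
      const next = entry && entry.version
        ? rebaseRange(range, entry.version) : null;
      if (next === null) { skipped.push(name); continue; }
      if (next !== range) {
        updated[section][name] = next;
        changes.push({ section, name, from: range, to: next });
      }
    }
  }
  return { updated, changes, skipped };
}

// Constructed sample data (hypothetical packages and versions).
const sampleManifest = {
  dependencies: { 'example-lib': '^5.2.0' },
  devDependencies: {
    'example-test-runner': '~9.1.0',
    'example-fork': 'github:example/example-fork',
  },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/example-lib': { version: '5.3.0' },
    'node_modules/example-test-runner': { version: '9.1.4', dev: true },
    'node_modules/example-fork': { version: '1.0.0', dev: true },
  },
};
console.log(syncManifest(sampleManifest, sampleLock).changes);
```

Run before the test step on the branch that receives the Dependabot bumps, the change list and the skipped names give the reviewer of the merge to master the manifest diff and the test result side by side.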
