Personally would err towards more frequent rather than less frequent.
Isn't that the intent behind CI/CD ... "continuous" rather than batch.

Esp. dependency bumps can coincide with security vulnerability fixes?
Wouldn't we want those incorporated ASAP?

We would even need to check.  I *think* there might be something where we
can't allow bots to auto-merge code?  But would need to check ASF policy.

Human in the loop for a final merge not particularly contentious.  But,
ideally we continue to find ways to get computers to do the verification [
ex: integration, and even functional tests ] as part of the
build/test/deployment pipelines.

Also: We are talking about code in Git, which is reversible.  Much
different and potentially lower stakes than other autonomous systems [ ex:
weapons ].

On Mon, Aug 29, 2022, 7:07 PM Joshua Poore <poor...@me.com.invalid> wrote:

> I’m a nervous nelly about updating the entire built pipeline without human
> in the loop eyes on integration tests. That’s the thing about the
> UserALE.js repo—it’s not just about source and build artifacts. The build
> artifacts export well out of the box, but the entire repo itself is a build
> pipeline that supports local customization. The build procs and
> dependencies are important to curate… my 02c.
>
> We could also pull back dependabot to check on a monthly basis, not
> weekly. That will reduce clutter in committer inboxes.
>
> So, that’s a monthly review and manual merge with Master. How’s that?
>
> > On Aug 29, 2022, at 9:24 PM, Austin Bennett <whatwouldausti...@gmail.com> wrote:
> >
> > That is certainly a way to do it that seems better than the current
> > approach?  Hoping to get as automated as feasible.
> >
> > Is there a reason you'd want package.json updates to be done manually?
> > That seems something a GH Action could do [ after tests pass ] -- without
> > having spent about any time with this thought, it looks like it could parse
> > updated package-lock to get versions and then replace/update those versions
> > in package.json, and run tests accordingly.
> >
> >
> >
> > On Mon, Aug 29, 2022 at 6:15 PM Joshua Poore <poor...@apache.org> wrote:
> >
> >> Dependabot updates package-file not package.json. When I clear these
> >> updates, i like to update package.json and test for collisions. I agree
> >> dependabot is just alerting us to updates.
> >>
> >> Proposal: why don’t we have dependabot merge changes into the test branch.
> >> then we can update package.json in merges from test to master.
> >>
> >> How’s that?
> >>
> >>> On Aug 26, 2022, at 11:42 AM, Austin Bennett <whatwouldausti...@gmail.com> wrote:
> >>>
> >>> Hi Devs,
> >>>
> >>> We have Dependabot in the repository which is suggesting maintenance PRs to
> >>> bump versions -->
> >>>
> >>> https://github.com/apache/incubator-flagon-useralejs/pulls/app%2Fdependabot
> >>>
> >>> What are your thoughts around how to treat those PRs?
> >>>
> >>> * Turn off?
> >>> * Just [manually] merge?  We do have some tests, and if bumping versions
> >>> causes more problems that just points to needing to roll-back and/or add
> >>> new tests?
> >>> * Configure dependabot to auto-merge if tests pass?
> >>> * other?
> >>>
> >>> Cheers,
> >>> Austin
> >>
> >>
>
