Looks like there's a consensus to introduce Renovate, so I've updated
the PR https://github.com/apache/polaris/pull/267 as "Ready for Review".
On 05.09.24 16:15, Dmitri Bourlatchkov wrote:
+1 to Renovate.
It works well in Nessie and it is quite convenient in terms of GH
integration.
Cheers,
Dmitri.
On Thu, Sep 5, 2024 at 6:23 AM Alex Dutra <alex.du...@dremio.com.invalid>
wrote:
Hi Robert,
Thanks for this proposal. We definitely need an automatic dependency
management, +1 to move forward with this.
Having worked with both proposed solutions, I also have a preference for
renovate. The automatic PR merge and the dependency dashboard are really
nice features imo.
Thanks,
Alex
On Thu, Sep 5, 2024 at 11:41 AM Jean-Baptiste Onofré <j...@nanthrax.net>
wrote:
Hi Robert,
I was about to propose it because I identified some dependencies
behind yesterday (and created PRs to update).
Big +1 to automate this.
I have a small preference for renovate but OK to use dependabot anyway.
Thanks !
Regards
JB
On Wed, Sep 4, 2024 at 10:01 PM Robert Stupp <sn...@snazy.de> wrote:
Hi all,
I'd like to propose to use automatic dependency management in Apache
Polaris and start a discussion about this topic first.
Keeping dependencies up-to-date is quite important - it helps to not
(or better: less likely) run into security issues or bugs in
dependencies. Continuously keeping dependencies up-to-date also keeps
the amount of code changes due to updated dependencies down to a
manageable amount of work - most of the time within the
dependency-version-bump PR.
There are two options that I can think of:
## Renovate
Renovate [1] is a highly customizable dependency management tool. We
have been using it in projectnessie [4] for all projects for quite some
time and are very happy with it. It just works and has done its job for
years now.
Particularly the amount of flexibility and functionality it brings is
really nice.
Renovate can update dependencies for all kinds of what they call
"managers" [2] - e.g. for Java: Gradle, Gradle Wrapper, or for Python:
pip, poetry, or Docker images: Dockerfile, Compose, etc.
Different versioning schemes are supported (not just semver).
The Renovate bot visits each repository approximately every 3
hours. It has configurable limits for the number of open PRs, PRs
created per hour and a ton more options. Dependency updates can cause a
PR immediately or at any schedule that's needed - even configured down
to the level of individual dependencies.
It can approve PRs automatically and enable automerge. Those can also
be configured individually. Similarly the kind of version bump
(major/minor/patch) that requires manual approval over automatic
approval + automerge.
Thinking a bit ahead in time - when (if) there are multiple version
branches to maintain (e.g. branches for version 1.x, 1.1.x, 2.x, etc):
With Renovate it's possible to get dependency updates even for those
version branches - "down-scoped" to patch-version bumps only, if
configured that way. This could be used to get all the patch version
dependency updates in version branches automatically.
The dependency dashboard (example: [3]) that Renovate opens as a GitHub
issue, provides a concise overview of dependencies that are scheduled,
have been manually edited, are currently open or are ignored/blocked
(by closing the PR, to re-create the PR).
## Dependabot
Dependabot supports less "ecosystems", but probably enough for Polaris.
Historically, Dependabot didn't do a good job with Gradle version
catalogs, but the situation might have improved since the last time I
checked it.
Overall, compared to Renovate, it has IMO limited flexibility. It seems
(I never tried it) that the flexibility, especially for multiple
"managed branches", is limited, if present at all.
What's your opinion on this topic?
Robert
[1] https://docs.renovatebot.com/
[2] https://docs.renovatebot.com/modules/manager/
[3] https://github.com/projectnessie/nessie/issues/5255
[4] https://github.com/projectnessie/nessie/blob/main/.github/renovate.json5
--
Robert Stupp
@snazy
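As an added illustration (not part of the thread, not the Nessie configuration linked as [4], and not anything Polaris has adopted), here is a renovate.json5 that wires up the points Robert lists: the dependency dashboard, PR rate limits, automerge restricted to minor/patch bumps, patch-only updates on a version branch, and separate handling for dependencies with a known advisory. The branch names, limits, labels and the three-day release age are assumptions chosen for the example.

```json5
// .github/renovate.json5 - hypothetical example configuration, not a real
// project's file. Branch names, limits and labels are assumptions.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // The dependency dashboard issue: overview of scheduled, open and
  // blocked updates (close a PR to block it, tick the box to re-create it).
  dependencyDashboard: true,

  // Rate limits so a burst of upstream releases does not flood the PR list.
  prConcurrentLimit: 10,
  prHourlyLimit: 4,

  // Do not pull in a release the minute it is published: a freshly pushed,
  // later-yanked or compromised artifact is the classic supply-chain trap.
  minimumReleaseAge: "3 days",

  // Branches Renovate maintains. "release/1.0.x" is an assumed name.
  baseBranches: ["main", "release/1.0.x"],

  packageRules: [
    {
      // On main: minor and patch bumps are automerged once CI is green.
      matchBaseBranches: ["main"],
      matchUpdateTypes: ["minor", "patch"],
      automerge: true,
      automergeType: "pr",
    },
    {
      // Major bumps stay as normal PRs for a human to review.
      matchBaseBranches: ["main"],
      matchUpdateTypes: ["major"],
      automerge: false,
      labels: ["dependencies", "major"],
    },
    {
      // Version branch: patch-level updates only, never automerged.
      matchBaseBranches: ["release/1.0.x"],
      matchUpdateTypes: ["major", "minor"],
      enabled: false,
    },
    {
      // Gradle wrapper bumps are grouped into a single PR.
      matchManagers: ["gradle-wrapper"],
      groupName: "gradle wrapper",
    },
  ],

  // Dependencies with a known advisory get their own labelled PR regardless
  // of the normal schedule. On GitHub this needs the Renovate app to have
  // access to the repository's vulnerability alerts.
  vulnerabilityAlerts: {
    labels: ["security"],
    schedule: ["at any time"],
    automerge: false,
  },
}
```

Two practitioner caveats. First, automerge makes the repository's CI the only gate for a dependency change, so the workflows that run on Renovate branches should run with the least token permissions they need; a bump to a build plugin or test library executes on the runner with whatever the workflow token can reach. Second, a GitHub branch protection rule that requires a review blocks automerge until something approves the PR; Renovate's own autoApprove option is for GitLab, so on GitHub the "approve automatically" part Robert mentions is typically done by a separate approval workflow or app, not by this file.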