On Thu, Jun 24, 2021 at 5:27 AM Artem Smotrakov <artem.smotra...@gmail.com> wrote:
>
> I think GitHub Action works pretty well. In addition, there are many useful
> actions that may be helpful. In particular, GitHub Actions can run CodeQL
> scans (static analysis checks), and report findings (including security ones)
> right in a pull request. I can add a config for CodeQL if you find it useful.

I think CodeQL could be useful, my one concern with static analysis tools is that sometimes there is noise and over time managing overrides can become a bigger task. But availability of reports to check every now and then is useful, especially if the false positive rate is low.

Somewhat related, Jackson-databind has the settings for old LGTM analysis (lgtm.yml), and that was useful in finding a couple of things to fix (but also had warnings to disable).

So I'd be happy to get such a config, starting with maybe one project (jackson-core or jackson-databind f.ex) first?

-+ Tatu +-

>
> Artem
>
> On Wed, Jun 23, 2021 at 10:59 PM Tatu Saloranta <t...@fasterxml.com> wrote:
>>
>> Looks like Travis-CI transition from .org to .com is now hitting us;
>> no CI build has succeeded for the past 15 days. While I did change
>> settings which should give us some free builds per month, I don't
>> think those 10,000 credits are enough for all Jackson components (not
>> even sure it'd cover jackson-databind).
>> While I understand that the business side of this may be necessary for
>> Travis the company, it means that either Jackson project would need to
>> pay up, or, perhaps, we should consider moving to something like
>> GitHub Actions.
>> As G.A seems to be picking momentum, that seems like a reasonable
>> idea, but it is a new system for me and I would need some help.
>>
>> On migration: Jackson builds are rather simple, and aside from
>> optimization aspects (if there are ways to cache Maven deps, f.ex),
>> the only advanced part in Travis was the automatic publishing of
>> SNAPSHOT versions. And that is/was tricky just due to auth tokens. So
>> perhaps migration would not be horribly complicated.
>>
>> Also... this might make it easier to consider dependency builds: so
>> that, for example, build of `jackson-core` (of certain branch) could
>> trigger cascading build of its dependencies (`jackson-databind`, most
>> modules).
>> Even if this was not fully automatic -- that is, we'd need to do some
>> static configuration -- it could be useful in exposing issues that
>> currently are not immediately apparent.
>> Or, possibly we could simply force daily/weekly rebuilds of a set of
>> repos (base modules, 3 dataformat repos) which should also catch
>> cross-version compatibility issues.
>>
>> -+ Tatu +-
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "jackson-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to jackson-dev+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jackson-dev/CAL4a10jimXsSZxHC80bwOEfnZjFS8PN6OMWwnRXvdpekehqaRw%40mail.gmail.com.