> So I'd be happy to get such a config, starting with maybe one project (jackson-core or jackson-databind f.ex) first?
Okay, let's give it a try then. I'll submit a pull request for jackson-core or jackson-databind, and we'll see how it goes.

In fact, LGTM is still alive, and yes it is based on CodeQL. I think LGTM provides a useful UI, metrics, etc, so I think it makes sense to keep the LGTM config despite CodeQL workflows.

Artem

On Thu, Jun 24, 2021 at 6:07 PM Tatu Saloranta <t...@fasterxml.com> wrote:

> On Thu, Jun 24, 2021 at 5:27 AM Artem Smotrakov <artem.smotra...@gmail.com> wrote:
> >
> > I think GitHub Action works pretty well. In addition, there are many useful actions that may be helpful. In particular, GitHub Actions can run CodeQL scans (static analysis checks), and report findings (including security ones) right in a pull request. I can add a config for CodeQL if you find it useful.
>
> I think CodeQL could be useful, my one concern with static analysis tools is that sometimes there is noise and over time managing overrides can become a bigger task. But availability of reports to check every now and then is useful, especially if the false positive rate is low.
> Somewhat related, Jackson-databind has the settings for old LGTM analysis (lgtm.yml), and that was useful in finding couple of things to fix (but also had warnings to disable).
>
> So I'd be happy to get such a config, starting with maybe one project (jackson-core or jackson-databind f.ex) first?
>
> -+ Tatu +-
>
> >
> > Artem
> >
> > On Wed, Jun 23, 2021 at 10:59 PM Tatu Saloranta <t...@fasterxml.com> wrote:
> >>
> >> Looks like Travis-CI transition from .org to .com is now hitting us; no CI build has succeeded for the past 15 days. While I did change settings which should give us some free builds per month, I don't think those 10,000 credits are enough for all Jackson components (not even sure it'd cover jackson-databind).
> >> While I understand that the business side of this may be necessary for Travis the company, it means that either Jackson project would need to pay up, or, perhaps, we should consider moving to something like Github Actions.
> >> As G.A seems to be picking momentum, that seems like a reasonable idea, but it is a new system for me and I would need some help.
> >>
> >> On migration: Jackson builds are rather simple, and aside from optimization aspects (if there are ways to cache Maven deps, f.ex), the only advanced part in Travis was the automatic publishing of SNAPSHOT versions. And that is/was tricky just due to auth tokens. So perhaps migration would not be horribly complicated.
> >>
> >> Also... this might make it easier to consider dependency builds: so that, for example, build of `jackson-core` (of certain branch) could trigger cascading build of its dependencies (`jackson-databind`, most modules).
> >> Even if this was not fully automatic -- that is, we'd need to do some static configuration -- it could be useful in exposing issues that currently are not immediately apparent.
> >> Or, possibly we could simply force daily/weekly rebuilds of a set of repos (base modules, 3 dataformat repos) which should also catch cross-version compatibility issues.
> >>
> >> -+ Tatu +-
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups "jackson-dev" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an email to jackson-dev+unsubscr...@googlegroups.com.
> >> To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/CAL4a10jimXsSZxHC80bwOEfnZjFS8PN6OMWwnRXvdpekehqaRw%40mail.gmail.com.