On Fri, Jun 25, 2021 at 5:17 AM Artem Smotrakov <artem.smotra...@gmail.com> wrote:
> > So I'd be happy to get such a config, starting with maybe one project
> > (jackson-core or jackson-databind f.ex) first?
>
> Okay, let's give it a try then. I'll submit a pull request for
> jackson-core or jackson-databind, and we'll see how it goes.

Cool

> In fact, LGTM is still alive, and yes it is based on CodeQL. I think LGTM
> provides a useful UI, metrics, etc, so I think it makes sense to keep the
> LGTM config despite CodeQL workflows.

Yeah, it has the usual challenge of issues remaining being noise, but it did expose a few legit issues so it seems useful.

-+ Tatu +-

> Artem
>
> On Thu, Jun 24, 2021 at 6:07 PM Tatu Saloranta <t...@fasterxml.com> wrote:
>
>> On Thu, Jun 24, 2021 at 5:27 AM Artem Smotrakov <artem.smotra...@gmail.com> wrote:
>> >
>> > I think GitHub Action works pretty well. In addition, there are many
>> > useful actions that may be helpful. In particular, GitHub Actions can run
>> > CodeQL scans (static analysis checks), and report findings (including
>> > security ones) right in a pull request. I can add a config for CodeQL if
>> > you find it useful.
>>
>> I think CodeQL could be useful, my one concern with static analysis
>> tools is that sometimes there is noise and over time managing
>> overrides can become a bigger task. But availability of reports to
>> check every now and then is useful, especially if the false positive
>> rate is low.
>> Somewhat related, Jackson-databind has the settings for old LGTM
>> analysis (lgtm.yml), and that was useful in finding couple of things
>> to fix
>> (but also had warnings to disable).
>>
>> So I'd be happy to get such a config, starting with maybe one project
>> (jackson-core or jackson-databind f.ex) first?
>>
>> -+ Tatu +-
>>
>> >
>> > Artem
>> >
>> > On Wed, Jun 23, 2021 at 10:59 PM Tatu Saloranta <t...@fasterxml.com> wrote:
>> >>
>> >> Looks like Travis-CI transition from .org to .com is now hitting us;
>> >> no CI build has succeeded for the past 15 days. While I did change
>> >> settings which should give us some free builds per month, I don't
>> >> think those 10,000 credits are enough for all Jackson components (not
>> >> even sure it'd cover jackson-databind).
>> >> While I understand that the business side of this may be necessary for
>> >> Travis the company, it means that either Jackson project would need to
>> >> pay up, or, perhaps, we should consider moving to something like
>> >> GitHub Actions.
>> >> As G.A seems to be picking momentum, that seems like a reasonable
>> >> idea, but it is a new system for me and I would need some help.
>> >>
>> >> On migration: Jackson builds are rather simple, and aside from
>> >> optimization aspects (if there are ways to cache Maven deps, f.ex),
>> >> the only advanced part in Travis was the automatic publishing of
>> >> SNAPSHOT versions. And that is/was tricky just due to auth tokens. So
>> >> perhaps migration would not be horribly complicated.
>> >>
>> >> Also... this might make it easier to consider dependency builds: so
>> >> that, for example, build of `jackson-core` (of certain branch) could
>> >> trigger cascading build of its dependencies (`jackson-databind`, most
>> >> modules).
>> >> Even if this was not fully automatic -- that is, we'd need to do some
>> >> static configuration -- it could be useful in exposing issues that
>> >> currently are not immediately apparent.
>> >> Or, possibly we could simply force daily/weekly rebuilds of a set of
>> >> repos (base modules, 3 dataformat repos) which should also catch
>> >> cross-version compatibility issues.
>> >>
>> >> -+ Tatu +-

--
You received this message because you are subscribed to the Google Groups "jackson-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jackson-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/CAGrxA271PYFwkvQuum%3DH2XYL7SNuOYbag7pjJUwEGY0k_iPxpw%40mail.gmail.com.