This repository has been archived by the owner on Sep 12, 2023. It is now read-only.

add dependabot config script #107

Open
wants to merge 1 commit into base: master

Conversation

@davidspek davidspek commented Jan 25, 2021

Inspired by kubeflow/pipelines#4682 I created a script that will create a config file for dependabot so that it knows what directories to scan. It will scan the repository for files named *ockerfile*, package*.json, *requirements.txt and go.*. It is set up for dockerfiles, npm packages, pip dependencies and gomod at the moment. It is trivial to further customize what folders are selected if further customization is needed. It also parses the closest OWNERS file for a given dependency listing file, assigns the relevant approvers and adds the relevant reviewers to the PRs it creates.

This is a sibling PR to kubeflow/pipelines#5015, kubeflow/kubeflow#5542, kserve/kserve#1309, kubeflow/arena#403, kubeflow/testing#855, kubeflow/fairing#550, kubeflow/kfp-tekton#432, kubeflow/katib#1420, kubeflow/training-operator#1224, kubeflow/kfp-tekton-backend#28, kubeflow/mpi-operator#319, kubeflow/pytorch-operator#315, kubeflow/metadata#255, kubeflow/xgboost-operator#107, kubeflow/fate-operator#26, kubeflow/mxnet-operator#87, kubeflow/website#2459, kubeflow/kfctl#479, kubeflow/examples#843, kubeflow/code-intelligence#198 and GoogleCloudPlatform/kubeflow-distribution#192.

As it stands now, there will be about 9 PRs that will be created with this configuration.

For reference, the PRs that will be created can be found here: https://github.com/DavidSpek/common/pulls
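To make the scan described above concrete, here is an added Python example (not the script from this PR) that walks a checkout, matches the four filename patterns, resolves the closest OWNERS file upwards from each match and builds the equivalent dependabot v2 config as a dict. The ecosystem-to-glob mapping, the daily schedule and the sample tree are assumptions constructed for the example.

```python
import fnmatch, tempfile
from pathlib import Path

# Ecosystem -> filename glob, following the globs the PR describes (assumed mapping).
RULES = [("docker", "*ockerfile*"), ("npm", "package*.json"),
         ("pip", "*requirements.txt"), ("gomod", "go.*")]

def parse_owners(path):
    """Minimal parser for a Kubeflow-style OWNERS file (no PyYAML needed)."""
    out, section = {"approvers": [], "reviewers": []}, None
    for line in (l.strip() for l in path.read_text().splitlines()):
        if line.endswith(":") and line[:-1] in out:
            section = line[:-1]          # entering approvers:/reviewers:
        elif line.startswith("- ") and section:
            out[section].append(line[2:].strip())
        elif line and not line.startswith("#"):
            section = None               # some other top-level key
    return out

def nearest_owners(root, directory):
    """Walk up from directory (stopping at root) to the closest OWNERS file."""
    for d in (directory, *directory.parents):
        if (d / "OWNERS").is_file():
            return parse_owners(d / "OWNERS")
        if d == root:
            break
    return {"approvers": [], "reviewers": []}

def build_config(root):
    """Dependabot v2 config dict: one update entry per (ecosystem, directory)."""
    root, updates, seen = Path(root).resolve(), [], set()
    for f in sorted(p for p in root.rglob("*") if p.is_file() and ".git" not in p.parts):
        rel = f.parent.relative_to(root)
        for eco, pattern in RULES:
            if not fnmatch.fnmatch(f.name, pattern) or (eco, rel) in seen:
                continue
            seen.add((eco, rel))        # go.mod and go.sum share one entry
            owners = nearest_owners(root, f.parent)
            updates.append({"package-ecosystem": eco,
                            "directory": "/" if rel == Path(".") else "/" + rel.as_posix(),
                            "schedule": {"interval": "daily"},
                            "assignees": owners["approvers"],
                            "reviewers": owners["reviewers"]})
    return {"version": 2, "updates": updates}

def demo():
    """Constructed sample tree (not a real repository) so the block runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "OWNERS").write_text("approvers:\n- alice\nreviewers:\n- bob\n")
    (root / "Dockerfile").write_text("FROM scratch\n")
    (root / "go.mod").write_text("module example\n")
    (root / "sdk" / "python").mkdir(parents=True)
    (root / "sdk" / "python" / "requirements.txt").write_text("requests==2.25.1\n")
    (root / "sdk" / "python" / "OWNERS").write_text("approvers:\n- carol\n")
    return build_config(root)
```

Serialise the returned dict with `yaml.safe_dump` into `.github/dependabot.yml`; the nested `sdk/python` entry picks up its own OWNERS approvers while the root-level entries fall back to the top-level OWNERS file.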

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: DavidSpek
To complete the pull request process, please assign jeffwan after the PR has been reviewed.
You can assign the PR to them by writing /assign @jeffwan in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@davidspek
Author

/assign @Jeffwan

@Jeffwan
Member

Jeffwan commented Jan 25, 2021

@davidspek I don't quite understand the purpose here. I think pipelines has many 3rd-party dependencies. However, other projects like training operators only use go and python (SDK). Currently, it's not a problem for Prow to infer the reviewer.

What's the benefit to adopt this script?

@davidspek
Author

@Jeffwan The script is not so much to assign the reviewers and approvers, but more to configure dependabot so that it functions properly and knows what folders to scan for what dependencies. Along with that, dependabot also gives security alerts for dependencies with security vulnerabilities. By merging this PR, dependabot can open PRs when there are dependencies that need updating. For example, this repo has 9 dependencies that can/need to be updated. https://github.com/DavidSpek/common/pulls

@Jeffwan
Member

Jeffwan commented Jan 26, 2021

@davidspek Right. The script seems to generate an assignees list from OWNERS files and then create the dependabot yaml. I am wondering whether this is required by dependabot, because dependabot doesn't need to know who to assign. This can be done by Prow once the PR is out.

@davidspek
Author

@Jeffwan Is it a problem that dependabot assigns the approvers and reviewers? The functionality can easily be removed, but it does cause the script to be different than in the other repositories. At the moment, the same script is used in every repository.

@davidspek
Author

I am holding the PR to have some control over when it gets merged so that the optional test infra doesn't get overloaded if all the repos were to merge this at the same time.
/hold

@Jeffwan
Member

Jeffwan commented Jan 27, 2021

@Jeffwan Is it a problem that dependabot assigns the approvers and reviewers? The functionality can easily be removed, but it does cause the script to be different than in the other repositories. At the moment, the same script is used in every repository.

@davidspek I feel like this is redundant, but I agree that if the community adopts this solution, we should try to make them consistent.

Can you do a rebase? master has the license header change and Travis CI will succeed then.

@davidspek
Author

@Jeffwan I just did a rebase. I am about to discuss dependabot and the way forward in the Community Call in 45 minutes, as for different repos the volume of PRs seems to be an issue. However, given the few PRs that are created in this repo, I'd say it is alright to merge as it can also easily be removed or changed if there ends up being a different solution (such as self-hosting dependabot) in the future. Then at least this repo can already start having the dependencies updated, which will reduce the load in the future.

georgkaleido pushed a commit to georgkaleido/common that referenced this pull request Jun 9, 2022