Start schedule-triggered supply-chain review #46
5311cdb to 20a1dbf
Disclaimer: Participation by NIST in the creation of the documentation of mentioned software is not intended to imply a recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that any specific software is necessarily the best available for the purpose. Signed-off-by: Alex Nelson <[email protected]>
20a1dbf to 7b1fdb3
@simsong, I'd appreciate your review and merge, particularly because this PR sets up an email-generator.
This tests on Python 3.8, which is EOL in Oct 2024. I think that we should update the tests to be Python 3.9 and Python 3.13. What do you think?
- '3.8'
- '3.9'
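Review bot: the matrix floor '3.8' reaches end of life in October 2024, so a scheduled job that exercises only 3.8 and 3.9 will soon be running the unpinned type checker against an interpreter that no longer receives fixes; tie the floor to the oldest non-EOL release and add the newest stable release (3.13) so the scheduled run surfaces stdlib deprecations early instead of on a supported interpreter nobody tests.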
Why 3.8 and 3.9 and not 3.9 and 3.13?
Paralleling current CI.
I agree, but I'll handle that in another PR. Some type signature details might change from Python stdlib deprecations; I haven't checked yet.
Apologies - I agree with bumps to expand tested Python versions to non-EOL (floor) and non-Beta (ceiling) releases. I've found reasons in the past to keep this as open as possible back in time.
Merging with approval. Thanks, @simsong!
This PR implements a dependency freshness review for the currently-used static type review tool, which is incorporated by reference without version pinning.
An advantage of not pinning a version is every fresh run of CI will use the most up to date version of all dependencies.
A disadvantage of not pinning a version is tool behaviors may change, triggering unexpected events. (This is not a criticism of any tool - major-version revisions and backwards incompatibilities are just a fact of life.)
This repository had not had CI running on a schedule, so several needed updates had quietly queued up. This PR enables scheduled CI checks, not for the entirety of the test suite, but instead for a portion of the test suite that may change behavior without action from this repository's maintainers.
This PR adds the framework for calling a Make target check-supply-chain. This design pattern has been used in several repositories in the Cyber Domain Ontology to keep dependencies refreshed with automated assistance. A reference link to the CDO project release flow has in its technical background a recipe for Git submodule supply chain review. While the Git submodule recipe won't be included in this PR, the benefit of an automated dependency review practice is relevant to this PR.

This PR is also filed with the intent of laying groundwork for a follow-on PR that will start adding Python formatting mechanisms, and checking them on a schedule as well as part of the supply chain review. That's left for later to separate code-formatting discussion from automated-review discussion.
Impact on maintenance: Every now and then, a scheduled CI job will fail because of some dependency changing a behavior (likely from a major-version update). The resolution to this event is intentionally left for manual revision. In the case of this first recipe for type review, either some type signature would need updating, or the tool call pattern would need adjustment (as done in PR 44).
References
check-supply-chain recipe (permalink to today's state) - noted for some other potential scheduled-review topics, including code formatters (using pre-commit) and Git submodules.

Disclaimer
Participation by NIST in the creation of the documentation of mentioned software is not intended to imply a recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that any specific software is necessarily the best available for the purpose.
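The PR description above contrasts unpinned dependencies (fresh on every run, but liable to change behavior on a major-version bump) with the scheduled check that is meant to catch such changes and hand them to a maintainer. The following is an added example, not code from this repository, the PR, or the CDO check-supply-chain recipe: it classifies requirement lines by how tightly they are pinned, compares the versions recorded at the last review against the versions a fresh resolve produced today, and applies the PR's stated policy (fail the scheduled job on a major bump or a newly appearing dependency; report minor and patch drift without failing). The tool name "typechecker", the function names, and the two version snapshots are constructed assumptions.

```python
# Added example: dependency freshness review helper. Not code from this
# repository or the CDO project; names and sample data are assumptions.
import re

# Requirement line: name, optional [extras], optional version specifier.
# Simplified PEP 508 handling, sufficient for requirements.txt-style lines.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"\s*(?:(?P<op>===|==|~=|>=|<=|!=|>|<)\s*(?P<ver>[^\s,;#]+))?"
)
# Numeric prefix of a version: major, minor, patch (later components ignored).
_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_requirement(line):
    """Return (name, operator, version) for one requirement line, or None
    for blank lines, comments and pip options such as '-r other.txt'."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _REQ_RE.match(stripped)
    if not m:
        return None
    return (m.group("name").lower(), m.group("op"), m.group("ver"))


def classify_requirements(lines):
    """Map each requirement to 'pinned' (exact version), 'bounded' (any
    other specifier) or 'unpinned' (bare name, re-resolved on every run)."""
    result = {}
    for line in lines:
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, op, _ = parsed
        if op in ("==", "==="):
            result[name] = "pinned"
        elif op is None:
            result[name] = "unpinned"
        else:
            result[name] = "bounded"
    return result


def parse_version(text):
    """Return (major, minor, patch) as ints; missing components are 0.
    Pre-release, post-release or date suffixes after the prefix are ignored."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def review_drift(baseline, current):
    """Compare versions recorded at the last review (baseline) with what an
    unpinned install resolved today (current). Returns a name-sorted list of
    (name, old, new, kind), kind in {'major', 'minor', 'patch', 'new', 'removed'}.
    Two versions with the same numeric prefix but different suffixes count as 'patch'."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, None, new, "new"))
        elif new is None:
            findings.append((name, old, None, "removed"))
        elif old != new:
            o, n = parse_version(old), parse_version(new)
            kind = "major" if o[0] != n[0] else "minor" if o[1] != n[1] else "patch"
            findings.append((name, old, new, kind))
    return findings


def needs_manual_review(findings):
    """Scheduled-job policy: a major bump or a dependency seen for the first
    time fails the job so a maintainer looks at it; minor/patch drift is
    reported but does not fail the run."""
    return any(kind in ("major", "new") for _, _, _, kind in findings)


# Constructed sample input: the type checker is unpinned, as in the PR.
SAMPLE_REQUIREMENTS = [
    "# tools exercised by the scheduled check-supply-chain job",
    "typechecker",
    "pytest==8.3.2",
    "types-requests>=2.31",
]
# Constructed snapshots: last review's record versus today's fresh resolve.
BASELINE = {"typechecker": "1.10.0", "pytest": "8.3.2"}
CURRENT = {"typechecker": "2.0.1", "pytest": "8.3.3", "types-requests": "2.32.0.20240914"}

if __name__ == "__main__":
    print(classify_requirements(SAMPLE_REQUIREMENTS))
    findings = review_drift(BASELINE, CURRENT)
    for finding in findings:
        print(finding)
    # Non-zero exit is what makes the scheduled CI job visibly fail.
    raise SystemExit(1 if needs_manual_review(findings) else 0)
```

In a scheduled job the baseline would be a committed snapshot (for example a pip freeze from the last successful review) and the current map would come from the freshly installed environment; the script's exit status is what turns a quiet major-version change into a failed run that a maintainer resolves by hand, as the description intends.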