deploy dependabot submodule version update github action across repos #63
Comments
not surprising but means definitely don't deploy this to repos w/o submodules: https://github.com/riscv-admin/docs-sig/network/updates/927327612 |
Thanks for setting this up, Kevin. What are your thoughts on how to deploy?
Can we do it selectively, or omit some repositories?
|
Yes, I will selectively apply based on whether repo has a |
Deployment was a bit more involved as I needed to fork the projects as I am not a maintainer on almost all of them. I was able to use gh to automate that. NOTE: gh said I had to fork to an "org" not a "user", but luckily it wasn't hard to just create an org. After that I just had to define another "downstream" remote of the forks and push to that. For the creation of the PRs I just clicked on the "Create pull request" links and created them manually in the web browser. |
Awesome, what's the run frequency of dependabot? Does it monitor the
submodule repo for changes?
|
Run frequency is daily: https://github.com/riscv/docs-spec-template/blob/main/.github/dependabot.yml#L8
Yes, once dependabot.yml file is in place and dependabot settings are enabled, it will run, and generate a PR if the existing submodule ref(s) are behind. ex: riscv/sig-functional-safety-whitepaper#2
Do you think the owners of the orgs should just enable it (https://docs.github.com/en/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization#applying-the-github-recommended-security-configuration-to-all-repositories-in-your-organization) for everyone? If not, might need to announce to repo owners to do it in order to see the change. |
Ideally everyone should be using the latest docs-resources, however some
folks may have a dependency on old versions due to constraints on their
content, such as tables with lots of columns and small fonts, etc.
Can I manually trigger dependabot to update the docs-resources by
re-running the job?
|
Haven't tried that. Let me know if it works :) |
Yep, you can. Go to Insights -> Dependency Graph -> Dependabot tab -> click
check for updates.
|
Can we utilize repo to add or update .github/release.yml? Christian Herber
rightfully pointed out to me that dependabot may pollute the changelogs. This
can be prevented, by blocking the author dependabot from the changelog
https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
I.e. add a .github/release.yml, with changelog.exclude.authors set to
dependabot.
|
I don't see many/any projects that would be affected by this. Seems like it can wait till it actually becomes a problem. |
The ISA manuals would be hit by this, I think.
|
relates to riscv-admin/docs-sig#63 Signed-off-by: Kevin Broch <[email protected]>
Here's the first instance of this (https://github.com/riscv/riscv-isa-manual/releases/tag/riscv-isa-release-067b86b-2024-12-16). I'll leave it to the maintainers of isa to decide if this "pollutes" the changelog. IMO it is good to see this change occurred as it could have real impact on the resulting release. |
I went ahead and merged the last change to docs-resources. My thinking is
there shouldn't be that many updates to docs-resources, so the changelogs
shouldn't be hit too hard.
|
Why
Discussed in doc-sig meeting today as an automation step to ease maintenance of repos using submodules. (mostly docs-resources repo)
There's not really a downside to this. Maintainers of the repo can choose whether to merge the dependabot PR but at least with this enabled they will be aware of the change and can simply accept the PR to include it.
Also at least for repos generating extension documentation that will end up in the isa-manual repo, they will see those changes there anyways, so probably better to get ahead of them.
Stats relating to this
Currently here's the repos using dependabot:
Here's number of repos that could benefit from it:
NOTE: riscv-android-src excluded
Implementation
dependabot.yml to repos that can benefit
repo foreach to map upstream remote to cherry-pick commit from and push to PR
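
The selective rollout discussed in this thread, as an added example that is not code from the issue or from the riscv-admin project: POSIX shell functions that write a daily `gitsubmodule` Dependabot config only into checkouts that actually declare submodules, never overwrite an existing config, and optionally add the `.github/release.yml` changelog exclusion. The function names, status words and the `.gitmodules` check are assumptions made for this example; the sample checkouts are constructed.

```shell
#!/bin/sh
# Added example. Assumption: a checkout "has submodules" when its
# .gitmodules file contains at least one [submodule "..."] entry.
has_submodules() {
    [ -f "$1/.gitmodules" ] &&
        grep -q '^[[:space:]]*\[submodule[[:space:]]' "$1/.gitmodules"
}

# deploy_dependabot DIR [exclude-changelog]
# Prints one status word: deployed | skipped-no-submodules | skipped-exists
deploy_dependabot() {
    dir=$1
    if ! has_submodules "$dir"; then
        echo skipped-no-submodules; return 0
    fi
    if [ -e "$dir/.github/dependabot.yml" ]; then
        echo skipped-exists; return 0   # never clobber a maintainer's config
    fi
    mkdir -p "$dir/.github"
    cat > "$dir/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "daily"
EOF
    # Optional: keep Dependabot PRs out of auto-generated release notes.
    # The author value is the one named in the thread.
    if [ "${2:-}" = exclude-changelog ] && [ ! -e "$dir/.github/release.yml" ]; then
        cat > "$dir/.github/release.yml" <<'EOF'
changelog:
  exclude:
    authors:
      - dependabot
EOF
    fi
    echo deployed
}

# Constructed sample checkouts: one with a submodule entry, one without.
tmp=$(mktemp -d)
mkdir -p "$tmp/with" "$tmp/without"
printf '[submodule "docs-resources"]\n\tpath = docs-resources\n' > "$tmp/with/.gitmodules"
echo "with:    $(deploy_dependabot "$tmp/with" exclude-changelog)"
echo "without: $(deploy_dependabot "$tmp/without")"
rm -rf "$tmp"
```

Leaving out the second argument writes only `dependabot.yml`, which keeps submodule bumps visible in generated release notes.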