JanusGraph / janusgraph-docker

JanusGraph Docker images
98 stars, 87 forks

Improve Code scanning #130

Open FlorianHockmann opened 1 year ago

FlorianHockmann commented 1 year ago

We already have automated code scanning in place for our Docker images. Unfortunately, the results aren't very helpful right now, as it's not possible to distinguish between alerts for the different images. We get results for the 1.0, 0.6, and 0.5 images all together. The 0.5 image of course leads to a lot of alerts, as we haven't published a new release on that branch in a long time. (We will probably drop support for that image in general soon.) This makes it hard to find alerts for the 0.6 and especially the 1.0 image, where we usually shouldn't get many alerts right now, considering that most of our dependencies should be up-to-date there.

The code scanning should make it possible to view results for the different images independently of one another. It would also be good if we could fix the check for PRs so that it only fails if the PR introduces any new problems. But we can also create a separate issue for that if solving it is more complex.
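One way to get per-image results out of GitHub code scanning, as an added example rather than the janusgraph-docker project's own workflow: scan each image tag in its own matrix job and upload each SARIF file under its own `category`. The scanner (Trivy via aquasecurity/trivy-action), the image name `docker.io/janusgraph/janusgraph`, and the tag list are assumptions; this page does not show which scanner the repository actually uses.

```yaml
# Added example, not the janusgraph-docker project's own workflow.
# Assumptions: images are scanned with Trivy (aquasecurity/trivy-action) and
# results go to GitHub code scanning as SARIF; the image name and tags below
# are placeholders for whatever the repository actually publishes.
name: image-scan

on:
  pull_request:
  push:
    branches: [master]
  schedule:
    - cron: '0 3 * * 1'   # weekly, so CVEs published after the last push still surface

permissions:
  contents: read
  security-events: write  # required by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # one image's failure must not cancel the other images' scans
      matrix:
        version: ['1.0', '0.6', '0.5']   # remove '0.5' here once that image is retired
    steps:
      - name: Scan janusgraph:${{ matrix.version }}
        uses: aquasecurity/trivy-action@master   # prefer pinning to a release tag or commit SHA
        with:
          image-ref: docker.io/janusgraph/janusgraph:${{ matrix.version }}
          format: sarif
          output: trivy-${{ matrix.version }}.sarif
          exit-code: '0'          # keep the job green; the code scanning PR check decides on new alerts
          ignore-unfixed: true    # findings with no fixed package version cannot be cleared by a rebuild

      - name: Upload results for ${{ matrix.version }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-${{ matrix.version }}.sarif
          # A distinct category per image is the fix for the merged alert list:
          # uploads for the same commit and tool without a category are treated
          # as a single analysis, so the three images' alerts cannot be told apart.
          category: trivy-image-${{ matrix.version }}
```

With a category per image, the Security tab can be filtered to one image, and the 0.5 backlog no longer buries the 1.0 alerts. For the PR check, the scanner step itself exits 0; GitHub's code scanning check on a pull request reports the alerts the PR introduces relative to the base branch, and the severity at which that check fails is set in the repository's code scanning settings rather than in the workflow.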

farodin91 commented 1 year ago

The easiest way I see would be to move the Docker build process into the main repo. It would also solve other issues, such as not automatically releasing images with releases in the main repo, or the complexity of maintaining multiple versions in one branch.

FlorianHockmann commented 1 year ago

I agree, moving the image into the main repo would really make our life easier. I've posted this on janusgraph-dev to get more visibility in case anyone has good reasons against that: https://lists.lfaidata.foundation/g/janusgraph-dev/message/1613