ankidroid / Anki-Android

AnkiDroid: Anki flashcards on Android. Your secret trick to achieve superhuman information retention.
GNU General Public License v3.0

Switch dependency management to single file of versions and Renovate #11101

Open david-allison opened 2 years ago

david-allison commented 2 years ago

I've been thinking of switching to renovate at the same time, how about this as a separate issue - peel if you agree, I made the first sentence a good title

Renovate because it handles more ecosystems (Backend uses so many...) and it's open source and we're not super wedded to dependabot so it won't be hard to untangle. I've seen renovate in action on ACRA and it works well, plus you can disable it on forked repos (bonus, my fork's main branch won't have skew from main repo to turn off dependabot!)

_Originally posted by @mikehardy in https://github.com/ankidroid/Anki-Android/pull/11096#discussion_r858093048_

While we're here, we should also use version catalogs

mikehardy commented 2 years ago

https://www.whitesourcesoftware.com/free-developer-tools/renovate/

Example (and where I've watched it work):

david-allison commented 2 years ago

From trust: I'm sold.

For documentation: what are the pain points that this should fix that we currently have with dependabot?

mikehardy commented 2 years ago

With dependabot, if you fork a repo, the fork runs dependabot with no way to turn it off, so your fork repo gets dependency update PRs, which is very irritating. Renovate may be disabled for forks and comes up frequently on the related "dependabot should allow disable for forks" feature request in dependabot fora

This is actually a big deal for me, I hate having skew between my fork and upstream on main branch

With renovate you have broader support for more package ecosystems, https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem - this used to be a bigger deal but it looks like it has all the ones that matter at the moment. For react-native it doesn't do cocoapods so that's relevant to me (and thus, of value here, motivates me to commit to care and feeding of renovate) but not as relevant here

mikehardy commented 2 years ago

The new way to do dependency management, with a single version catalog outside (then referenced by) your build files is "Version Catalogs" in Gradle (a https://docs.gradle.org/current/userguide/platforms.html#sub:conventional-dependencies-toml - libs.versions.toml file)

Dependabot does not support and does not have it on their roadmap even https://github.com/dependabot/dependabot-core/issues/3121

Renovate supports https://github.com/renovatebot/renovate/issues/8692#issuecomment-911897526
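As an added illustration of the version-catalog layout mikehardy describes (not from this thread or the AnkiDroid repository; every coordinate and version below is a constructed placeholder), a `gradle/libs.versions.toml` file pins each version once, and the build scripts reference the catalog instead of repeating version strings. A bot such as Renovate then only ever edits the `[versions]` table, so a dependency-update PR touches one line and the history of why a library was added stays in the build script.

```toml
# gradle/libs.versions.toml  (constructed example, not AnkiDroid's real catalog)

[versions]
# Single source of truth. An update bot bumps these strings; nothing else changes.
kotlin = "1.7.10"          # placeholder version
androidxCore = "1.8.0"     # placeholder version
junit = "4.13.2"           # placeholder version

[libraries]
# Referenced from build.gradle.kts as libs.androidx.core (dashes become dots).
androidx-core = { module = "androidx.core:core-ktx", version.ref = "androidxCore" }
# A library may also pin its own version inline when it is not shared.
junit = { module = "junit:junit", version.ref = "junit" }

[bundles]
# Groups applied together, e.g. testImplementation(libs.bundles.test)
test = ["junit"]

[plugins]
# Applied in the plugins block as alias(libs.plugins.kotlin.android)
kotlin-android = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }
```

In `build.gradle.kts` the accessors then read `implementation(libs.androidx.core)` and `alias(libs.plugins.kotlin.android)`; Gradle fails the build if a catalog entry is renamed or removed, so a broken reference is caught at configuration time rather than silently resolving to a different artifact.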

github-actions[bot] commented 2 years ago

Hello 👋, this issue has been opened for more than 2 months with no activity on it. If the issue is still here, please keep in mind that we need community support and help to fix it! Just comment something like still searching for solutions and if you found one, please open a pull request! You have 7 days until this gets closed automatically

mikehardy commented 2 years ago

How time flies :-)

david-allison commented 2 years ago

I currently find it difficult to understand why a dependency was added because there's a lot of line noise: 1 change for each time the dependency is updated. This is why I proposed dependencies.gradle

Looking at the output of package.json: [link] the version numbers and packages seem to be on the same line, which means this doesn't seem to resolve my (minor) issue.

I'm ambivalent to Renovate, and my concern is a minor one. Does this paint us into a corner where the above issue is harder to solve?

mikehardy commented 2 years ago

libs.versions.toml + renovate is the state of the art, and solves these things all at once:

This is for Gradle builds only though. Package.json is the javascript ecosystem and would need a different solution

mikehardy commented 1 year ago

A note on this one related to investigation on gradle-update-wrapper failing over on Anki-Android-Backend:

DEPRECATED: Use Renovate bot to get PRs for gradle wrapper and dependencies

https://github.com/rahulsom/gradle-up

gradle-update-wrapper is dead but still in use here and on Anki-Android-Backend, apparently renovate handles updating the gradle wrapper as well, which would be an added bonus of a switch to renovate