apache / iceberg

Apache Iceberg
https://iceberg.apache.org/
Apache License 2.0

Check if dependencies in libs.versions.toml are the latest supported ones for JDK11 #10852

Open nastra opened 4 months ago

nastra commented 4 months ago

Feature Request / Improvement

Our dependencies are managed by dependabot. However, dependabot always suggests the latest version of a dependency, without actually considering the JDK version. Iceberg is now running with JDK11+ and we should check all dependencies in libs.versions.toml whether they are at the latest version for that JDK.

Query engine

None

Willingness to contribute

imneerajsharma commented 3 months ago

Can I work on this issue?

nastra commented 3 months ago

@imneerajsharma yes sure, I'll assign it to you. Thanks

imneerajsharma commented 3 months ago

Hi team,

I’m working on the issue where Dependabot suggests updates without considering the JDK version used in our project. Since Iceberg is now running on JDK 11+, it’s important to ensure that our dependencies listed in libs.versions.toml are compatible with JDK 11 before any updates are suggested.

I propose creating a GitHub Action that:

  1. Reads the JDK version specified in our build.gradle file.
  2. Automatically checks if the dependencies listed in libs.versions.toml are compatible with this JDK version.
  3. Ensures that Dependabot only suggests updates that are compatible with the JDK we’re currently using.

I’m a beginner contributor, so I’m keen to learn and would appreciate any feedback or guidance on this approach. Please let me know if this solution aligns with our needs or if there are any additional considerations or adjustments required.

Looking forward to your feedback.

nastra commented 3 months ago

@imneerajsharma thanks for looking into this. While 1 and 2 sound good, I don't think we can actually enforce 3 as I don't see any option to tell dependabot to only look for dependency upgrades for a given JDK (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)

imneerajsharma commented 3 months ago

Hi Team,

I’m working on automating compatibility checks for dependencies listed in libs.versions.toml with JDK 11. The main challenge I’m facing is identifying a reliable method to verify if each dependency version is compatible with JDK 11.

Currently, I’m using placeholder logic in my GitHub Action, but manual verification for each dependency is not feasible. Could you suggest any tools, APIs, or databases that could assist in automating this compatibility check?

Thank you for your assistance!

nastra commented 3 months ago

@imneerajsharma unfortunately I don't have a good suggestion in terms of tooling.
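
One way to automate part of the compatibility check discussed in this thread is to read the class-file major version of each resolved dependency jar and flag any that need a newer Java release than the build targets. This is an added example, not code from the thread or from the Iceberg project; the function names are hypothetical and the jars are constructed in memory with placeholder names.

```python
import io
import struct
import zipfile

def class_major(header: bytes):
    """Major version from the first 8 bytes of a class file, else None."""
    if len(header) < 8 or header[:4] != b"\xca\xfe\xba\xbe":
        return None
    return struct.unpack(">HH", header[4:8])[1]  # (minor, major), big-endian

def required_java(jar_bytes: bytes) -> int:
    """Highest Java release needed by a jar's base classes (0 if it has none)."""
    needed = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # Multi-release overlays are only loaded by JVMs new enough for them.
            if not name.endswith(".class") or name.startswith("META-INF/versions/"):
                continue
            with jar.open(name) as entry:
                major = class_major(entry.read(8))
            if major is not None:
                needed = max(needed, major - 44)  # major 52 = Java 8, 55 = Java 11
    return needed

def too_new(jars: dict, jdk: int = 11) -> dict:
    """Map jar name -> required Java release for jars that exceed `jdk`."""
    found = {name: required_java(data) for name, data in jars.items()}
    return {name: rel for name, rel in found.items() if rel > jdk}

def make_jar(entries: dict) -> bytes:
    """Build a constructed in-memory jar: entry name -> class-file major version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, major in entries.items():
            jar.writestr(name, b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major))
    return buf.getvalue()

# Constructed sample artifacts (names are placeholders, not real dependencies).
SAMPLE_JARS = {
    "lib-a-1.0.jar": make_jar({"a/A.class": 52}),
    "lib-b-2.0.jar": make_jar({"b/B.class": 55, "META-INF/versions/17/b/B.class": 61}),
    "lib-c-3.0.jar": make_jar({"c/C.class": 61}),
}

if __name__ == "__main__":
    for name, release in too_new(SAMPLE_JARS).items():
        print(f"{name}: needs Java {release}, build targets 11")
```

The bytecode level is only a lower bound: a jar that passes this check can still call APIs that are missing on JDK 11, so running the test suite on JDK 11 remains the final gate.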