Closed kajatiger closed 3 years ago
Love the idea of a rotation and have heard good things about depfu.
@kajatiger - love the idea of a dep rotation; looking at force for example, or Palette, or any of our other web areas it's clear things are very much out of date in places. Having a rotation like that would also help devs get more involved with the tooling aspect of our codebases.
However! That part of this RFC should be a separate RFC just because it's a significant process switch, and in regards to DepFu, there's a lot to talk about as we already have some competing dep managers in place.
Do you think you could break this into two RFCs?
Okay @damassi thanks for your suggestion. I split the RFCs in two now and it does make more sense to discuss things separately.
Since renovate (in the repos it is active on) works, but I agree it can be hard to configure, I'd like to try depfu and see how it feels as well. Eigen has renovate with a bunch of stuff disabled, which is not helping. I could add depfu on echo, which is much smaller, and help compare too. 🤔
Cool! Definitely like the idea of having consistent, easy-to-understand dependency updates for all of Artsy's repos.
Something I think this RFC should cover: how much would Depfu cost for Artsy? And how much work would it take to set up and maintain?
Does it cover languages other than Ruby?
If this RFC is accepted it might be good to outline a full migration path in the resolution section, and loop in some repo maintainers to help things along.
Depfu covers all Ruby, JS and Elixir projects.
Can you clarify how you mean that Dependabot's not configurable? It seems similar in most respects.
I'm not married to Dependabot, but do see a lot of value in being consistent across repositories. I wouldn't want something as foundational as dependency management to vary without good reasons.
Thank you @icirellik! I still find the dependabot config a bit counterintuitive, and also from our configurations now it is conflicting with the other RFC about a rotating dependency update routine. But I guess this can be discussed individually on a team level and repo level. In order to gain some insight on how to configure dependabot there is documentation here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates
So sadly closing this RFC now.
We decided to leave things as they are.
5: Unclear Resolution.
Some people were in favor of it, but some people did not see the benefits of the change.
We will stick to dependabot.
None
Proposal:
Let's use Depfu for automated dependency updates and configure them in a way that they will auto-merge minor changes (if CI is green) and only require a review/manual merge from a human when there are breaking changes and major version updates.
Reasoning
Examples for Configuration per Repository
Examples for Configurations on the whole account
Exceptions:
If a team is already very used to updating with renovate and their repos seem up to date on everything, they may keep their workflow with that tool on the repository that they work with.
Additional Context:
Looks like dependabot preview is also not maintained anymore. There is another RFC split from here: #401
How is this RFC resolved?
Resolved when every team has made a decision about this and committed to one working (‼️) method to keep their dependencies up to date regularly.