flathub / org.gnome.Calls

https://flathub.org/apps/details/org.gnome.Calls

Bump shared-modules from `ca525ba` to `1673277` #242

Closed dependabot[bot] closed 4 months ago

dependabot[bot] commented 4 months ago

Bumps shared-modules from ca525ba to 1673277.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

flathubbot commented 4 months ago

Started test build 126062

flathubbot commented 4 months ago

Build 126062 successful

To test this build, install it from the testing repository:

    flatpak install --user https://dl.flathub.org/build-repo/109024/org.gnome.Calls.flatpakref

bbhtt commented 3 months ago

Using dependabot and automerge for bumping shared-modules is not a valid reason. I see only intltool being used which barely receives any updates. https://github.com/flathub/shared-modules/tree/master/intltool Last update was 4 years ago.

https://github.com/flathub/org.gnome.Calls/blob/4b636a87d410dd19c75e77ed6ccfb16d43021114/org.gnome.Calls.yaml#L151

You don't need to update whole shared-modules. I'm disabling the merge on successful pipeline.

darkdragon-001 commented 3 months ago

@bbhtt what is the problem with this setup of keeping dependencies up to date in order to get security fixes as quickly as possible?

I also don't have the time to manually update dependencies for all the apps I maintain. Outdated dependencies often ship documented vulnerabilities.

bbhtt commented 3 months ago

You are expected to test or at least review the incoming PRs. If the whole process was automated there would be no need for any human maintainer or submitter.

You don't need to make any PRs for updates. The bot makes them for you, you have to just review and merge. That's the least one can expect from a maintainer.

"Security updates" aren't so black and white. Not every update is a security update, but if every update is auto-merged there is a risk that it can cause breakage to the app. Automation removes any possibility to catch it early before it is pushed to the user.

Currently dependabot is being used to bump shared-modules and the app uses intltool which is not very security sensitive. Also bumping shared modules to every new commit is totally unnecessary.

darkdragon-001 commented 3 months ago

@bbhtt the updates are reviewed by trusted Flathub maintainers when they make their way into shared-modules in the first place.

There are updates every other day ... for every module! This is more about a trust chain one has to establish. And believe me, updates do break the build often enough to require manual intervention! In contrast, when the build with an updated dependency passed, I have only seen very few breakages, as it is considered bad practice to change the behavior of an existing function without changing its interface.

bbhtt commented 3 months ago

Automerge for dependabot PRs for bumping shared-modules is unnecessary when you only use intltool, which received its last update 4 years ago.

There is no need to bump the whole shared module submodule when intltool is not receiving any updates.

That won't be changing.

Automerge for x-checker bot PRs might be allowed on providing valid reasons. You have to request an exception for that (starting June 17 that is being blocked). https://docs.flathub.org/docs/for-app-authors/linter#flathub-json-automerge-enabled
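The point made above is that a shared-modules submodule bump only matters to this app if it touches a module the manifest actually references. The following is an added reviewer check, not code from Flathub, shared-modules or this repository: it scans a manifest for `shared-modules/<name>/...` references and intersects them with the paths changed between the two submodule commits. The manifest excerpt and the changed-path list are constructed samples; in a real review the list would come from `git -C shared-modules diff --name-only <old> <new>`, which the optional `changed_paths_from_git` helper runs.

```python
import re
import subprocess
from typing import Iterable, List, Set

# Constructed manifest excerpt (not the real org.gnome.Calls.yaml). Flathub
# manifests consume shared-modules by listing a JSON file inside the submodule.
SAMPLE_MANIFEST = """\
modules:
  - shared-modules/intltool/intltool-0.51.json
  - name: calls
    buildsystem: meson
"""

# Constructed list of paths touched by a hypothetical submodule bump.
# None of them live under intltool/, so the bump is irrelevant to this app.
SAMPLE_CHANGED_PATHS = [
    "libsoup/libsoup-2.4.json",
    "gtk2/gtk2.json",
]

# Matches the directory name right after "shared-modules/" in a manifest line.
MODULE_REF = re.compile(r"shared-modules/([^/\s]+)/")


def used_shared_modules(manifest_text: str) -> Set[str]:
    """Names of the shared-modules directories the manifest references."""
    return set(MODULE_REF.findall(manifest_text))


def touched_modules(changed_paths: Iterable[str]) -> Set[str]:
    """Top-level shared-modules directories that the bump modifies."""
    return {p.split("/", 1)[0] for p in changed_paths if "/" in p}


def affected_modules(manifest_text: str, changed_paths: Iterable[str]) -> List[str]:
    """Modules that are both used by the app and changed by the bump."""
    return sorted(used_shared_modules(manifest_text) & touched_modules(changed_paths))


def bump_needs_review(manifest_text: str, changed_paths: Iterable[str]) -> bool:
    """True when the bump changes something the app actually builds from."""
    return bool(affected_modules(manifest_text, changed_paths))


def changed_paths_from_git(submodule_dir: str, old: str, new: str) -> List[str]:
    """Ask git for the files changed between two commits of the submodule."""
    out = subprocess.run(
        ["git", "-C", submodule_dir, "diff", "--name-only", old, new],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


if __name__ == "__main__":
    hits = affected_modules(SAMPLE_MANIFEST, SAMPLE_CHANGED_PATHS)
    if hits:
        print("bump touches modules this app uses:", ", ".join(hits))
    else:
        print("bump touches no module this app uses; nothing to update")
```

Running it on the constructed sample reports that nothing the app uses was touched, which is the case bbhtt describes: a submodule bump that changes unrelated modules does not need to be merged at all, while a bump that does touch `intltool/` should be read before merging.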

bbhtt commented 3 months ago

I'd be willing to enable automerge for dependabot PRs if some security-sensitive module from the shared-modules repo is actually being used (or in general if there's a legitimate need for it).

But that's not the case currently.

darkdragon-001 commented 3 months ago

@bbhtt I guess the apps I maintain will stop receiving updates then.