kubernetes-sigs / krew-index

Plugin index for https://github.com/kubernetes-sigs/krew. This repo is for plugin maintainers.
https://krew.sigs.k8s.io
Apache License 2.0
636 stars 489 forks source link

make version bump easier for plugin maintainers #270

Closed rajatjindal closed 4 years ago

rajatjindal commented 5 years ago

This issue is to continue discussion on using krew-plugin-release (or alternate) for auto-bumping the version in krew-index on a new release.

the original discussion can be found here: https://github.com/kubernetes-sigs/krew-index/pull/267

rajatjindal commented 5 years ago

so options that we have considered to far are:

  1. move krew-plugin-release ownership to krew team
  2. implement a bot user `krew-plugin-release-bot', which listens for events and submit PR's on behalf of user. (but fork of krew-index is done/owned by the bot, so enduser do not have to give fork/commit permissions to the github action)
  3. May be a webservice owned/managed by krew team that listens for release events (using github events), and auto-bump the version in krew-index.

more suggestions/alternates are welcome.

ahmetb commented 5 years ago
  • move krew-plugin-release ownership to krew team

Is the concern here that the owner of this repo potentially can extradite your GitHub token?

  • Implement a bot user `krew-plugin-release-bot', which listens for events and submit PR's on behalf of user. (but fork of krew-index is done/owned by the bot, so enduser do not have to give fork/commit permissions to the github action)
  • May be a webservice owned/managed by krew team that listens for release events (using github events), and auto-bump the version in krew-index.

Instead we've been thinking of this:

What do you think of this?

rajatjindal commented 5 years ago

The concern Chris had was if owner of krew-plugin-release turns out to be malicious, the token is quite powerful to cause damage. (which is a valid concern in my opinion).

that works too đź‘Ť

if we have a place to host a webservice, it might be easier and more efficient to do it based on a push notification.

ahmetb commented 5 years ago

So let's call "daily scanning of source repos for new stable releases" option 1.

Option 2: Write a public webhook that receives "tag" events from plugin repositories (plugin author must configure). When a valid event is received, the webhook would find the which plugin(s) are associated with that repo, and use a simple string replacement to prepare a patch. The patch then is sent as a PR to this repo by a "bot account" on GitHub (only to be auto-approved and merged without human intervention).

grzesuav commented 5 years ago

I just copy my previous comment: There is a general purpose tool for that, which is pretty extensible : https://github.com/renovatebot/renovate/ I would suggest to try to extend it. I do not know in details how it work, but generally there are two parts to write :

provider - some source of artifacts and versions detector - part which scans for file patterns (like plugin files) and is able to extract version used here Having those two, renovate compares the version and proposes a PR to update once newer version is found. It is mature tool and used across many companies and os projects

ahmetb commented 5 years ago

@grzesuav the fact that it's written in JS/TS is going to be a productivity blocker. I don't know if we (as Krew/k8s maintainer ecosystem) can maintain something like this. For me personally, it'll be an uphill battle.

If you have any expertise with it, we'd love to have you present it at a SIG meeting or something like that. I've scanned their docs and it's unclear to me where the "provider" and the "detector" lives and how they're authored.

grzesuav commented 5 years ago

@ahmetb the idea is that you do not need - you just add renovate bot access to your repository and configure it. I can make an issue report there to assess how difficult would be to add support to krew specific plugin files.

ahmetb commented 5 years ago

@grzesuav if you can follow up on that, that would be great. There's a bit of hesitation to give additional bots access in repositories, if it can operate on OSS repos through PRs that would be much better. In addition, we've heard from plugin developers that they don't want to give additional bots/apps access (to make a krew PR when there's a new tag etc).

grzesuav commented 5 years ago

Asked on their issue tracker : https://github.com/renovatebot/renovate/issues/4769

@ahmetb usual flow is that you give renovate bot developer access to repository (example : https://gitlab.com/grzesuav/kubectl-mtail/-/project_members) and then it watches for version updates and propose a PR : https://gitlab.com/grzesuav/kubectl-mtail/merge_requests/20/

ahmetb commented 5 years ago

Yeah I don’t think that’s going to work well for us each repo owner needs to install it. Instead we can scrape all repos and daily/hourly create PRs automatically to bump.

ahmetb commented 5 years ago

Thanks for investigating though. Really appreciate it.

grzesuav commented 5 years ago

@ahmetb but the repo owner do not need to install it. It would be needed only in this repository. I shown you my example, when I use it to bump version of docker images used in my gitlab-ci. The renovate scans various places (dockerhub, maven repo, npm repo) detects new version and proposes a upgrade.

ahmetb commented 5 years ago

Ahha, sorry I got confused heavily by GitLab's UI. This sounds doable, though it would be really good if it required no access at all so we could directly enable it. It seems like I'd have to get permission from SIG CLI to install this to our org. Do you know for their GitHub integration it's a read-only permission or RW?

grzesuav commented 5 years ago

https://docs.renovatebot.com/data-security/#github-permissions

grzesuav commented 5 years ago

it seems write permissions are needed, but they mention https://github.com/apps/forking-renovate which need only read permissions

ahmetb commented 5 years ago

Thanks. I'm nearly sure write permissions won't fly in this org. That's why Forking Renovate sounds promising. If it's ready for use, and you have some familiarity with JS, it's worth prototyping. I can't personally write JS beyond jquery. :)

Another concern would be that the project is backed by a commercial entity, so a solution that we write ourselves here has a chance of outliving the tool.

Similarly, I suspect Krew will have "custom needs", such as waiting for a while before auto-updating to a new release (because maybe the manifest owner needs to make a change with the new version). Every time we have a case we'll end up customizing the Renovate code for Krew (in the upstream?).

/cc @corneliusweig

grzesuav commented 5 years ago
  1. I not JS programmer either, but I believe with help of someone more familiar with renovate I can give a try, no promises though. Anyway I think approach in generalized form (not focusing on krew yamls, jut making it customizable) is a nice feature and probably will be useful also for others.

  2. I believe that then someone else will fork the project. It is really good and widely used, with no real alternative I am aware of.

  3. Renovate is easily customizable, via , renovate.json (https://gitlab.com/grzesuav/kubectl-mtail/blob/master/renovate.json) and have a lot of config options - I believe most of useful ones were implemented or have been requested. Would be best to evaluate special needs and cross check with documentation if they are present.

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

corneliusweig commented 4 years ago

I think krew-release-bot has already shown its usefulness. It is already documented as a good way to update plugin manifests in our contribution guidelines. So it's time to close this issue.

Issues about release-bot should be opened here https://github.com/rajatjindal/krew-release-bot.

/close

k8s-ci-robot commented 4 years ago

@corneliusweig: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/krew-index/issues/270#issuecomment-582606055): >I think `krew-release-bot` has already shown its usefulness. It is already documented as a good way to update plugin manifests in our contribution guidelines. So it's time to close this issue. > >Issues about release-bot should be opened here https://github.com/rajatjindal/krew-release-bot. > >/close > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.