wolfi-dev / wolfictl

A CLI used to work with the Wolfi OSS project
Apache License 2.0

Enable / Debug dependabot #397

Open vaikas opened 1 year ago

vaikas commented 1 year ago

Description

It was not immediately clear why some of the changes in melange made ~a week ago were not showing up in the CI pipeline, which was then causing some unexpected errors. Thanks to @joshrwolf for debugging and fixing it here: https://github.com/wolfi-dev/wolfictl/pull/396

We should be getting a more up-to-date melange. This is especially important if new pipelines are added, like here: https://github.com/chainguard-dev/melange/pull/679

My expectation was that this would surface ~the next day after all the propagations to dependabot, digestabot, etc., and that clearly didn't happen here. Seems like if we could remove the manual step above, we'd be well on our way to not having to remember to manually bump things.

@cpanato would you mind taking a look at this and see if this could be sorted?

stormqueen1990 commented 1 year ago

Related: the need to bump the melange dependency has been documented here (perhaps not the correct place?)

vaikas commented 1 year ago

Thank you!!! I totally missed it 🤣 I'm curious, however, if there's a reason we can't make this automagic via dependabot so one doesn't have to do things manually. If we can't or don't want to do that for some reason, at least I know now, and folks reviewing pipelines can remind people of the need for this.

cpanato commented 1 year ago

afaik Dependabot will not update a dependency if it is not pinned and is based on the main branch or other branches; it should have a tag on it.

for example: https://github.com/wolfi-dev/wolfictl/pull/284 this was using the main branch, and dependabot saw a tag and upgraded to that.

we have a few options here:

1. release or tag melange more often and then dependabot will do that job
   1.1. maybe have an automated job that tags melange daily...
2. have someone bump that in a certain cadence or ad hoc
3. write an action that bumps melange automatically and opens a PR (this can be daily and ad hoc)

vaikas commented 1 year ago

I think from these comments I just wasn't aware of the fact that one needs to tag things if pipelines are changed. The document that @stormqueen1990 pointed to was great, but I just wasn't aware of it, so I missed it. Maybe it's just as simple as adding a little blurb into the PR that says, if you modify pipelines (I assume it's not only constrained to new pipelines, but any modifications to pipelines) you must tag after it's been merged.

Or, maybe a variation of 1.1 would be to only tag daily if something in the pipelines dir has been merged, and tag it with something like YYYYMMDD.

I have no idea how hard the above would be to do, and I don't want to waste time on something that is sounding like just me missing the documents.
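The "tag only when the pipelines dir changed" variant of option 1.1 discussed in this thread, as an added sketch that is not wolfictl's or melange's own automation; it assumes the watched directory is named `pipelines/`, that tags are dated `YYYYMMDD`, and it separates the decision logic from the git calls so the decision can be exercised on constructed input:

```shell
#!/bin/sh
# Added sketch of a daily "tag melange if pipelines changed" job.
# Assumption: pipeline definitions live under pipelines/ and tags are YYYYMMDD.
PIPELINES_DIR="pipelines/"

# decide_tag: reads changed paths on stdin (one per line, as printed by
# `git diff --name-only`). Prints the tag to create and returns 0 when at
# least one path is under $PIPELINES_DIR; prints nothing and returns 1 otherwise.
#   $1 = date to use (YYYYMMDD)
#   $2 = optional newline-separated list of tags that already exist
decide_tag() {
    date="$1"
    existing="${2:-}"
    changed=$(grep "^${PIPELINES_DIR}" || true)
    [ -n "$changed" ] || return 1
    tag="$date"
    n=1
    # A second run on the same day must not collide with an existing tag,
    # so suffix it (20240115.1, 20240115.2, ...) until the name is free.
    while printf '%s\n' "$existing" | grep -qxF "$tag"; do
        tag="${date}.${n}"
        n=$((n + 1))
    done
    printf '%s\n' "$tag"
}

# run_in_repo: wires decide_tag to a real checkout. Compares HEAD against the
# most recent tag, or against the root commit if the repo has no tags yet.
run_in_repo() {
    last=$(git describe --tags --abbrev=0 2>/dev/null || git rev-list --max-parents=0 HEAD)
    tag=$(git diff --name-only "$last" HEAD | decide_tag "$(date -u +%Y%m%d)" "$(git tag -l)") || {
        echo "no changes under $PIPELINES_DIR since $last; not tagging"
        return 0
    }
    git tag -a "$tag" -m "pipelines changed since $last"
    echo "created tag $tag"
}
```

Run `run_in_repo` from a melange checkout on a schedule; a tagged release is what lets dependabot propose the bump in wolfictl's go.mod instead of leaving it on an untagged main-branch pseudo-version.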