Since I opened this discussion ~1 month ago, I have had the time to revisit the process, and my 'new' conclusion is that self-merging is probably going too far into automation at this point. I updated the dependency updates to run once per week and merged most of the Java PRs, so there should be less noise from now on. So let's better not do this; other ecosystems change, but it is not as fast as was worried about.
We have, however, many open PRs for Ruby, C# and JS, so if any of the contributors can sit and help with reviews/merges it would be great. Notice that the JS case in particular probably requires syncing the dependency updates because of conflicts between dependencies.

On Mon, Jan 4, 2021 at 11:59 AM Ismaël Mejía <[email protected]> wrote:
>
> We recently enabled dependabot to automate dependency upgrades [1]. Results so
> far seem good, including having new CVE alerts!
>
> Maybe we could automate further by auto-merging the PRs given some conditions,
> like a whitelist of dependencies that are now stable enough, and when tests are
> green we shall not have problems.
>
> It seems GitHub now has an option to do this [2], so I was wondering what other
> members of the community thought and if you see any possible issues/drawbacks
> before starting any work on this.
>
> [1]
> https://lists.apache.org/thread.html/r2a175f8b96dd7a5533336cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
> [2]
> https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request
