I like the idea of using the Scala Steward bot to keep Daffodil's library 
dependencies and sbt plugins up-to-date very much.  In fact, I noticed two more 
benefits you didn't mention due to a significant part of the Scala ecosystem 
already using the Scala Steward bot:

[1] 
https://github.com/scala-steward-org/scala-steward/blob/master/docs/scalafix-migrations.md

Some Scala libraries have written Scalafix rewrite rules for certain version 
updates which require code changes in addition to bumps in version numbers.  If 
the bot knows about these rules (there's a config file contributors already 
have added to), the bot can automatically rewrite code that would not compile 
with the new version of the dependency.

[2] 
https://github.com/scala-steward-org/scala-steward/blob/master/docs/artifact-migrations.md

Some dependencies change their group ids, artifact ids, or both, across some 
version updates.  If the bot knows about these artifact migration rules (again, 
there's a config file contributors already have added to), the bot can migrate 
dependencies to newer versions with different group/artifact ids automatically. 
 We can add Daffodil migration rules to this config file ourselves if we change 
our Daffodil modules' names in the future.

As Mike said, we need to take precautions against software supply chain hacks.  
The bot signs commits with a PGP key which has a known fingerprint and can be 
found at a known URL.  Even if we can automate that signature check, we still 
should require two committers to review and approve each pull request (while 
manually updating files like bin.NOTICE by pushing another commit to the pull 
request, making sure to squash commits) before we merge the bot's pull 
requests.  I agree that we're safer reviewing each dependency update one at a 
time (making sure to wait for CI checks to pass) than batching them together in 
warehouse-size chunks too.

FYI, the bot makes version bumps conservatively.  If there are newer patch, 
minor, and major versions available, the bot will propose an update to the 
latest patch version at the same major and minor version.  If the dependency is 
on the latest patch version next time, then the bot will propose an update to 
the latest minor version at the same major version.  Only when the dependency 
is on the latest minor version at the same major version, does the bot finally 
propose an update to the latest major version.  FYI, once we merge a dependency 
update, the bot may send us another pull request making another update for the 
same dependency but it's a good thing to be conservative like that.

John
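The patch-then-minor-then-major bump order described above, as an added example written for this thread (constructed model, not Scala Steward's own code); it assumes plain "major.minor.patch" version strings and treats each call as one proposed pull request.

```python
"""Model of the conservative update order described in the thread (constructed
example, not Scala Steward's own code). Assumes plain 'major.minor.patch'
strings; pre-release suffixes and non-numeric tags are out of scope."""

from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple (three numeric parts)."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def next_update(current: str, available: Iterable[str]) -> Optional[str]:
    """Return the one version the bot would propose next, or None if up to date.

    Tier order: latest patch at the same major.minor, then latest minor at the
    same major, then latest major. Merging a PR unlocks the next tier.
    """
    cur = parse(current)
    newer = [v for v in (parse(a) for a in available) if v > cur]
    if not newer:
        return None
    same_minor = [v for v in newer if v[:2] == cur[:2]]
    if same_minor:
        return fmt(max(same_minor))
    same_major = [v for v in newer if v[0] == cur[0]]
    if same_major:
        return fmt(max(same_major))
    return fmt(max(newer))


def update_path(current: str, available: Iterable[str]) -> List[str]:
    """Simulate merging each proposed PR in turn; returns the sequence of bumps."""
    available = list(available)
    path: List[str] = []
    nxt = next_update(current, available)
    while nxt is not None:
        path.append(nxt)
        nxt = next_update(nxt, available)
    return path


# Constructed sample of versions a dependency might have published.
SAMPLE_AVAILABLE = ["1.2.3", "1.2.4", "1.2.5", "1.3.0", "1.3.2", "2.0.0", "2.1.0"]
```

Starting from 1.2.3 with the sample list, the simulated sequence of pull requests is 1.2.5, then 1.3.2, then 2.1.0, which is why a single dependency can show up in several successive PRs.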

-----Original Message-----
From: Steve Lawrence <slawre...@apache.org> 
Sent: Thursday, March 4, 2021 1:10 PM
To: dev@daffodil.apache.org
Subject: EXT: Scala Steward for dependency updates?

I just stumbled across Scala Steward [1]. From their website, "Scala Steward is 
a bot that helps you keep library dependencies and sbt plugins up-to-date."

This bot periodically checks to see if there are any newer versions of 
dependencies, and if detected will create a pull request to update that 
dependency in the project/Dependencies.scala file.

I've enabled it on my fork as a test, and it just created a bunch of pull 
requests, so you can see what it looks like at my fork:

  https://github.com/stevedlawrence/daffodil/pulls

The benefit here is we can rely on this bot to keep our deps updated so we 
don't fall behind, and can rely on our GitHub actions to test if anything 
breaks for a particular dependency. So much of the process becomes automated.

Some parts are still manual, like checking that the license for the dependency 
hasn't changed, and updating the bin.NOTICE file which mentions library 
versions, so there's still some work. But it at least automates part of the 
process.

It also has a config file if needed to do things like pin certain dependencies 
to a version if needed, configure pull request messages, etc. My fork above 
just uses the default configuration.

If we do want to enable this, all we need to do is create a pull request to add 
"apache/daffodil" to the scala steward repo's file--pretty simple change.


Thoughts?

[1] https://github.com/scala-steward-org/scala-steward