Hi, All.
Since ORC-860, the Apache ORC community started to use
GitHub Action `Dependabot` to get weekly notifications
and automated testing.
- https://github.com/apache/orc/pull/762
We have three goals:
- Keep the ORC community up-to-date
- Remove the burden of new dependency monitoring.
- Convert the implicit knowledge about incompatibility to
the community-wide explicit one via `dependabot.yml`
Although the generated PRs have rich information,
those PRs are not mergeable directly. The following
is the general idea of how to handle them.
1. The committers should verify the real changes and
compatibility of dependencies.
2. After (1), we can make 4 decisions.
2.1. Make an official ORC JIRA issue to accept it
and update the PR title. After they become legit PRs,
you can approve and merge them.
Example: ORC-864
2.2. Make an official ORC JIRA issue to upgrade it
via a new PR. This is used when a big breaking change
is detected.
Example: ORC-865
2.3. Make an official ORC JIRA issue to reject it and
pin the version. The committers should make a new
pinning PR independently and add a commit message
like `Closes #xxx`, where xxx is the ID of the
Dependabot-generated PR. After making pinning PRs, you need to
follow a normal review and merge process.
Example: ORC-868, ORC-869
2.4. Ignore the dependency temporarily.
You can comment `@dependabot ignore this dependency`.
Example: https://github.com/apache/orc/pull/780
(Bump min.hadoop.version from 2.2.0 to 3.3.1 in /java)
`Dependabot` is a new helper for us. Please feel free to share
your opinion about how to utilize it for the ORC community.
Thanks,
Dongjoon.
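As an added illustration (not the ORC project's own file), the `dependabot.yml` shape that turns goal 3 above into explicit, reviewable configuration: a weekly Maven check of the `/java` tree with an `ignore` rule recording a known incompatibility, so the knowledge lives in the repository rather than only in a PR comment. The artifact name and version range are assumptions chosen for the example.

```yaml
# .github/dependabot.yml (example, not the ORC project's actual config)
version: 2
updates:
  - package-ecosystem: "maven"   # the ORC Java build lives under /java
    directory: "/java"
    schedule:
      interval: "weekly"         # matches the weekly notifications described above
    ignore:
      # Assumed example: record a known-incompatible major line explicitly,
      # so committers do not have to re-discover it on every Dependabot PR.
      - dependency-name: "org.apache.hadoop:hadoop-common"
        versions: [">=3.0.0"]
```

A rule added here is reviewed like any other change, which is the difference between this and the `@dependabot ignore this dependency` comment in 2.4: the comment is convenient but leaves no record in the source tree.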