Hi Misagh, it seems we have some consensus here, please go ahead and open an issue on
https://issues.apache.org/jira/browse/INFRA about this topic, thanks. Regards. On 11/12/19 15:13, Francesco Chicchiriccò wrote: > Hi Misagh, > renovatebot looks interesting and worth at least to explore the possibility > to add it at project's (rather than committer's level). > > +1 to go ahead and ask Infra team about it. > Regards. > > On 11/12/19 15:00, Misagh Moayyed wrote: >> Hey Team, >> >> I suspect most know about this sort of thing, but I thought to share this >> with you: >> https://github.com/renovatebot/renovate >> >> I think this is a useful tool to allow a Github project such as Syncope to >> automatically receive dependency updates and become self sufficient. It will >> attempt to parse the project's dependencies/pom and will then begin to issue >> pull requests with relevant updates. Its schedule, update policy and >> inclusion/exclusion rules can all be controlled via a .renovate JSON file. >> >> It can run in two ways: >> >> 1- As a GitHub app, which would be installed for the Apache org on Github >> and enabled for select repositories, such as Syncope. This option requires >> coordination/permission from Apache infra, and updates are then automatic. >> >> 2- As a CLI tool, where a committer's personal access token is passed as a >> command-line argument, and the tool can run as part of CI. This option >> probably does not require anything from Apache infra [?], and updates can be >> cancelled as part of the CI job that runs the tool. >> >> I am not sure what the CLA policy would be for bots; the second option >> probably [?] covers this, as PRs are issued on behalf of the committer whose >> AT is used. Either way, it seems like we need clarification from Apache >> infra. >> >> This is an example of a pull request by the bot: >> https://github.com/Jasig/uPortal/pull/1849 >> >> This is an example of the bot's JSON configuration file: >> https://github.com/Jasig/uPortal/blob/master/renovate.json >> >> How do you feel about this? Is this a good option to pursue and follow up? >> >> The bot also has the ability to rebase PRs, and can also take over the >> merging process automatically if CI passes or other rules allow. (At some >> point in the future, I think it will also gain the ability to travel back in >> time and kill Sarah Connor [1], but that has yet to be fully verified.) >> >> --Misagh >> >> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator) -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/