Sure, will do. Thanks everyone. --Misagh
----- Original Message ----- > From: "Francesco Chicchiriccò" <[email protected]> > To: "dev" <[email protected]> > Sent: Monday, December 16, 2019 12:22:45 PM > Subject: Re: Automating Syncope's dependency updates > Hi Misagh, > it seems we have some consensus here, please go ahead and open an issue on > > https://issues.apache.org/jira/browse/INFRA > > about this topic, thanks. > > Regards. > > On 11/12/19 15:13, Francesco Chicchiriccò wrote: >> Hi Misagh, >> renovatebot looks interesting and worth at least to explore the possibility >> to >> add it at project's (rather than committer's level). >> >> +1 to go ahead and ask Infra team about it. >> Regards. >> >> On 11/12/19 15:00, Misagh Moayyed wrote: >>> Hey Team, >>> >>> I suspect most know about this sort of thing, but I thought to share this >>> with >>> you: >>> https://github.com/renovatebot/renovate >>> >>> I think this is a useful tool to allow a Github project such as Syncope to >>> automatically receive dependency updates and become self sufficient. It will >>> attempt to parse the project's dependencies/pom and will then begin to issue >>> pull requests with relevant updates. Its schedule, update policy and >>> inclusion/exclusion rules can all be controlled via a .renovate JSON file. >>> >>> It can run in two ways: >>> >>> 1- As a GitHub app, which would be installed for the Apache org on Github >>> and >>> enabled for select repositories, such as Syncope. This option requires >>> coordination/permission from Apache infra, and updates are then automatic. >>> >>> 2- As a CLI tool, where a committer's personal access token is passed as a >>> command-line argument, and the tool can run as part of CI. This option >>> probably >>> does not require anything from Apache infra [?], and updates can be >>> cancelled >>> as part of the CI job that runs the tool. >>> >>> I am not sure what the CLA policy would be for bots; the second option >>> probably >>> [?] covers this, as PRs are issued on behalf of the committer whose AT is >>> used. >>> Either way, it seems like we need clarification from Apache infra. >>> >>> This is an example of a pull request by the bot: >>> https://github.com/Jasig/uPortal/pull/1849 >>> >>> This is an example of the bot's JSON configuration file: >>> https://github.com/Jasig/uPortal/blob/master/renovate.json >>> >>> How do you feel about this? Is this a good option to pursue and follow up? >>> >>> The bot also has the ability to rebase PRs, and can also take over the >>> merging >>> process automatically if CI passes or other rules allow. (At some point in >>> the >>> future, I think it will also gain the ability to travel back in time and >>> kill >>> Sarah Connor [1], but that has yet to be fully verified.) >>> >>> --Misagh >>> >>> [1] https://www.wikiwand.com/en/Sarah_Connor_(Terminator) > > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > http://home.apache.org/~ilgrosso/
