Re: Dependabot-like solution for Apache projects

2021-09-14 Thread Ismaël Mejía
At the time I thought the issue of write permissions was more about IP ownership of bot contributions, so I filed https://issues.apache.org/jira/browse/LEGAL-491. From the current discussion the 'write' permissions to create the branches seems more of a technical dependabot detail than a real

Re: Dependabot-like solution for Apache projects

2021-09-03 Thread Jarek Potiuk
Agree with Christopher that "technically" this does not matter if branch is fork PR or branch PR. And I also see the usefulness of Dependabot. I used it in the past and it's been extremely easy and helpful - with all the changelogs/release notes right in the PR you could find in exactly the moment

Re: Dependabot-like solution for Apache projects

2021-09-03 Thread Dave Fisher
I have similar thoughts about branches and a PR. If dependabot were allowed then a FAQ page on infra.apache.org would be useful regarding configuration and required review of the updated dependents. Such discussion would be focused on issues such as looking for

Re: Dependabot-like solution for Apache projects

2021-09-03 Thread Christopher
I feel like people are getting a bit hung up on the fact that dependabot creates branches in the repo directly when that isn't any different from what GitHub is doing for pull requests. Dependabot creates refs in git under refs/heads/dependabot/* (this is customizable, to some extent by the repo

Re: Dependabot-like solution for Apache projects

2021-09-03 Thread sebb
On Fri, 3 Sept 2021 at 01:09, Olivier Lamy wrote: > > On Fri, 3 Sept 2021 at 09:57, David Jencks wrote: > > > I’m afraid I don’t understand your “the result is the same” argument. > > > > result == Apache committer merging the bot commit > But that is not the only change to the repo. The repo

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread Olivier Lamy
On Fri, 3 Sept 2021 at 09:57, David Jencks wrote: > I’m afraid I don’t understand your “the result is the same” argument. > result == Apache committer merging the bot commit > > Let's say a company has 2 employees, Arthur, who is not an Apache > committer on project X, and Bernadette who is.

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread Chris Lambertus
> On Sep 2, 2021, at 4:31 PM, David Jencks wrote: > > The difference is whether a non-committer has write access to an Apache repo. > In this case the non-committer is some code GitHub maintains that we have no > control over. Why should we trust it not to modify a real branch? > > To

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread David Jencks
I’m afraid I don’t understand your “the result is the same” argument. Let's say a company has 2 employees, Arthur, who is not an Apache committer on project X, and Bernadette who is. Arthur writes some code and submits a PR to project X. In scenario 1, Bernadette merges the PR and in scenario

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread Olivier Lamy
I perfectly understand this. But my point was at the end the result is the same! If we follow such reasoning, why do we use github as we do not control what is happening there? but yeah I'm having an already lost discussion :) On Fri, 3 Sept 2021 at 09:32, David Jencks wrote: > The difference

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread David Jencks
The difference is whether a non-committer has write access to an Apache repo. In this case the non-committer is some code GitHub maintains that we have no control over. Why should we trust it not to modify a real branch? To now argue on the other side of the issue, the git website publishing

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread sebb
On Fri, 3 Sept 2021 at 00:16, Olivier Lamy wrote: > > So what happens here? > If I understand correctly dependabot creates a branch in a fork repository > with a commit then this commit is merged back to the Apache GitHub repo by > a committer. > > In the previous model dependabot created a branch

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread Olivier Lamy
So what happens here? If I understand correctly dependabot creates a branch in a fork repository with a commit then this commit is merged back to the Apache GitHub repo by a committer. In the previous model dependabot created a branch in the Apache GitHub repo then a committer merged this back to

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread David Jencks
After thinking about it for a couple of minutes I’m fully behind Apache policy forbidding automated commits to an Apache repository. If Eclipse allows such commits I’d rather suspect they haven’t noticed them. Assuming that dependabot can’t deal with making its branch in a separate repo it

Re: Dependabot-like solution for Apache projects

2021-09-02 Thread Olivier Lamy
Hi, Really? This sounds like a productivity killer to remove such a feature... the bot never writes to the master branch, it just creates a branch and PR which need to be validated/merged by a valid committer. FYI eclipse foundation definitely accepts this without problem so I guess we have a similar

Re: Dependabot-like solution for Apache projects

2021-08-31 Thread David Jencks
Theoretically, dependabot ought to be able to create its branch in a forked repo, just like any other non-committer, and create a PR from that, which can be merged by a committer. I believe this would give the same committer workflow without violating Apache policy. I have no idea if

Re: Dependabot-like solution for Apache projects

2021-08-31 Thread Gary Gregory
I am missing something here: the whole point of dependabot is that it creates a branch in GitHub, runs a build, and creates a PR. If you like the results, you can click merge, a huge time saver. I really don't want to lose this killer feature. Gary On Tue, Aug 31, 2021, 11:33 Chris Lambertus

Re: Dependabot-like solution for Apache projects

2021-08-31 Thread Chris Lambertus
Third party write access to code repositories is expressly forbidden by Foundation policy: https://infra.apache.org/repository-access.html Infra has worked with GitHub to prevent dependabot from being able to write to our repos, but it

Re: Re: Dependabot-like solution for Apache projects

2021-08-30 Thread Gary Gregory
The Apache git repo must be mirrored from Apache to GitHub, for example https://github.com/apache/commons-io, then you add a .github folder and files (see above link). Gary On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney wrote: > Thanks Gary and Sebb. > How do I turn dependabot on? Last time
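As an added illustration of the ".github folder and files" step Gary refers to (this is example configuration, not the thread's own text or any Apache project's file): a minimal `.github/dependabot.yml` for a Maven build. The ecosystem, directory, schedule, limit and commit-message prefix are assumptions chosen for the example. Note that this file only tells Dependabot what to check and how often; whether Dependabot may open branches and pull requests in an ASF repository at all is the Infra policy question discussed in the rest of this thread, and the config does not change that.

```yaml
# .github/dependabot.yml  (added example; assumes pom.xml at the repository root)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # assumption: the Maven build lives at the repo root
    schedule:
      interval: "weekly"           # weekly rather than daily keeps the PR and mail volume down
    open-pull-requests-limit: 5    # cap on simultaneously open bot PRs
    commit-message:
      prefix: "build"              # hypothetical prefix so bot commits are easy to spot in history
    ignore:
      # Leave major-version bumps to a human: they are the updates most likely
      # to change behaviour, so they deserve a deliberate review rather than a click-merge.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
  - package-ecosystem: "github-actions"   # also keep the workflow actions themselves current
    directory: "/"
    schedule:
      interval: "weekly"
```

Each resulting pull request still has to be reviewed and merged by a committer; the `ignore` rule above is the knob to use when the review load Dave Fisher and sebb mention above is a concern, since it removes the riskiest class of updates from the automated stream without disabling the tool.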

Re: Dependabot-like solution for Apache projects

2021-08-30 Thread Chris Lambertus
We still do not allow dependabot to write to repos. There is a way to receive the dependabot alerts via email, but no write access to the repo. > On Aug 30, 2021, at 9:50 AM, Jarek Potiuk wrote: > > I believe that changed when Github bought dependabot and it became > "embedded" in GitHub

Re: Re: Dependabot-like solution for Apache projects

2021-08-30 Thread Jarek Potiuk
I believe that changed when Github bought dependabot and it became "embedded" in GitHub soon after: https://dependabot.com/blog/hello-github/ J. On Mon, Aug 30, 2021 at 3:43 PM Lewis John McGibbney wrote: > Thanks Gary and Sebb. > How do I turn dependabot on? Last time I tried I was informed

Re: Re: Dependabot-like solution for Apache projects

2021-08-30 Thread Lewis John McGibbney
Thanks Gary and Sebb. How do I turn dependabot on? Last time I tried I was informed that due to the program requiring write permissions to the repository, it wasn’t possible… This policy must have changed… Thanks for any info. lewismc On 2021/08/29 14:42:00 Gary Gregory wrote: > Most of Apache

Re: Dependabot-like solution for Apache projects

2021-08-29 Thread sebb
On Sun, 29 Aug 2021 at 15:42, Gary Gregory wrote: > > Most of Apache Commons components are happy users of Dependabot, which is > used on our GitHub mirrored repositories. Not all the developers are happy however, as it generates lots and lots of mail traffic, as well as extra work. It has

Re: Dependabot-like solution for Apache projects

2021-08-29 Thread Gary Gregory
Most of Apache Commons components are happy users of Dependabot, which is used on our GitHub mirrored repositories. Gary On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney wrote: > Hi builds@, > I was advised to ask my question here instead of general@incubator. > Thanks for any feedback > >

Dependabot-like solution for Apache projects

2021-08-29 Thread lewis john mcgibbney
Hi builds@, I was advised to ask my question here instead of general@incubator. Thanks for any feedback > I understand that we cannot use automated tooling, specifically Dependabot ( > https://dependabot.com/) because it requests write access to the ASF > project source code. > I have found this