syncope-dev mailing list archives

From Misagh Moayyed
Subject Automating Syncope's dependency updates
Date Wed, 11 Dec 2019 14:00:25 GMT
Hey Team,

I suspect most know about this sort of thing, but I thought to share this with you:

I think this is a useful tool to allow a GitHub project such as Syncope to automatically receive
dependency updates and become self-sufficient. It will attempt to parse the project's dependencies/pom
and will then begin to issue pull requests with relevant updates. Its schedule, update policy
and inclusion/exclusion rules can all be controlled via a .renovate JSON file.

It can run in two ways:

1- As a GitHub app, which would be installed for the Apache org on GitHub and enabled for
select repositories, such as Syncope. This option requires coordination/permission from Apache
infra, and updates are then automatic.

2- As a CLI tool, where a committer's personal access token is passed as a command-line argument,
and the tool can run as part of CI. This option probably does not require anything from Apache
infra [?], and updates can be cancelled as part of the CI job that runs the tool. 

I am not sure what the CLA policy would be for bots; the second option probably [?] covers
this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems
like we need clarification from Apache infra.

This is an example of a pull request by the bot:

This is an example of the bot's JSON configuration file:

How do you feel about this? Is this a good option to pursue and follow up?

The bot also has the ability to rebase PRs, and can also take over the merging process automatically
if CI passes or other rules allow. (At some point in the future, I think it will also gain
the ability to travel back in time and kill Sarah Connor [1], but that has yet to be fully


