syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matteo Alessandroni <>
Subject Re: Automating Syncope's dependency updates
Date Wed, 11 Dec 2019 15:15:46 GMT
Hi Misagh,

I find your proposal very interesting, so for me +1.

Just want to underline that /Renovate/ has recently joined /WhiteSource/ 
and this is a plus IMHO because /WhiteSource/ is known to deal with the 
open source security world and the takeover let them provide their 
offerings for free (a good news for us too :)).
Moreover, I remember I heard about /Renovate/ in the front-end world 
context, it was mentioned to be very useful for all the projects using 
NPM packages.



On 11/12/19 15:00, Misagh Moayyed wrote:
> Hey Team,
> I suspect most know about this sort of thing, but I thought to share this with you:
> I think this is a useful tool to allow a Github project such as Syncope to automatically
receive dependency updates and become self sufficient. It will attempt to parse the project's
dependencies/pom and will then begin to issue pull requests with relevant updates. Its schedule,
update policy and inclusion/exclusion rules can all be controlled via a .renovate JSON file.
> It can run in two ways:
> 1- As a GitHub app, which would be installed for the Apache org on Github and enabled
for select repositories, such as Syncope. This option requires coordination/permission from
Apache infra, and updates are then automatic.
> 2- As a CLI tool, where a committer's personal access token is passed as a command-line
argument, and the tool can run as part of CI. This option probably does not require anything
from Apache infra [?], and updates can be cancelled as part of the CI job that runs the tool.
> I am not sure what the CLA policy would be for bots; the second option probably [?] covers
this, as PRs are issued on behalf of the committer whose AT is used. Either way, it seems
like we need clarification from Apache infra.
> This is an example of a pull request by the bot:
> This is an example of the bot's JSON configuration file:
> How do you feel about this? Is this a good option to pursue and follow up?
> The bot also has the ability to rebase PRs, and can also take over the merging process
automatically if CI passes or other rules allow. (At some point in the future, I think it
will also gain the ability to travel back in time and kill Sarah Connor [1], but that has
yet to be fully verified.)
> --Misagh
> [1]

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message