-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: group tools/mod updates and update only direct dependencies #18992
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mmorel-35 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @mmorel-35. Thanks for your PR. I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
f26d216
to
cbb9450
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted filessee 27 files with indirect coverage changes @@ Coverage Diff @@
## main #18992 +/- ##
==========================================
+ Coverage 68.77% 68.80% +0.02%
==========================================
Files 420 420
Lines 35623 35623
==========================================
+ Hits 24500 24509 +9
+ Misses 9694 9691 -3
+ Partials 1429 1423 -6 Continue to review full report in Codecov by Sentry.
|
/ok-to-test |
/test pull-etcd-integration-1-cpu-amd64 |
.github/dependabot.yml
Outdated
- dependency-type: direct | ||
groups: | ||
tools-mod: | ||
patterns: | ||
- "*" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems reasonable to me, most of our purely indirect dependencies come from tools so we end up closing them. Thanks for proposing it @mmorel-35, it should reduce weekly spam pr's. What do you think @ivanvc?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this PR has some overlap with the work from issue #18925.
That aside, I tested it in my fork, and it seems like dependabot is tidying the module correctly (ivanvc#450), as there is only a single directory specified (it looks like the tidying bug is only present when there is more than one directory specified).
The only potential risk I see is that if we have a dependency in /tools/mod
that is also used in other submodule (i.e., github.com/gogo/protobuf
, go.etcd.io/raft/v3
, github.com/grpc-ecosystem/grpc-gateway/v2
), our CI check pull-etcd-verify
(verify-dep
), will fail because the dependencies won't be at the same version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An alternative would be first to merge the manual updates (including updating /tools/mod
dependencies that are used in other modules). Then, wait for dependabot to update the grouped pull request. Finally, we could merge the grouped /tools/mod
PR.
Even though it can be an alternative, it may not be viable (as just writing the steps in the previous paragraph took me a while to ensure I got it right). This alternative could also be potentially confusing, and instead of decreasing the toil, it could possibly increase it 😅... But I'm trying to think of alternatives to make this work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, I'm in favor of keeping dependency-type: direct
but dropping the group. What do you think, @jmhbnz?
It reduces the spam (and somewhat minimizes the toil), but we'll need to keep the manual process as is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me, let's go with just the dependency-type: direct
for this pr @mmorel-35.
Link to #18925. |
@mmorel-35: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
d5b952d
to
0fc2ae6
Compare
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
0fc2ae6
to
ad76095
Compare
Concerning tools update it seems more appropriate to update only direct dependencies.
They can also be grouped in one PR update.