Improve automatic dependency updates #3637

Open
twpayne opened this issue Mar 8, 2024 · 3 comments
Labels
enhancement (New feature or request), help wanted (Extra attention is needed), internal (Does not affect users)

Comments

@twpayne
Owner

twpayne commented Mar 8, 2024

Is your feature request related to a problem? Please describe.

I'm always frustrated when I have to update chezmoi's dependencies as it requires a lot of manual work:

  • I can update most Go modules in go.mod with go get -u -t ./..., but I then need to run make test-release to build chezmoi for all platforms to update go.sum, as long as these are only minor version bumps.
  • Dependabot currently opens per-Go-module PRs, which is a lot of PR noise.
  • I check for major Go module version bumps with gomajor, but dealing with the output of this sometimes requires additional work.
  • I have a private script for updating GitHub Actions versions.
  • For tool versions, I currently have to manually check each one of them.
  • Very rarely, I check Python requirements (in chezmoi's various requirements*.txt files).

Describe the solution you'd like

I would like an automatic tool to propose high-level dependency update PRs that update related dependencies together, e.g. bumping all minor Go module version dependencies in the same PR.

Describe alternatives you've considered

Keeping this as-is, or writing some tooling myself.

Additional context

  • I'd love help with this.
  • It's not necessary to solve all of the above problems in one go.
  • I think that switching from dependabot to renovatebot might help.
  • If you want to work on this, please say so in a comment on this issue so people don't end up duplicating work.

twpayne added the enhancement (New feature or request), help wanted (Extra attention is needed), and internal (Does not affect users) labels on Mar 8, 2024
@halostatue
Collaborator

I tried and moved back from Renovate; I didn't like it — I should consider giving it another try.

Dependabot grouping is somewhat useful, and there is the ability to use update-types to ensure that minor or patch items are upgraded as one PR.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
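
The grouping described in the comment above, sketched as a `dependabot.yml`. This is an added example, not part of the thread and not chezmoi's actual configuration. The group names, the `/` directories and the weekly schedule are assumptions.

```yaml
# .github/dependabot.yml (illustrative; not the project's own file)
version: 2
updates:
  # Go modules: one PR for all minor and patch bumps.
  - package-ecosystem: "gomod"
    directory: "/"            # assumed location of go.mod
    schedule:
      interval: "weekly"      # assumed cadence
    groups:
      go-minor-patch:         # hypothetical group name
        patterns:
          - "*"               # every module is eligible for the group
        update-types:
          - "minor"
          - "patch"
    # Major version bumps match no group, so each still gets its own PR.
    # That suits updates that need import path or API changes in source.

  # GitHub Actions: all action version bumps batched into a single PR.
  - package-ecosystem: "github-actions"
    directory: "/"            # Dependabot looks under .github/workflows
    schedule:
      interval: "weekly"      # assumed cadence
    groups:
      actions:                # hypothetical group name
        patterns:
          - "*"
```

A grouped PR still changes several dependencies at once, so the `go.sum` diff and each module's changelog need the same review as the individual PRs would have received.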

@icholy

icholy commented May 13, 2024

@twpayne gomajor list takes an optional -json flag.

@twpayne
Owner Author

twpayne commented May 13, 2024

Thanks! The issue with bumping major versions is that it requires modifying the source files (i.e. at least updating import statements with the new package path, and occasionally modifying code for the new API). However, the -json flag to gomajor list should make it easier to write some basic automation around this, thank you!
