
Dependency Management Automation #1676

Open
aorinevo opened this issue Apr 11, 2020 · 4 comments

Comments

@aorinevo (Contributor) commented Apr 11, 2020

Note: this issue is a port of NerdWalletOSS/shepherd#111

Narrative

As a maintainer of Handlebars, I want a quick and easy way to keep dependencies up-to-date and reduce the level-of-effort associated with the corresponding releases.

Proposed Change

The proposed change is to integrate renovate, renovate approve, semantic commits, and semantic-releases.

With the right combination of settings across these four GitHub apps, CI/CD can take care of updating minor and patch dependencies (relative to the semantic commit message), approving and merging of the corresponding PRs, publishing a new tag version, and finally updating release notes (if needed) and changelog.

Technical Details

  • Use github workflows
  • Add GH_TOKEN secret with properly provisioned token (repo access is sufficient)
  • Need to decide on a set of types that will trigger releases and the corresponding semver bump. For example, we can have:
    • docs, style, refactor, and perf map to a patch semver bump
    • feat maps to a patch semver bump
  • conventional commits should use the following scopes:
    • parser, compiler, runtime, cli
  • Update documentation in CONTRIBUTING.md

ROI

  • near real time vulnerability and security patches
  • reduced overhead for maintainers
  • reduced CI/CD failures for consumers (at least for those that run npm audit as part of their CI)

DependaBot vs RenovateBot

                                            DependaBot   RenovateBot
post install config (i.e. run npm dedupe)   No           Yes
price                                       Free         Free

Nice to have

  • WIP app

Notes
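As an added example (not code from the Handlebars project, semantic-release or Renovate), the script below shows the release-rule step of the technical details above in working form: it parses conventional-commit headers, rejects commits whose scope is outside the proposed set (parser, compiler, runtime, cli), and folds the commit types found since the last tag into a single semver bump. The rule table follows the issue's example mapping; the `fix` entry, the major bump for `!`/`BREAKING CHANGE` commits, the sample commit messages and the 4.7.3 starting version are assumptions made here.

```javascript
// Added example, not Handlebars or semantic-release code: given the commit
// messages that landed since the last tag, decide which semver bump (if any)
// a release job should publish, enforcing the commit types and scopes the
// issue proposes. Rule table, sample commits and versions are constructed.

// Scopes the issue proposes for conventional commits.
const ALLOWED_SCOPES = new Set(['parser', 'compiler', 'runtime', 'cli']);

// Type -> bump, as in the issue's example (docs/style/refactor/perf and feat
// all map to patch). 'fix' is an assumption added here; unlisted types such
// as chore or test trigger no release on their own.
const RELEASE_RULES = {
  docs: 'patch',
  style: 'patch',
  refactor: 'patch',
  perf: 'patch',
  feat: 'patch',
  fix: 'patch',
};

const BUMP_RANK = { patch: 1, minor: 2, major: 3 };

// Conventional Commits header: type(scope)!: subject  (scope and ! optional)
const HEADER_RE = /^(?<type>[a-z]+)(?:\((?<scope>[^()]*)\))?(?<bang>!)?: (?<subject>\S.*)$/;

function parseCommit(message) {
  const lines = message.split('\n');
  const m = HEADER_RE.exec(lines[0].trim());
  if (!m) return null;
  const body = lines.slice(1).join('\n');
  // A "!" after the scope or a BREAKING CHANGE footer marks a breaking change
  // (Conventional Commits spec). The issue lists no rule for it, so the major
  // bump applied in bumpFor() is an assumption.
  const breaking = m.groups.bang === '!' || /^BREAKING CHANGE: /m.test(body);
  return {
    type: m.groups.type,
    scope: m.groups.scope === undefined ? null : m.groups.scope,
    subject: m.groups.subject,
    breaking,
  };
}

function bumpFor(commit, rules = RELEASE_RULES) {
  if (commit.breaking) return 'major';
  return Object.prototype.hasOwnProperty.call(rules, commit.type) ? rules[commit.type] : null;
}

// Reduce a list of commit messages to one bump plus the commits that violate
// the conventions (unparseable header or unknown scope). A CI job should fail
// on problems rather than publish a release computed from the remainder.
function planRelease(messages, { rules = RELEASE_RULES, scopes = ALLOWED_SCOPES } = {}) {
  const problems = [];
  let bump = null;
  for (const message of messages) {
    const header = message.split('\n')[0];
    const commit = parseCommit(message);
    if (commit === null) {
      problems.push(`not a conventional commit: "${header}"`);
      continue;
    }
    if (commit.scope !== null && !scopes.has(commit.scope)) {
      problems.push(`unknown scope "${commit.scope}": "${header}"`);
      continue;
    }
    const candidate = bumpFor(commit, rules);
    if (candidate !== null && (bump === null || BUMP_RANK[candidate] > BUMP_RANK[bump])) {
      bump = candidate;
    }
  }
  return { bump, problems };
}

function nextVersion(current, bump) {
  const [major, minor, patch] = current.split('.').map(Number);
  switch (bump) {
    case 'major': return `${major + 1}.0.0`;
    case 'minor': return `${major}.${minor + 1}.0`;
    case 'patch': return `${major}.${minor}.${patch + 1}`;
    default: return current; // no release
  }
}

// Constructed sample input, shaped like `git log --format=%B` output.
const SAMPLE_COMMITS = [
  'docs(cli): describe the precompile flags',
  'refactor(compiler): split helper resolution into its own function',
  'chore(deps): update dependency mocha to v7.1.1', // scope not in the allowed set
  'test: add coverage for partial blocks',           // no release on its own
];

const samplePlan = planRelease(SAMPLE_COMMITS);
console.log(samplePlan.problems, samplePlan.bump, nextVersion('4.7.3', samplePlan.bump));
```

One caveat the sample exposes: the commits Renovate opens are typed and scoped by its own configuration (by default a scope of its own, `deps`, unless `semanticCommitScope` is set), so the scope whitelist and the rule table have to agree on how a dependency update is classified. Otherwise automerged dependency updates either fail the scope check or never produce a release, and the "near real time security patches" benefit is lost.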

@ErisDS (Collaborator) commented Apr 11, 2020

Just want to add a +1 for renovate here. I’ve used it extensively and it is a fantastic tool.

@nknapp (Collaborator) commented Apr 15, 2020

Do we need extra config for renovate in the repo? If yes, we should add it first and install the bot.

@aorinevo (Contributor, issue author) commented

We will need a renovate.json file to house the configuration; however, it is worth noting that renovate can be enabled without risk:

Renovate will not make any changes to your repository or raise any further Pull Requests until after you merge this initial Pull Request. So if there is anything about the Pull Request that you don't like or understand, take your time to read documentation or ask questions in one of our support forums and merge the PR only once you're satisfied with the result. You can edit your Renovate configuration within this renovate/configure branch and Renovate will keep updating the description in the PR to match, so you can keep doing that until you're satisfied with the results.

~ from https://docs.renovatebot.com/configure-renovate/

@jaylinski (Member) commented

ℹ️ There is now a dependabot configuration: https://github.com/handlebars-lang/handlebars.js/blob/master/.github/dependabot.yml
