Replace dependabot with renovate #496
…to see downstream issues dependabot causes, for example hazendaz#107. In the past week, if you look at the PRs over there on the fork, I've had to close out many from dependabot, which is a pain and a long, long-standing defect with GitHub's dependabot since before they owned it.

For what it's worth, GitHub does allow you to disable dependabot checks on forks... and it's off by default now. So, I don't think this is strictly necessary. See my comment on revelc/formatter-maven-plugin#711 (review).
The link you provided says you can delete/recreate the fork OR click Disable. It's a one-button click. Whether or not the maintainer chooses to go with renovate, I just wanted to make sure that they know it's not strictly necessary to avoid the spam. It's just a one-button click for any existing repos. That button has been there for a long time. The only change is whether it's on by default when you fork.

It's not on my fork, hence the ongoing issue. No button to disable, even. It's the same on dozens of them. Maybe we can Zoom sometime and you can show me what I'm missing. I did kill it on my fork there for formatter and I'm using renovate there now. I simply deleted the YAML file, so it's done now. May be worth showing why renovate is better. PRs even are better. Interaction easier, etc. No typing, just ticking boxes. And they have more user growth, big backing, etc. Even partnered with AWS. Sure, dependabot is owned by GitHub...err, Microsoft...but that wasn't always the case and I'm sure my issues are for that reason. I got it added in most places I touched and from the prior service, not v2 YAML.
Weird. For your fork, it should be at: https://github.com/hazendaz/license-maven-plugin/settings/security_analysis

I've looked at Renovate and even if I see its value for some other projects, for this one I don't see any advantage over dependabot, besides requiring a more complex config and being less GitHub-integrated. I would highly prefer you disable dependabot on your forks (I don't even know how you had that enabled: I have many forks myself and never got any PRs or alerts regarding dependabot on any of my forks...). Let's keep this issue in the backlog for now.
That's fine, but there is zero configuration that needs to be set. Today you have a dependabot file. Renovate also adds a file, only to indicate you agree to use it. In fact, the purpose of the first pull request after signing the repo up is so one understands how it works. You never again need to touch that file. After that it opens an issue that is for everyone to easily see all dependencies used. I'll get you a few links to show its usage. From that point anyway you never have to type like one does with dependabot, and it further tracks what is blocked. So you as owner can just interact in one spot without typing your intentions at all times. And yes, one could configure it like crazy, but there is basically no need to ever do so.

Anyway, we have 2k strong on it for 3 years and our firm is now rolling it out to 25k repos. It's better to see it live anyway, but totally your call in the end.
I personally don't mind changing, but I still just don't see the value for this project, even if I completely agree with all that you said :-)

OK to just reset. Dependabot fails to just update all poms. Not to mention it raised a CVE fix we likely just overlooked. Renovate will address these. In the case where everyone is not really cool with an external, non-GitHub solution (dependabot wasn't either at one time), I can just set up my local and let it do the work and merge in. Since this specific project just forces squash, you won't really see that in history unless 1-to-1 merge. That said, that is the approach I'll take with this and others I'm mostly concerned with. While there are notes on how to shut up dependabot, none actually work if one came before it was consumed by GitHub (i.e. it greatly affects me but clearly not others). That may have to do with being part of that track originally and separately set up entirely with dependabot in general. As noted, it's still reported to GitHub regularly and I keep getting alerts as well when people go after GitHub for poor behavior there. Regardless, keep things as is; going to close this issue. I'll set up what I need, I'll adjust my default branch, which also resolves the dependabot madness for me, and I'll raise renovate PRs that way, which if you look I merge most of these anyway. That way, no new stuff there, I'm happy, everyone is happy, and we can proceed as usual. Probably no need to discuss more, but a thumbs up or down to my approach will work. I won't bother bringing up the concern again post this, as the model I've proposed here is satisfactory to me, I think it's clearly OK to the group, and we continue on working on real issues, the code :)

Reopening this as I would like to have this reconsidered once again. Just like my prior note, dependabot is not finding everything. I had to again manually fix some usage. I also have zero clue what dependabot thinks we want, don't want, or what we even use. If setup is a concern, grant me enough access here and within 10 minutes it will be live. It is integrated with GitHub, btw. Many in the marketplace are entirely separate platforms with very little integration; this one is not. If the team doesn't like it after using it, then fine, remove it, but give it a chance first. On current dependabot we didn't even set up the GHA portion, as it has to be told everything, so we miss all those updates. On the renovate dashboard, which dependabot does not have, see an example -> hazendaz/base-parent#437. Please reconsider this, given that in 99% of the cases I'm the only one merging these as it is. And for my sanity, I prefer to have the defect in dependabot resolved. It still sends PRs constantly to forks. I'd like to be more involved here and this one is super important to me because of the level at which it actually works. I'm already 100% provisioned with them for a long time, so setting any repo up with it takes roughly 2 minutes. Long enough for it to send me 2FA to approve it and select the repo. In fact, I have the dashboard up now and if I am part of this org, done deal quickly. If anything else, it will at least tell us what our code is made up of. One thing of note: you still 100% retain integrated dependabot for security vulnerabilities. That part doesn't go away. This is just for the day-to-day stuff.
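As an added illustration of the "it has to be told everything" point in the comment above (this is example configuration written for this page, not the project's actual `.github/dependabot.yml`, which the thread never shows): Dependabot version-update PRs are only generated for ecosystems explicitly listed under `updates`, so a file that names only `maven` will never bump the `uses:` pins in `.github/workflows/*.yml`. The `github-actions` entry below is the part the comment says was never set up. The Maven-at-repo-root layout, the weekly schedule and the PR limit are assumptions for the example.

```yaml
# Example .github/dependabot.yml (added illustration, not this project's file).
# Assumes a Maven build with pom.xml at the repository root and workflows
# under .github/workflows/.
version: 2
updates:
  # Maven: the ecosystem a Java project typically configures first.
  - package-ecosystem: "maven"
    directory: "/"               # location of the root pom.xml
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10 # cap on concurrently open version-update PRs

  # GitHub Actions: the ecosystem the comment above says was never set up.
  # Dependabot scans only the ecosystems listed here, so without this entry
  # actions/checkout, setup-java and similar workflow pins are never updated.
  # Security alerts (Dependabot alerts) are a separate repository feature and
  # keep working regardless of what is listed in this file.
  - package-ecosystem: "github-actions"
    directory: "/"               # for github-actions, "/" means .github/workflows/
    schedule:
      interval: "weekly"
```

Every ecosystem the project uses (Maven, Actions, Docker, npm, and so on) needs its own entry here, which is the per-ecosystem opt-in the comment is contrasting with Renovate's onboarding file; a minimal `renovate.json` generally needs only `{"extends": ["config:recommended"]}` (general Renovate knowledge, not something this thread states) and discovers the ecosystems itself.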
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Currently this project uses dependabot. Dependabot has a huge negative impact on contributors who had repos forked long before that, which results in excessive downstream pull requests. It also isn't as good at detection. A simple and far more effective solution is to use Renovate, which is also free.
Steps to introduce.
Example links to see this in action (over at mybatis)
Effort to switch, minutes...