
Package lock auto update #40506

Closed

Conversation

tjenkinson
Contributor

I realise there's no issue in the Backlog milestone for this. If it's also required for CI changes I can create one or just close this

I noticed in #40146 you added the package-lock and also the action to update it daily.

This PR configures dependabot to automatically open PRs for dependency updates. It then also adds an auto merge action (disclaimer: I wrote this) and configures it to automatically merge PRs that are created by dependabot when the required status checks pass. I'd suggest making some of the checks required so that the merge is blocked if it causes build/test failures.

I think this approach is slightly better than the existing update-package-lock workflow because having the update opened on a PR means all the (required) PR checks run and need to go green before the update is merged, so if there is a dependency update that contains a breaking change, it might be caught before it hits devs, and it is highlighted in a PR.

Let me know what you think

@typescript-bot typescript-bot added the For Uncommitted Bug PR for untriaged, rejected, closed or missing bug label Sep 11, 2020
@tjenkinson tjenkinson force-pushed the package-lock-auto-update branch from 1138d0c to 4b835d4 Compare September 11, 2020 19:45
@tjenkinson tjenkinson force-pushed the package-lock-auto-update branch from 4b835d4 to 72f5d9b Compare September 11, 2020 20:06
@orta
Contributor

orta commented Sep 11, 2020

Thanks, but we already have a working setup for updating our package lock on a weekly basis automatically.

IMO we probably don't want it, this repo is busy enough without all the additional noise that dependabot would add.

@tjenkinson tjenkinson marked this pull request as ready for review September 11, 2020 21:02
@tjenkinson
Contributor Author

@orta fair enough. Ideally there would be no noise from this, like your current solution, except when there are failures, but I don't think it's possible to filter notifications on GitHub PRs like that. Could probably set up an email filter, but it's not ideal.

@tjenkinson
Contributor Author

Actually, it looks like it would be possible to set up email filters based on the user.

@DanielRosenwasser
Member

Unless @amcasey has a specific preference here, I think we'd prefer to have fewer automated PRs in general. It's not as much about notifications, though we'd rather not have to configure that either.

@amcasey
Member

amcasey commented Sep 12, 2020

Not having either user or automated review of these changes was an explicit goal - we wanted to maintain the behavior we used to have with latest, but leave ourselves a breadcrumb for being able to build each commit in the future.

It looks like good thought and work went into this but, unfortunately, I'd have to agree that it isn't something we'd be interested in right now. Thanks though!

Labels
For Uncommitted Bug PR for untriaged, rejected, closed or missing bug