Update update_dep.sh

[henrybear327]

Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows:

• print out the dependency's version before and after the bump
• check if the dependency is fully indirect
• change the behavior of bumping dependency (doesn't ignore bumping indirect dependency in the go mod files anymore)
• check if all dependencies across all go mod files have the same pinned version respectively after bumping a dependency

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: henrybear327
Once this PR has been reviewed and has the lgtm label, please assign spzala for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[henrybear327]

/cc @ivanvc
/cc @ahrtr
I am not good with bash scripts :(

This is the script that I have been using to bump the dependencies in the past months. Hopefully, it will be helpful for future volunteers before the dependabot is fixed!

[ivanvc]

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

[henrybear327]

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

@ivanvc let's draft the PR and you can probably take over it if you have time to improve it!

Hopefully it's a helpful start otherwise you can trash the PR and start from scratch!

Thanks!

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.80%. Comparing base (ee88ecc) to head (df8c66f).

❗ Current head df8c66f differs from pull request most recent head bba5e87

Please upload reports for the commit bba5e87 to get more accurate results.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

see 27 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #18609      +/-   ##
==========================================
+ Coverage   68.74%   68.80%   +0.05%     
==========================================
  Files         420      420              
  Lines       35523    35523              
==========================================
+ Hits        24422    24440      +18     
+ Misses       9673     9654      -19     
- Partials     1428     1429       +1     

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ee88ecc...bba5e87. Read the comment docs.

[henrybear327]

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

@ivanvc I have fixed the shellcheck errors

Maybe you can see if this is a good enough quality script to consider now!
Thank you!

[ahrtr]

Sometimes we still need bump pure indirect dependency, i.e. due to CVE. A couple of approaches:

• raise a question something "XXX is a pure indirect dependency, Are you sure you want to proceed? (y/n):"
• Or we can just print a warning and automatically continue to execute the script. As mentioned in previous comment, it's up to maintainers/contributors whether to bump a pure indirect dependency. If not, then they shouldn't run this script at all.

[k8s-ci-robot]

@henrybear327: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-etcd-verify	f892b05	link	true	/test pull-etcd-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ivanvc]

Thanks for the pull request, Henry. I haven't had a chance to check it before. I left some comments ✌️

[ivanvc]

By passing --include to the first grep, I don't think you need to pipe the second grep. It won't match go.sum files.

I think your regular expression can be simplified to "${mod} v". I don't see the value of ^.* and .*$, which matches anything before and after. I'd suggest simplifying.

[ivanvc]

With the changes from the top of the file

if [ "$#" -ne 2 ]; then
    echo "Illegal number of parameters"
    exit 1
fi

We will never reach this conditional, as ${ver} will never be empty.

[ivanvc]

Another approach would be to use go list for this, i.e., something like:

local result
result=$(find . -name go.mod | xargs -I{} /bin/sh -c 'cd $(dirname {}); go list -f "{{if eq .Path \"'"${mod}"'\"}}{{.Indirect}}{{end}}" -m all' | sort | uniq)
if [ "$result" = "true" ] ; then
   read -p "Module ${mod} is an indirect dependency. Are you sure you want to update it? [y/N] " -r confirm
   [[ "${confirm,,}" == "y" ]] || exit
else
  echo "Not fully..."
fi

[ivanvc]

Shouldn't we invert these steps? Shouldn't it be first fix, then the dep tests?

[ivanvc]

This also outdates the documentation at the top of the file 😅