Use renovate for automatic dependency updates #33386

Open

TheFox0x7 opened this issue Jan 25, 2025 · 5 comments
Labels
proposal/accepted We have reviewed the proposal and agree that it should be implemented like that/at all. type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@TheFox0x7
Contributor

Feature Description

Filing this as a follow-up to my question on Discord. It's not for Gitea but for this repository.

At the very least I think it might help track dependencies and when they get version updates which are of some interest - at the cost of the noise in PRs.


@TheFox0x7 TheFox0x7 added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Jan 25, 2025
@wxiaoguang
Contributor

at the cost of the noise in PRs.

Yup, that's the problem... too noisy, and there will be a lot of "dependency-only commits".

I think most current maintainers prefer to keep current "manually update dependency" at the moment.

@wxiaoguang
Contributor

Some more background: there are so many dependencies, so it's really difficult to figure out every change in them.

For example: Rocky Linux 9 (Fedora 34) cannot recognize the signature added by Gitea #33296

Even if we could have something like "renovate" to propose dependency updates one by one, without a full understanding of every line of changed code, it's impossible to know that there is a breaking change in ProtonMail/go-crypto and that it really affects the RPM signing in Gitea. So I think "updating all dependencies together regularly" is not bad at the moment. At least, we could trust that the 3rd-party packages should be stable.

@lunny
Member

lunny commented Jan 25, 2025

A low-frequency pull request schedule could be considered, such as allowing one PR every two weeks.

@silverwind
Member

silverwind commented Jan 26, 2025

  1. I prefer to test dependency updates manually. Especially in the frontend, there are almost no functionality tests, necessitating manual testing.
  2. Many dependency updates require changes in the code (eslint plugins adding new rules, for example); the bot would not do them, creating extra work.
  3. It needs a way to pin certain dependencies, currently done here for JS: https://github.com/go-gitea/gitea/blob/main/updates.config.js

I feel like introducing an updater tool would introduce a bad culture of blindly merging these PRs, especially if they come too frequently. I'd say at minimum we want one PR every 2-4 weeks.

@silverwind
Member

silverwind commented Jan 27, 2025

So as a start, I suggest configuring a bot that raises PRs to update the golang dependencies in go.mod/go.sum every 2 weeks. These are sufficiently tested, so it should be pretty safe.

@silverwind silverwind added the proposal/accepted We have reviewed the proposal and agree that it should be implemented like that/at all. label Jan 27, 2025
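The accepted proposal (Go-only, grouped into one PR on a slow schedule, with a way to pin specific modules) can be expressed as a Renovate repository config. The following `renovate.json5` is an added example written for this thread, not a file from the Gitea repository or from the Renovate project. The option names (`enabledManagers`, `schedule`, `packageRules`, `groupName`, `matchPackageNames`, `enabled`, `postUpdateOptions`, `prConcurrentLimit`) are documented Renovate options; the monthly schedule phrase is assumed to be accepted by Renovate's schedule parser, and the pinned module `github.com/ProtonMail/go-crypto` is a hypothetical placeholder chosen because the thread cites it as a package whose upstream change broke RPM signing.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Only let Renovate touch go.mod/go.sum. JS, Docker, and GitHub Actions
  // dependencies stay on the existing manual update process.
  "enabledManagers": ["gomod"],

  // Low-frequency schedule so reviewers are not flooded with bot PRs.
  // Assumed schedule phrasing; "monthly" sits inside the 2-4 week window
  // discussed above. Adjust to taste if a 2-week cadence is preferred.
  "schedule": ["on the first day of the month"],

  // Never have more than one open bot PR at a time: the next batch waits
  // until the previous one is merged or closed.
  "prConcurrentLimit": 1,

  // Run `go mod tidy` after bumping versions so go.sum stays consistent
  // and indirect requirements are pruned.
  "postUpdateOptions": ["gomodTidy"],

  "packageRules": [
    {
      // Roll every Go module bump into a single grouped PR, matching the
      // "update all dependencies together regularly" practice.
      "matchManagers": ["gomod"],
      "groupName": "Go dependencies",
      "groupSlug": "go-deps"
    },
    {
      // Pinning example (hypothetical): exclude a module from automatic
      // bumps so a maintainer can review its breaking changes by hand.
      // Disabling the rule for a package leaves it untouched by Renovate;
      // the manual update path still applies.
      "matchPackageNames": ["github.com/ProtonMail/go-crypto"],
      "enabled": false
    }
  ]
}
```

With `groupName` set, a single PR carries every module bump; reviewers should still read the grouped changelog rather than treat the bot's green CI as a sign-off, since the go-crypto case above shows that a semver-compatible bump can still change behaviour that only an integration test (here, RPM signature verification on an older distro) would catch. The `enabled: false` rule is the Go-side equivalent of the JS pin list in `updates.config.js`: it keeps the module where it is until someone removes the rule deliberately.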