Switch from buildSrc/version.properties to Gradle version catalog (gradle/libs.versions.toml) to enable dependabot to perform automated upgrades on common libs #16284
base: main
Conversation
Signed-off-by: Craig Perkins <[email protected]>
❌ Gradle check result for 724db17: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
I recommend switching from Dependabot to using Mend Renovate. I've outlined several reasons that it's a preferred choice in opensearch-project/.github#97 and added a section to the Maintainer Responsibilities guide here. One of the options of this configuration is to enable auto-merging for a subset of dependencies. I have done so on my own project here.
@peternied has created something similar for dependabot and opensearch-trigger-bot PRs on the security repo. See the automatic-merges workflow here.
… windows had gradle wrapper path Signed-off-by: Craig Perkins <[email protected]>
@cwperks OK, I think I finally glued all the pieces together :D (sorry it took so long). So here are 3 parts (or stages) that we have to go through to have dependency management revamped in favour of using a versions catalog and be dependabot friendly:
Does it make sense? If yes, I would like to ask you to remove
@reta I removed the
@cwperks about that, do you mind if I push a small change to this particular part? I prefer us to not do manual parsing. Thank you.
Go ahead! You can push to any of my PRs ;)
❌ Gradle check result for 5003c97: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
…xtension Signed-off-by: Andriy Redko <[email protected]>
@dblock @dbwiddis @andrross @peternied I think this is the first step in the right direction (to replace ad-hoc version management with Gradle version catalogs, see please the larger picture in #16284 (comment)). Curious what you think, folks, any concerns? LGTM to me, thanks a lot @cwperks!
How are transitive dependencies handled? I've experienced frequent issues in plugins where we need Dependency X which transitively depends on Y. OpenSearch has Y at an earlier version but doesn't have X at all. Will we still be able to force a higher version? Will plugins be able to access the version number that OpenSearch has easily (version catalog) so that we don't have to maintain (synchronized) version bumps ourselves?
Thanks @dbwiddis
If I am not mistaken, this is out of scope of version catalogs BUT is in scope of the individual modules: it all depends on how the module imports the dependency (runtime, compile, ...)
I believe the
Yes! That's the end goal!
🎉
Synced with main to resolve conflicts and ensured the latest versions on main for version.properties are copied to libs.versions.toml.
❌ Gradle check result for ef776e2: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
@reta Is this same error appearing on main?
gradle/libs.versions.toml (outdated)
hamcrest = "2.1"
mockito = "5.12.0"
objenesis = "3.2"
bytebuddy = "1.14.9"
Suggested change:
- bytebuddy = "1.14.9"
+ bytebuddy = "1.15.4"
Maybe more versions need to be reconciled ..
My bad, I did not update the bytebuddy or mockito versions to the latest on main. It's fully reconciled now.
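The reconciliation the last few comments describe (copying the latest versions from buildSrc/version.properties into gradle/libs.versions.toml and catching any entry that drifted, as the bytebuddy and mockito lines did) is easy to get wrong by hand, and a stale pin in either file silently keeps an older artifact in the build. The script below is an added example written for this page, not code from the OpenSearch project or from this PR: it parses both files, reports mismatched and one-sided keys, and exits non-zero so it can sit in CI. Both inputs are constructed samples embedded in-line, and the assumption that a key in version.properties maps one-to-one onto the same key in the catalog's [versions] table is mine.

```python
"""Check that buildSrc/version.properties and gradle/libs.versions.toml agree.

Added example (not OpenSearch project code). Assumes a one-to-one key mapping
between the .properties file and the [versions] table of the catalog.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of buildSrc/version.properties (Java .properties syntax).
VERSION_PROPERTIES = """\
# constructed sample, not the real OpenSearch file
hamcrest  = 2.1
mockito   = 5.14.1
objenesis = 3.2
bytebuddy = 1.15.4
joda      = 2.12.7
"""

# Constructed sample of gradle/libs.versions.toml with two stale pins.
LIBS_VERSIONS_TOML = """\
[versions]
hamcrest = "2.1"
mockito = "5.12.0"     # stale relative to version.properties
objenesis = "3.2"
bytebuddy = "1.14.9"   # stale relative to version.properties

[libraries]
bytebuddy = { module = "net.bytebuddy:byte-buddy", version.ref = "bytebuddy" }
"""

# key = value or key: value; comments start with '#' or '!' in .properties.
_PROP_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(\S+)\s*$")
# key = "value" inside the [versions] table; trailing comments are ignored.
_TOML_RE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*=\s*"([^"]*)"')


def parse_version_properties(text: str) -> Dict[str, str]:
    """Return {key: version} for every non-comment line of a .properties file."""
    versions: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        m = _PROP_RE.match(line)
        if m:
            versions[m.group(1)] = m.group(2)
    return versions


def parse_catalog_versions(text: str) -> Dict[str, str]:
    """Return {key: version} from the [versions] table only (other tables skipped)."""
    versions: Dict[str, str] = {}
    in_versions = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):          # a new table header
            in_versions = stripped == "[versions]"
            continue
        if not in_versions or not stripped or stripped.startswith("#"):
            continue
        m = _TOML_RE.match(line)
        if m:
            versions[m.group(1)] = m.group(2)
    return versions


def reconcile(props: Dict[str, str], catalog: Dict[str, str]
              ) -> Tuple[List[Tuple[str, str, str]], List[str], List[str]]:
    """Return (mismatched [(key, props_ver, catalog_ver)], only_in_props, only_in_catalog)."""
    shared = props.keys() & catalog.keys()
    mismatched = sorted((k, props[k], catalog[k]) for k in shared if props[k] != catalog[k])
    only_in_props = sorted(props.keys() - catalog.keys())
    only_in_catalog = sorted(catalog.keys() - props.keys())
    return mismatched, only_in_props, only_in_catalog


def main() -> int:
    props = parse_version_properties(VERSION_PROPERTIES)
    catalog = parse_catalog_versions(LIBS_VERSIONS_TOML)
    mismatched, only_props, only_catalog = reconcile(props, catalog)
    for key, pv, cv in mismatched:
        print(f"MISMATCH {key}: version.properties={pv} libs.versions.toml={cv}")
    for key in only_props:
        print(f"MISSING in libs.versions.toml: {key}")
    for key in only_catalog:
        print(f"MISSING in version.properties: {key}")
    return 1 if (mismatched or only_props or only_catalog) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the real files by replacing the two embedded strings with the contents read from disk; the non-zero exit is what lets a CI step fail the build while both files are still kept, which is the situation during the migration this PR describes.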
Description
Opening this PR in draft to explore what it will take to enable dependabot to perform automated upgrades on the dependency versions listed in buildSrc/version.properties. This issue came up for discussion on my very first PR on the project: #3772.
Dependabot works on version catalogs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle
To test this I pushed to the main branch of my fork and used Dependabot CLI to run dependabot in a dry-run mode where it displays what PRs would be created without actually creating a PR.
To test, I created a sample dependabot configuration like this:
And ran it with
~/go/bin/dependabot update -f ./.github/dependabot_server.yml
See joda update in the output:
Related Issues
Resolves #3782
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.