
RFD 0001: Tooling Requirements #157

Merged
merged 4 commits into from
Oct 20, 2023

Conversation

fheinecke (Contributor)

@fheinecke fheinecke requested review from tcsc, camscale and a team August 29, 2023 21:19
Comment on lines 141 to 143
Historically this repo has used Dependabot to manage dependency updates. Unfortunately, however, Dependabot does not support two key "languages" used by GitHub Actions: actions themselves (used when building composite actions), and Dockerfiles (used when building Dockerfile actions). As a result, [Renovate](https://docs.renovatebot.com/) will be used for new and migrated projects instead. Renovate is highly flexible and can be configured on a per-project basis.

Renovate will be self-hosted and configured to run every 12 hours. Updates for each project should be grouped as much as reasonably possible to reduce the number of PRs opened at any given time. Update PRs will be assigned to code owners for each project. Digest pinning will be used wherever supported.
Contributor

FWIW we had nothing but problems using Renovate to manage dependencies in gravitational/teleport. I would use Dependabot, especially now that it has support for grouping PRs, where possible.

Contributor Author

Oh really? I've had the opposite problem (Dependabot not working as needed where Renovate does) on the cloud-terraform repo (which now uses self-hosted Renovate), and just a few minutes ago on the cloud repo.

What issues have there been with Renovate on gravitational/teleport?

Contributor

  • It was updating the indirect dependencies even though we didn't opt in to the behavior and it's supposed to be disabled by default
  • It pushed updates for major versions even though we explicitly set the disableMajorUpdates preset
  • It didn't always remove the old version, as reported (and ignored) in renovatebot/renovate#19660 ("Go module update didn't remove the old version")
  • It sometimes seemed to make up versions that didn't exist
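
The following is an added example, not the configuration from this repository or from this PR: a repository-level Renovate config that applies the settings described in the RFD excerpt above (only the github-actions and dockerfile managers, one grouped PR per manager and per project, digest pinning, and assignment to code owners). The `projects/<name>/` directory layout and the `example-action` project name are assumed for illustration; Renovate reads this file from `renovate.json5` or `.github/renovate.json5`. The 12-hour cadence is set on whatever invokes the self-hosted Renovate instance, not in this file.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",

  extends: [
    "config:recommended",
    // Rewrite `uses: owner/action@v4` to `uses: owner/action@<sha> # v4.x.y`
    "helpers:pinGitHubActionDigests",
    // Rewrite `FROM image:tag` to `FROM image:tag@sha256:<digest>`
    "docker:pinDigests",
  ],

  // Only the two "languages" the RFD says Dependabot cannot cover.
  // The github-actions manager also matches action.yml/action.yaml files
  // (composite actions), and dockerfile matches Dockerfile/Containerfile.
  enabledManagers: ["github-actions", "dockerfile"],

  // Update PRs go to the owners listed in CODEOWNERS for the touched paths.
  assigneesFromCodeOwners: true,

  packageRules: [
    // Default grouping: one PR per manager across the repository.
    {
      matchManagers: ["github-actions"],
      groupName: "github-actions",
    },
    {
      matchManagers: ["dockerfile"],
      groupName: "dockerfile",
    },
    // Assumed per-project layout: everything under projects/example-action/
    // is grouped into a single PR so that project's owners review once.
    {
      matchFileNames: ["projects/example-action/**"],
      groupName: "example-action",
    },
  ],
}
```

Digest pinning only helps if the pinned SHA is what actually runs: a `uses:` line pinned to a tag can be retargeted by the action's maintainer (or by anyone who takes over the repository), while a pinned commit SHA cannot; the trailing `# v4.x.y` comment that the preset writes is what Renovate later uses to decide when a newer release exists.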

Contributor

@wadells wadells left a comment

Thanks for putting this together!

I've added a first round of quick thoughts. I need to mull over the differences/commonalities between internal golang tooling and our common github actions before I can comment on the structure and requirements.

Contributor

@r0mant r0mant left a comment

Overall proposal lgtm with a couple of questions, I think @camscale and @tcsc need to review this as well.

@tcsc tcsc left a comment

Looks good to me. I would like to see section/example showing how the tooling in this is going to be consumed by other projects.

@orca-security-us orca-security-us bot left a comment

Orca Security Scan Summary

| Check | Status | High | Medium | Low | Info |
|---|---|---|---|---|---|
| Infrastructure as Code | Passed | 0 | 0 | 0 | 0 |
| Vulnerabilities | Failed | 1 | 0 | 0 | 0 |
| Secrets | Passed | 0 | 0 | 0 | 0 |

@fheinecke fheinecke merged commit ce71bd4 into main Oct 20, 2023
5 of 6 checks passed
6 participants