76026 Centralized dependabot configuration proposal#8
76026 Centralized dependabot configuration proposal#8chihaiaalex wants to merge 2 commits intomainfrom
Conversation
| | Aspect | A: Push (central script) | B: Pull (scheduled action per repo) | | ||
| |--------|--------------------------|--------------------------------------| | ||
| | **Propagation** | Automatic on merge to main | Scheduled (automatic) + manual dispatch | | ||
| | **Latency** | Immediate on merge | Up to schedule interval (e.g. 1 week) | |
| |--------|--------------------------|--------------------------------------| | ||
| | **Propagation** | Automatic on merge to main | Scheduled (automatic) + manual dispatch | | ||
| | **Latency** | Immediate on merge | Up to schedule interval (e.g. 1 week) | | ||
| | **Per-repo setup** | None (just add to `repos.conf`) | One-time: add ~10-line workflow file | |
There was a problem hiding this comment.
Hard to say which one wins. repos.conf is "out of brain context" when creating new repo but just one line. The workflow in each repo would probably use another shared workflow. Maybe a slight win for push.
| | **Latency** | Immediate on merge | Up to schedule interval (e.g. 1 week) | | ||
| | **Per-repo setup** | None (just add to `repos.conf`) | One-time: add ~10-line workflow file | | ||
| | **Failure isolation** | One script, all-or-nothing per run | Each repo independent | | ||
| | **Visibility** | Central — only in the script repo | Distributed — each repo shows its sync workflow and config | |
There was a problem hiding this comment.
It'll be open source, anyway.
| | **Visibility** | Central — only in the script repo | Distributed — each repo shows its sync workflow and config | | ||
| | **Remembering to run** | Automatic on merge | Automatic on schedule | | ||
| | **New repo onboarding** | Add line to `repos.conf` | Add workflow file to repo | | ||
| | **Existing patterns** | New script | Extends existing shared-workflows pattern | |
There was a problem hiding this comment.
Whatever works, man. I guess a very small win for pull.
| | **Remembering to run** | Automatic on merge | Automatic on schedule | | ||
| | **New repo onboarding** | Add line to `repos.conf` | Add workflow file to repo | | ||
| | **Existing patterns** | New script | Extends existing shared-workflows pattern | | ||
| | **Cross-repo permissions** | Script needs PAT/token for all repos | Each repo's GITHUB_TOKEN may suffice (if pushing to own repo) | |
There was a problem hiding this comment.
Developer account PAT should be avoided if we can. I think the AAA story for the push model needs more detail before the push model can be accepted.
There was a problem hiding this comment.
ok, replaced that with a github app, see authentication section for the push model.
| 1. Templates (one per ecosystem: maven, gradle, pip, github-actions-only) and a repo manifest (`repos.conf`) live in a central repo (e.g. `transitdata-shared-workflows`) | ||
| 2. Two triggers via GitHub Actions: | ||
| - **On merge to main**: Automatically runs the distribution to all repos | ||
| - **On PR (dry-run)**: Validates the change before merging — reports for each repo whether it can be applied cleanly, whether PRs would be needed, and flags any merge conflicts |
There was a problem hiding this comment.
We can probably find a tool to validate the Dependabot yaml content in the CI. What other validation can we do?
|
|
||
| ### How it works | ||
|
|
||
| 1. Templates (one per ecosystem: maven, gradle, pip, github-actions-only) and a repo manifest (`repos.conf`) live in a central repo (e.g. `transitdata-shared-workflows`) |
There was a problem hiding this comment.
As I suggested in https://github.com/HSLdevcom/team-infodevops/pull/6/changes#r2924078338 , I would use just one yaml file everywhere.
| │ ├── gradle.yml | ||
| │ ├── pip.yml | ||
| │ └── github-actions-only.yml | ||
| └── repos.conf # repo-name:template mapping |
There was a problem hiding this comment.
Just a list of repos, if using a single YAML for every microservice.
| │ ├── gradle.yml | ||
| │ ├── pip.yml | ||
| │ └── github-actions-only.yml | ||
| └── repos.conf # repo-name:template mapping |
There was a problem hiding this comment.
Alternative design: Push Dependabot to all non-archived repos owned by our team. If something breaks, create a denylist for those repos.
There was a problem hiding this comment.
I don't personally see an issue with adding a single line to a file, each time we need to setup a new repository.
Is not something that we would do too often.
| | **New repo onboarding** | Add line to `repos.conf` | Add workflow file to repo | | ||
| | **Existing patterns** | New script | Extends existing shared-workflows pattern | | ||
| | **Cross-repo permissions** | Script needs PAT/token for all repos | Each repo's GITHUB_TOKEN may suffice (if pushing to own repo) | | ||
| | **Pre-merge validation** | Dry-run on PR with summary report | No built-in validation | |
There was a problem hiding this comment.
The same validation can be run in the shared workflow in the pull model, right?
There was a problem hiding this comment.
Is just you wouldn't know where to check - you can't know all repos using the shared workflow
haphut
left a comment
haphut
left a comment
There was a problem hiding this comment.
Great starting point for discussion! Please answer the comments or modify accordingly.
2 participants
No description provided.