Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding dependabot support #780

Open
wants to merge 4 commits into
base: dev
Choose a base branch
from
Open

Conversation

moazreyad
Copy link
Contributor

Dependabot is a native tool in github that automatically checks the dependencies of the project and creates pull requests for outdated or insecure dependencies. See how it works from here.

Currently it will analyze only the dependencies defined in pom.xml in SINGA because other dependencies are hard coded in configuration or shell scripts which are not supported by this tool. In future commits, the dependencies will be moved to standard files such as python requirements.txt so that they become available to dependabot and similar tools.

@nudles
Copy link
Member

nudles commented Aug 30, 2020

shall we move all CI functions from travis to github to avoid the duplicated testing?

@moazreyad
Copy link
Contributor Author

shall we move all CI functions from travis to github to avoid the duplicated testing?

Yes, I will create another PR for the work in progress on replacing travis with github actions.

@moazreyad moazreyad marked this pull request as draft August 30, 2020 10:59
@moazreyad moazreyad marked this pull request as ready for review August 30, 2020 17:31
@moazreyad
Copy link
Contributor Author

Both java and python dependencies are enabled now. Dependabot will check python daily and java monthly. It will create a PR for upgrade insecure or outdated dependencies in SINGA like this java PR and this python PR.

notes:

  • Dependabot works only on the master branch. It will be enabled after merging with master.
  • The proposed requirements.txt for python is not complete. Later we need to add all the requirements for all the configurations.

@moazreyad moazreyad requested a review from nudles August 30, 2020 17:37
@nudles
Copy link
Member

nudles commented Sep 27, 2020

let's consider this PR in the next version.
Now we support both conda and pip.
One potential issue is that protocol buffer (PB) is not backward compatible.
If there is a new version of PB, we may have to update many dependent libs to remove the warnings from the dependent bot.

@moazreyad
Copy link
Contributor Author

let's consider this PR in the next version.

Ok. Although we can at least enable the dependabot support and badge, even though we don't resolve the problems that dependabot report. Just like we enabled lgtm but we don't have to fix all its errors, and we enabled codecov but we don't have to test with 100% coverage.

One potential issue is that protocol buffer (PB) is not backward compatible.
If there is a new version of PB, we may have to update many dependent libs to remove the warnings from the dependent bot.

We don't have to update immediately all the dependencies that dependabot found obsolete or insecure. At least we can have the results of the dependency analysis and the singa team can decide the work priorities. The PB team are working now on a release candidate for version 4 and planning to upgrade singa PB to at least version 3 can be useful.

Now we support both conda and pip.

We don't support machine readable requirements that can be found by Github tools. The instructions to installing singa dependencies with pip is only human readable in the web site documentation, or in the conda scripts. We need to extract these dependencies into something like requirements.txt so that Github (and other tools) can find them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants