
improve dependabot config and commit the lockfile #120

Open
wants to merge 4 commits into
base: main
from

Conversation

danieleades
Contributor

commits the Cargo.lock lockfile to version control and updates the dependabot config to limit the 'noise'.

  • committing the lockfile matches the official guidance
  • it provides consistent and deterministic build environments for all contributors and for CI

@danieleades
Contributor Author

I expect the tempo and grouping of updates will need some discussion.


codecov bot commented Jan 4, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.35%. Comparing base (3615030) to head (c7fb779).

@@           Coverage Diff           @@
##             main     #120   +/-   ##
=======================================
  Coverage   87.35%   87.35%           
=======================================
  Files          32       32           
  Lines        3376     3376           
=======================================
  Hits         2949     2949           
  Misses        427      427           
Flag       Coverage Δ
cqrs       84.43% <ø> (ø)
mysql      88.69% <ø> (ø)
postgres   65.58% <ø> (ø)

Flags with carried forward coverage won't be shown.

@danieleades danieleades force-pushed the better-dependabot branch 2 times, most recently from 02dcdc1 to 54482c9 on January 5, 2025 17:00
@danieleades danieleades marked this pull request as draft January 5, 2025 17:06
@danieleades danieleades marked this pull request as ready for review January 6, 2025 15:59
@serverlesstechnology
Owner

What is the argument to commit the lock file here? That feels a little awkward in a library (though it may make sense in the demo).

@danieleades
Contributor Author

> What is the argument to commit the lock file here? That feels a little awkward in a library (though it may make sense in the demo).

There are several arguments, some of which are laid out in this blog post.

Specifically for this project, it means that:

  • different contributors have exactly the same local environment during development
  • the CI environment is using exactly the same dependencies as local development
  • you don't get inadvertent MSRV bumps due to the CI environment resolving newer dependencies than the local lock file
  • the cargo-deny results will match the pinned dependencies until the lock file is updated, not just what happened to get resolved at the time the job ran

The only real downside is a bit more noise from dependabot, but if you like I could add a job for automatically merging dependabot PRs for which all the jobs pass.

Take a look at the config and see if it matches the behaviour you would want. For example I could also make minor updates monthly rather than on demand, etc.

@danieleades
Contributor Author

@davegarred I've added a job which will automatically merge dependabot PRs that pass CI, though I recommend configuring the repo to not allow merging PRs that are not up to date with main before merging this.
