Add a lockfile #1337
Draft
Add a lockfile #1337
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From a blank build today. Reasons; - basically https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html - frequently we get cargo deny issues pulled in from under us which we have to explain away - contributor confusion; why does this not build? we don't want them to be the first to notice a breaking build, that's CIs job - we can setup dependabot to auto-merge non-breaking changes that pass CI Downsides: - we still have to manually fix up most cargo deny issues - we might get a lot more PRs, but if most are auto-merged that's ok AFAIU non-breaking builds do not need to get pins updated from `Cargo.toml` so this should mostly be a sanity thing for CI and contributors (rather than forcing everyone to bump the dependencies of us). Signed-off-by: clux <sszynrae@gmail.com>
Signed-off-by: clux <sszynrae@gmail.com>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #1337 +/- ##
=====================================
Coverage 72.1% 72.1%
=====================================
Files 75 75
Lines 6377 6377
=====================================
Hits 4597 4597
Misses 1780 1780 |
|
Re: dependabot, I feel like there should be just a weekly lockfile maintenance which bumps the lockfile to the max dependency versions and not for each dependency individually |
|
We can do that I believe; weekly interval on dependabot with a grouping on "*" |
clux
added
the
question
|
Very 👍 on this from me. |
|
I think this is nice personally also, but we could also get a decent approximation of safety with a daily build. so a couple of things that would be good to get feelings on;
Feel free to leave comments here, but have also added it as an agenda item for tomorrow's meeting :-) |
|
Why not both? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
From a blank build today. I personally think this makes sense.
Reasons;
Downsides:
AFAIU non-breaking builds do not need to get pins updated from
Cargo.tomlso this should mostly be a sanity thing for CI and contributors (rather than forcing everyone to bump the dependencies of us).Have setup automatic dependency merging in all other kube repos, but those are binaries so it's less scary / controversial. My experience with these have been very positive however, so feel we should probably do this here also.