-
-
Notifications
You must be signed in to change notification settings - Fork 324
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a lockfile #1337
base: main
Are you sure you want to change the base?
Add a lockfile #1337
Conversation
From a blank build today. Reasons; - basically https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html - frequently we get cargo deny issues pulled in from under us which we have to explain away - contributor confusion; why does this not build? we don't want them to be the first to notice a breaking build, that's CIs job - we can setup dependabot to auto-merge non-breaking changes that pass CI Downsides: - we still have to manually fix up most cargo deny issues - we might get a lot more PRs, but if most are auto-merged that's ok AFAIU non-breaking builds do not need to get pins updated from `Cargo.toml` so this should mostly be a sanity thing for CI and contributors (rather than forcing everyone to bump the dependencies of us). Signed-off-by: clux <[email protected]>
Signed-off-by: clux <[email protected]>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #1337 +/- ##
=====================================
Coverage 72.1% 72.1%
=====================================
Files 75 75
Lines 6377 6377
=====================================
Hits 4597 4597
Misses 1780 1780 |
Re: dependabot, I feel like there should be just a weekly lockfile maintenance which bumps the lockfile to the max dependency versions and not for each dependency individually |
We can do that I believe; weekly interval on dependabot with a grouping on "*" |
Very 👍 on this from me. |
I think this is nice personally also, but we could also get a decent approximation of safety with a daily build. so a couple of things that would be good to get feelings on;
Feel free to leave comments here, but have also added it as an agenda item for tomorrow's meeting :-) |
Why not both? |
From a blank build today. I personally think this makes sense.
Reasons;
Downsides:
AFAIU non-breaking builds do not need to get pins updated from
Cargo.toml
so this should mostly be a sanity thing for CI and contributors (rather than forcing everyone to bump the dependencies of us).Have setup automatic dependency merging in all other kube repos, but those are binaries so it's less scary / controversial. My experience with these have been very positive however, so feel we should probably do this here also.