Add dependabot and upgrade golang and dependency versions #3
Conversation
djdongjin
commented
Dec 26, 2024
•
djdongjin
commented
- Add dependabot CI.
- Update golang to 1.21.
djdongjin
force-pushed
the
add-dependabot-ci
branch
3 times, most recently
from
3c46bb8 to
9ba4531
Compare
|
Hi @klihub could you PTAL this PR? thank you! |
djdongjin
force-pushed
the
add-dependabot-ci
branch
from
9ba4531 to
023071a
Compare
djdongjin
changed the title
djdongjin
changed the title
djdongjin
force-pushed
the
add-dependabot-ci
branch
9 times, most recently
from
5cffa2a to
02847f8
Compare
| go.opentelemetry.io/otel v1.29.0 | ||
| go.opentelemetry.io/otel/metric v1.29.0 | ||
| go.opentelemetry.io/otel/sdk v1.29.0 | ||
| go.opentelemetry.io/otel/trace v1.29.0 |
There was a problem hiding this comment.
Since this lib is mainly related to otel, I think we should use relatively newer version of otel libs?
I upgrade to 1.29.0 since that's the latest one requiring go 1.21.
1.30.0 - 1.33.0 all use go 1.22 at least.
Please let me know if the current change is okay, or we should just go to otel 1.33.0 1.31.0 and go 1.22 (same as containerd) .
There was a problem hiding this comment.
I think regarding otel, we should make sure that we don't try to force a newer minimal version than what is in use in containerd or in CRI-O.
There was a problem hiding this comment.
I think regarding otel, we should make sure that we don't try to force a newer minimal version than what is in use in containerd or in CRI-O.
yeah make sense. (and we should apply this to all/most deps? i.e., deps should be lower/equal than the ones in cri-o/containerd).
for otel, containerd is using 1.31.0, cri-o 1.33.0, so bumping to 1.29.0 should be okay?
There was a problem hiding this comment.
Hmm, in 2.x we have 1.31.0 but then on the 1.7.x branch we have 1.21.0. But, I'm not sure if we should care about that... Currently otelttrpc is not used on the 1.7 branch.
There was a problem hiding this comment.
yeah make sense. (and we should apply this to all/most deps? i.e., deps should be lower/equal than the ones in cri-o/containerd).
Yes, I think we should try to use this for all deps.
There was a problem hiding this comment.
But, I'm not sure if we should care about that... Currently otelttrpc is not used on the 1.7 branch.
Yeah I also noticed that. I think we only apply important bug/security fixes for backporting to active branches, so it shouldn't matter? 🤔 but please let me know if there are other concerns.
Yes, I think we should try to use this for all deps.
Agreed. Also on the dependabot change in this PR. I think it's still useful for detecting security issues in deps, we don't need to proactively merge those PRs and we can reduce number of PRs generated. But let me know if we want it or not for go deps :)
djdongjin
force-pushed
the
add-dependabot-ci
branch
from
02847f8 to
0134541
Compare
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
Signed-off-by: Jin Dong <djdongjin95@gmail.com>
djdongjin
force-pushed
the
add-dependabot-ci
branch
from
0134541 to
2d46141
Compare
