Ok, this PR started off with me just wanting to add support for signing-off dependency upgrade PRs. This is done by passing the `signoff` argument to the [action](https://github.com/peter-evans/create-pull-request#action-inputs).
This is necessary for projects that want to enable the [DCO](https://github.com/apps/dco) check, i.e. every CNCF project.
> For example: https://github.com/cdk8s-team/cdk8s-core/pull/68
The problem is that with the current API, enabling this sign-off would require something like:
```ts
depsUpgrade: DependenciesUpgradeMechanism.githubWorkflow({
  signoff: true,
}),
```
Which seems fairly ok. Problem is that once we provide a value to `depsUpgrade`, all its default values are no longer being applied, and those defaults are important. So in reality, this would actually require:
```ts
depsUpgrade: DependenciesUpgradeMechanism.githubWorkflow({
  signoff: true,
  ignoreProjen: false,
  workflowOptions: {
    labels: ['auto-approve'],
    secret: 'PROJEN_GITHUB_TOKEN',
    container: {
      image: 'jsii/superchain',
    },
  },
}),
```
Which is really painful.
One option would be to keep the `DependenciesUpgradeMechanism` API and make it so user-defined values are merged with default values, instead of overwriting them. This has some unnatural implications on the implementation, and is starting to become a code smell.
We've briefly discussed our discontent with the `DependenciesUpgradeMechanism` API in the past and I figured now is a good time to re-evaluate it.
The simplest and most straightforward API I came up with at the moment looks like so:
```ts
depsUpgrade: true, // not required - just here for demonstration
depsUpgradeOptions: {
  signoff: true,
},
```
Basically the change is to get rid of this custom `DependenciesUpgradeMechanism` class and allow passing its options directly. This is easier to configure since it doesn't require an additional import in `.projenrc`, and is consistent with the API we currently provide for dependabot (i.e. [`dependabot`](https://github.com/projen/projen/blob/main/src/node-project.ts#L129) and [`dependabotOptions`](https://github.com/projen/projen/blob/main/src/node-project.ts#L137)).
I know we are doing our best to maintain backwards compatibility, but doing so in this case doesn't feel right; it will conflate the configuration too much and introduce awkward and bug-prone implementation code. So I opted to break the API and throw an error linking to migration instructions for those who were explicitly configuring `depsUpgrade`.
In the future we should think of a better way to collapse `dependabot` and `depsUpgrade` to a more ergonomic API.
--------------------
BREAKING CHANGE: `depsUpgrade` is now a `boolean` indicating whether or not to enable dependency upgrades (defaults to `true`). Options that were previously passed to `DependenciesUpgradeMechanism.githubWorkflow()` can now be directly passed to `depsUpgradeOptions`, and options passed to `DependenciesUpgradeMechanism.dependabot()` should now be passed to `dependabotOptions`, which is no longer deprecated.
---
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
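
The defaults problem described in this PR, as an added example that is not part of the original description and is not projen's code: a hypothetical model contrasting wholesale replacement of the options object with per-field defaulting, using the default values quoted above. The type and function names are assumptions, and how projen itself resolves `depsUpgradeOptions` is not shown on this page.

```typescript
// Hypothetical model of the option handling discussed above; not projen's code.
interface WorkflowOptions {
  labels?: string[];
  secret?: string;
  container?: { image: string };
}
interface UpgradeOptions {
  signoff?: boolean;
  ignoreProjen?: boolean;
  workflowOptions?: WorkflowOptions;
}

// Default values as quoted in the PR description.
const DEFAULTS: UpgradeOptions = {
  ignoreProjen: false,
  workflowOptions: {
    labels: ['auto-approve'],
    secret: 'PROJEN_GITHUB_TOKEN',
    container: { image: 'jsii/superchain' },
  },
};

// Replacement semantics: any user-supplied object displaces every default.
function resolveReplacing(user?: UpgradeOptions): UpgradeOptions {
  return user ?? DEFAULTS;
}

// Per-field semantics (assumed): user values are layered over the defaults,
// one level deep for workflowOptions so a partial override keeps the rest.
function resolveMerging(user: UpgradeOptions = {}): UpgradeOptions {
  return {
    ...DEFAULTS,
    ...user,
    workflowOptions: { ...DEFAULTS.workflowOptions, ...user.workflowOptions },
  };
}

// Names of the defaults that a resolved configuration no longer carries.
function droppedDefaults(resolved: UpgradeOptions): string[] {
  const dropped: string[] = [];
  if (resolved.ignoreProjen === undefined) dropped.push('ignoreProjen');
  const wf = resolved.workflowOptions ?? {};
  for (const key of ['labels', 'secret', 'container'] as const) {
    if (wf[key] === undefined) dropped.push(`workflowOptions.${key}`);
  }
  return dropped;
}
```

Calling `droppedDefaults(resolveReplacing({ signoff: true }))` lists the token secret, the approval label and the container image as missing, which is why enabling sign-off alone under replacement semantics would silently change how the upgrade workflow authenticates and runs.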