-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Project Health] Dependency upgrade process #4682
Comments
I think docker image update is a good first candidate, because it is of low possibility to break us on upgrade, also we need the timely vulnerability fixes coming from it. |
There are several main areas that might need updating:
For python (SDK and Visualizations) we already have update scripts. |
@Bobgy Regarding the docker tags, it seems dependabot can already do this. Edit: I just saw that the dependency was in a |
@Bobgy I've created a script that will scan the repository for files named As it stands now, there are about 130 PRs that will be created with this configuration, so it might be advisable to have some form of plan to implement it in stages or be ready to quickly go through lots of the PRs. Another option is to create a target branch for all these PRs so they can be merged into that first rather than master. |
For reference, the PRs that will be created can be seen here: https://github.com/DavidSpek/pipelines/pulls |
To add to the above PRs, by default the dependabot security alerts can only be seen by repo admins. While I understand it might not be desirable to have this information be public (although all it takes is forming the repo to find out), I do think it is important that WG members are able to see the security alerts so they can quickly see what dependabot PRs have a high priority for being merged. I'm not sure how this would work wrt https://github.com/kubeflow/internal-acls, but here are the instructions to do it through the UI: |
@Bobgy, I could be wrong but I believe my PR covers the entire scope of what was described in the original post. If you agree I will change the PR so that it links to this issue and can close it when it gets merged. |
The dashboard is live! |
A remaining configuration thing to discuss is, do we want to pin our dependencies? There are two approaches:
EDIT: if we want to choose 1, we should enable I tend to stay with 1 first, because that's our existing approach. |
Hmm, something doesn't look right. After making this configuration only webdriverio/wdio-selenium-standalone-service, webpack/webpack were updated in npm patch PR. Revising again based on https://docs.renovatebot.com/configuration-options/#rangestrategy |
FWIW I recommend against retaining ranges in |
@rarkins I can see your point, for clarification, we will unnecessarily have specific reasons to stick to certain version of a library for some time. I'd hope such a decision can be represented in a form not coupled to renovate, so that e.g.
If we pin all versions in |
In fact, even with rangeStrategy=update-lock, version update is still very visible thanks to Renovate: #5071. |
TODO: set up a process so people periodically come and fix upgrade problems. |
@Bobgy Any update how Renovate has been working out? Or has everybody been to busy with the upcoming release to go through the dependency updates? |
Yes, everyone has been busy. Will try to resume after release. Anyway, I feel that the dashboard is very helpful. It allowed us to integrate at our own pace. |
Is there a way to allow repository owners (or rather people listed in the OWNERS file) to edit issues? For |
I think the plan is to move notebooks code to kubeflow/notebooks repo, where they can get write permission |
Great! The way I had envisioned the management of the notebook images relies heavily on Renovate and setting that up without the Dependency Dashboard approval feature complicates things a lot as you can image. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
/lifecycle frozen |
Closing this issue. No activity for more than a year. /close |
@rimolive: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
KFP has many dependencies like
Benefits of updating these on a timely manner:
We could stop pinning image versions to try getting above benefits, but this approach makes KFP repo non-deterministic. Tests may start to fail suddenly with no clue when some images released a new tag.
The best long term solution I can imagine is:
We'll likely need to set this up for each type of dependency.
A script that programmatically update a dependency is of higher priority, because so far update efforts have been highly manual and time-costing.
In this approach,
The text was updated successfully, but these errors were encountered: