gh: Use renovate to update dependencies #9850
Conversation
This change moves github actions updating to renovate and adds monitoring of vendored dependencies as well as automatically providing the code needed for the update.
CT Test Results 3 files 142 suites 49m 49s ⏱️ Results for commit d813159. ♻️ This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally. Artifacts// Erlang/OTP Github Action Bot |
| "\"downloadLocation\"\\s*:\\s*\"https://github.com/(?<depName>[^/]+/[^/\"]+)\"[\\s\\S]*?\"versionInfo\"\\s*:\\s*\"(?<currentValue>[^\"]+)\"" | ||
| ], | ||
| "datasourceTemplate": "github-tags", | ||
| "depNameTemplate": "{{{depName}}}" |
There was a problem hiding this comment.
| "depNameTemplate": "{{{depName}}}" | |
| "depNameTemplate": "{{depName}}" |
| @@ -10,7 +10,7 @@ | |||
| "ID": "erts-pcre2", | |||
| "description": "PCRE2 library", | |||
| "copyrightText": "NOASSERTION", | |||
| "downloadLocation": "git+https://github.com/PCRE2Project/pcre2.git", | |||
| "downloadLocation": "https://github.com/PCRE2Project/pcre2", | |||
| else | ||
| git commit -m "Update vendored dependencies per vendor.info" | ||
| fi | ||
| echo "✅ Pushing $(git rev-parse HEAD) to $(git for-each-ref --format='%(push:short)' refs/heads/$(git symbolic-ref --short HEAD))" |
There was a problem hiding this comment.
the format option %(push:short) may not display anything at all. I think we should go for something that displays where things are going to be pushed.
In my setup, I get the pushing to but empty string in the to parameter.
| git commit -m "Update vendored dependencies per vendor.info" | ||
| fi | ||
| echo "✅ Pushing $(git rev-parse HEAD) to $(git for-each-ref --format='%(push:short)' refs/heads/$(git symbolic-ref --short HEAD))" | ||
| git push |
There was a problem hiding this comment.
if we want to test this script locally, maybe it makes sense to add an option / env var to specify that no remote action will be taken? I mention this because the SBOM is already split between ORT and REUSE scripts, and getting an SBOM locally is not a one-command line, i.e., one needs to read the main.yml to see how things execute on github to be able to reproduce them locally.
I would like to be able to test things locally as well, gaining reproducibility
| @@ -76,24 +79,26 @@ incorporate them into to_chars.h. | |||
|
|
|||
| Once done, update xcharconv_ryu.h.sha with the new sha. i.e. | |||
|
|
|||
| echo "${STL_SHA}" > ${ERL_TOP}/erts/emulator/ryu/xcharconv_ryu.h.sha | |||
| echo "${STL_CHARCONV_SHA}" > ${ERL_TOP}/erts/emulator/ryu/xcharconv_ryu.h.sha | |||
There was a problem hiding this comment.
if the update-vendored-deps.sh is going to run the updates, then some script should do this update for the ${ERL_TOP}/erts/emulator/ryu/xcharconv_ryu.h.sha, isn't it?
| ## Update vendor info | ||
| COMMENTS=$(cat vendor.info | grep "^//") | ||
| NEW_VENDOR_INFO=$(cat vendor.info | grep -v "^//" | jq "map(if .ID == \"erts-ryu\" then .versionInfo = \"${SHA}\" | .sha = \"${SHA}\" else . end)") | ||
| NEW_VENDOR_INFO=$(echo "${NEW_VENDOR_INFO}" | jq "map(if .ID == \"erts-ryu-to_chars\" then .versionInfo = \"${STL_VSN}\" | .sha = \"${STL_SHA}\" else . end)") | ||
| NEW_VENDOR_INFO=$(echo "${NEW_VENDOR_INFO}" | jq "map(if .ID == \"ryu-to_chars\" then .versionInfo = \"${STL_VSN}\" | .sha = \"${STL_SHA}\" else . end)") |
There was a problem hiding this comment.
I think we should document somewhere how the update scripts work, overall, and not just ryu.
- If someone wants to update vendor dependencies, we should document that this can be done calling
update-vendored-deps.shinstead of each individualupdate.shfile, - that a
.githubtokenfile must exist "somewhere" as a requirement, in order to run it locally, - that
update.shfiles will do a commit and update thevendor.infofiles, - the
<vendor>.shais there only for documentation purposes, and update-vendored-deps.shshould run in local mode if you run it outside Github CI/CD, which avoids pushing to remote (default flag should be to run without push, so that only when we run in Github CI/CD we pass the flag to push, which is safer default than the opposite).
Maybe I am overthinking this, but there is a connection between scripts that we will forget with time.
If the scripts do not work, we should understand how to fix it in 1 min and its connection
| /* | ||
| %CopyrightBegin% | ||
|
|
||
| SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| Copyright Ericsson AB 2025. All Rights Reserved. | < 8000 /tr>||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
|
|
||
| %CopyrightEnd% | ||
| */ |
There was a problem hiding this comment.
This file may need to be added to the documentation mentioned before.
Simply because we hard-code vendor names, which means that the addition of any new vendor library must update this file as well. Without this being written down, we will surely forget (we will possibly forget even if written down, but at least there are steps on how to proceed)
There was a problem hiding this comment.
We should also mention that this runs as a Github App, instead of CI action.
This change moves github actions updating to renovate and adds monitoring of vendored dependencies as well as automatically providing the code needed for the update.