
Reduce noise from renovate #79

Open
NoxHarmonium opened this issue Aug 12, 2022 · 3 comments
Labels
tech-debt Does not affect the end user, but impedes development of the plugin

Comments

@NoxHarmonium
Contributor

Some libraries like aws-sdk get tiny updates every day. This leads to a lot of PRs being created, a lot of Github notifications and lots of build hours.

I'm on the fence on whether we:

  1. Just deal with the noise (e.g. put in inbox rules to stash away dependency update PRs into a special folder which is easier to ignore)
  2. Batch up the updates into a weekly digest (or similar)

Option 1 is good because we will get critical security updates as soon as possible and we reduce the risk of having to disentangle a PR that fails where multiple dependencies were updated.

Option 2 is good to reduce the number of build hours we consume, and less noise means we can probably find more time to actually review what is getting updated.

I think we just leave it for now but happy to update the renovate config if anyone else thinks it's a good idea. Otherwise I might just close this after a while.

@dspasojevic
Contributor

We can safely configure renovate to batch updates to 1x or 2x per week. I don't remember if renovate allows you to break the schedule for updates that address CVEs.

It is somewhat academic, because we aren't managing CVEs actively anyway, but it would be interesting to know how it would work.

@NoxHarmonium
Contributor Author

Oh I just realised that open source repos seem to get unlimited build hours.

From https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions

GitHub Actions usage is free for both public repositories and self-hosted runners.

That seems too good to be true. I guess that is a point in favour of just leaving the renovate config.

@NoxHarmonium
Contributor Author

NoxHarmonium commented Aug 12, 2022

We can safely configure renovate to batch updates to 1x or 2x per week. I don't remember if renovate allows you to break the schedule for updates that address CVEs.

It looks like you can actually provide a different config if there are vulnerability alerts which is cool:

E.g.

{
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true,
    "assignees": ["@rarkins"]
  }
}

https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts

renovatebot/renovate#1567

It uses Github's security tracker. I don't like the sound of this though:

There's a small chance that an incorrect vulnerability alert could result in flapping/looping vulnerability fixes, so observe carefully if enabling automerge.

I guess if we wanted to be more serious about tracking vulnerabilities we might use something like the free version of https://snyk.io

@NoxHarmonium NoxHarmonium added the tech-debt Does not affect the end user, but impedes development of the plugin label Aug 22, 2022
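For reference, the two options discussed in this thread (batching routine updates weekly while still letting vulnerability fixes through immediately) can be expressed in a single Renovate config. The config below is an added illustration, not the configuration this repository uses and not code from Renovate's own docs; it assumes a JavaScript project that depends on `aws-sdk` and the `@aws-sdk/*` packages, and the Monday schedule, the `aws-sdk` group name and the `security` label are choices made here rather than values from the page. `automerge` is deliberately left off for vulnerability PRs because of the flapping/looping caveat quoted above.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],

  "schedule": ["before 5am on monday"],

  "packageRules": [
    {
      "description": "Assumed grouping: fold the daily aws-sdk bumps into one PR",
      "matchPackagePatterns": ["^aws-sdk$", "^@aws-sdk/"],
      "groupName": "aws-sdk"
    }
  ],

  "vulnerabilityAlerts": {
    "schedule": ["at any time"],
    "labels": ["security"],
    "automerge": false
  }
}
```

With this in place routine updates (including the grouped aws-sdk PR) only open during the Monday window, while a dependency that has a GitHub vulnerability alert gets its own PR as soon as Renovate sees the alert, labelled `security` so it can be triaged ahead of the rest. Because the alert-driven PR is not automerged, a false alert can at worst produce a noisy PR rather than a loop of merged and reverted fixes.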