On Fri, 3 Sept 2021 at 00:16, Olivier Lamy <ol...@apache.org> wrote:
>
> So what happens here?
> If I understand correctly dependabot creates a branch in a fork repository
> with a commit then this commit is merged back to the Apache GitHub repo by
> a committer.
>
> In the previous model dependabot created a branch in the Apache GitHub repo
> then a committer merged this back to master or any other branch.
>
> In both cases there is a commit by a bot which has been merged by a
> committer.
>
> What is exactly the difference at the end?

The ASF repo has been changed by a bot.

The bot should not be able to update the ASF repo, even if it does so
in a separate branch.

Maybe we should allow anyone to create their own branch in our repos.
So long as the code was not merged into one of our branches, would
that be a problem?
(Rhetorical question)

> On Fri, 3 Sep 2021 at 8:19 am, David Jencks <david.a.jen...@gmail.com>
> wrote:
>
> > After thinking about it for a couple of minutes I’m fully behind Apache
> > policy forbidding automated commits to an Apache repository. If Eclipse
> > allows such commits I’d rather suspect they haven’t noticed them.
> >
> > Assuming that dependabot can’t deal with making its branch in a separate
> > repo it might be possible to make something like this work:
> >
> > 1. Someone forks the Apache repo.
> > 2. Use something like
> > https://mathieu.carbou.me/post/649318432483033088/automatic-fork-syncing-with-github
> > to keep this fork up to date with the Apache repo.
> > 3. Run dependabot on this fork.
> >
> > In these circumstances I’m not sure what the target of the dependabot PR
> > would be or, if it’s the fork, how hard it would be to make a PR to the
> > Apache repo.
> > 4. Do something to apply the dependabot PR/changes to the apache repo.
> >
> > David Jencks
> >
> > > On Sep 2, 2021, at 2:48 PM, Olivier Lamy <ol...@apache.org> wrote:
> > >
> > > Hi,
> > > Really? This sounds like a productivity killer to remove such a feature...
> > > the bot never writes to the master branch; it just creates a branch and PR
> > > which need to be validated/merged by a valid committer.
> > > FYI the Eclipse Foundation definitely accepts this without problem so I guess
> > > we have a similar level of source management.
> > >
> > >
> > >
> > > On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com> wrote:
> > >
> > >> I am missing something here: the whole point of dependabot is that it
> > >> creates a branch in GitHub, runs a build, and creates a PR. If you like the
> > >> results, you can click merge, a huge time saver.
> > >>
> > >> I really don't want to lose this killer feature.
> > >>
> > >> Gary
> > >>
> > >> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
> > >>
> > >>> Third party write access to code repositories is expressly forbidden by
> > >>> Foundation policy:
> > >>>
> > >>> https://infra.apache.org/repository-access.html
> > >>>
> > >>>
> > >>>
> > >>> Infra has worked with GitHub to prevent dependabot from being able to
> > >>> write to our repos, but it appears that it is still able to under some
> > >>> circumstances. We will open yet another support case with GitHub regarding
> > >>> this.
> > >>>
> > >>> Here is an example of a third party commit:
> > >>>
> > >>> https://github.com/apache/commons-io/pull/264
> > >>>
> > >>>
> > >>>
> > >>> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
> > >>>
> > >>>
> > >>> This write access to commons-io appears to be in violation of the
> > >>> aforementioned policy.
> > >>>
> > >>> Dependabot's email alerts are currently the only acceptable method for
> > >>> working with the tool.
> > >>>
> > >>>
> > >>> -Chris
> > >>> ASF Infra
> > >>>
> > >>>
> > >>>
> > >>>> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> > >>>>
> > >>>> The Apache git repo must be mirrored from Apache to GitHub, for example
> > >>>> https://github.com/apache/commons-io, then you add a .github folder and
> > >>>> files (see above link).
> > >>>>
> > >>>> Gary
> > >>>>
> > >>>> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
> > >>>>
> > >>>>> Thanks Gary and Sebb.
> > >>>>> How do I turn dependabot on? Last time I tried I was informed that due
> > >>>>> to the program requiring write permissions to the repository, it wasn’t
> > >>>>> possible…
> > >>>>> This policy must have changed…
> > >>>>> Thanks for any info.
> > >>>>> lewismc
> > >>>>>
> > >>>>> On 2021/08/29 14:42:00 Gary Gregory wrote:
> > >>>>>> Most of Apache Commons' components are happy users of Dependabot, which
> > >>>>>> is used on our GitHub mirrored repositories.
> > >>>>>>
> > >>>>>> Gary
> > >>>>>>
> > >>>>>>
> > >>>>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
> > >>>>>>
> > >>>>>>> Hi builds@,
> > >>>>>>> I was advised to ask my question here instead of general@incubator.
> > >>>>>>> Thanks for any feedback
> > >>>>>>>
> > >>>>>>>> I understand that we cannot use automated tooling, specifically
> > >>>>>>>> Dependabot (https://dependabot.com/) because it requests write access
> > >>>>>>>> to the ASF project source code.
> > >>>>>>>> I have found this functionality to be really useful and wondered if
> > >>>>>>>> there are any suggestions out there for automating the dependency
> > >>>>>>>> management workflow?
> > >>>>>>>> Thanks for any feedback.
> > >>>>>>>> lewismc
> > >>>>>>> --
> > >>>>>>> http://home.apache.org/~lewismc/
> > >>>>>>> http://people.apache.org/keys/committer/lewismc
> > >>>>>>>
> > >>>>>>
> > >>>>>
> > >>>
> > >>>
> > >>
> > >
> > >
> > > --
> > > Olivier Lamy
> > > http://twitter.com/olamy | http://linkedin.com/in/olamy
> >
> --
> Olivier Lamy
> http://twitter.com/olamy | http://linkedin.com/in/olamy
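
As an added example, not part of this thread and not ASF infra's own tooling: a check for the kind of third-party write Chris describes, flagging any commit on any ref of a mirrored repo whose author or committer is a bot account (the merged-by-a-committer case Olivier raises is reported too, since the bot still authored the commit). The bot-identity heuristics and the sample log records are constructed for this example; the input format is the output of `git log --all --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%D'`.

```python
import re
import subprocess
from dataclasses import dataclass

GIT_FORMAT = "%H%x09%an%x09%ae%x09%cn%x09%ce%x09%D"  # sha, author, committer, ref decorations
# Assumed heuristics: GitHub App identities carry a "[bot]" suffix in the name
# and in the noreply address; "dependabot" is listed explicitly as well.
BOT_NAME_RE = re.compile(r"\[bot\]$|^dependabot(-preview)?$", re.IGNORECASE)
BOT_EMAIL_RE = re.compile(r"\[bot\]@users\.noreply\.github\.com$", re.IGNORECASE)

@dataclass
class Finding:
    sha: str
    author: str
    committer: str
    refs: str
    bot_author: bool
    bot_committer: bool

def is_bot(name: str, email: str) -> bool:
    """True when the display name or the e-mail looks like an automated account."""
    return bool(BOT_NAME_RE.search(name.strip()) or BOT_EMAIL_RE.search(email.strip()))

def audit(log_lines):
    """One Finding per record whose author or committer is a bot, in log order."""
    findings = []
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 5:
            continue  # blank or malformed record: skip rather than guess
        sha, an, ae, cn, ce = parts[:5]
        refs = parts[5] if len(parts) > 5 else ""
        bot_a, bot_c = is_bot(an, ae), is_bot(cn, ce)
        if bot_a or bot_c:
            findings.append(Finding(sha, f"{an} <{ae}>", f"{cn} <{ce}>", refs, bot_a, bot_c))
    return findings

def audit_repo(path="."):
    """Run the audit over all refs of a real checkout (every branch, not only master)."""
    cmd = ["git", "-C", path, "log", "--all", f"--format={GIT_FORMAT}"]
    return audit(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines())

# Constructed sample records (not real commits): a bot-created branch, a
# bot-authored commit merged to master by a committer, and an ordinary commit.
BOT = "dependabot[bot]\t0+dependabot[bot]@users.noreply.github.com"
SAMPLE_LOG = [
    f"a1\t{BOT}\t{BOT}\tdependabot/maven/example-1.2.3",
    f"b2\t{BOT}\tJane Committer\tjane@apache.org\tHEAD -> master",
    "c3\tJane Committer\tjane@apache.org\tJane Committer\tjane@apache.org\t",
]
```

`audit_repo()` shells out to git for a real checkout; `audit(SAMPLE_LOG)` runs offline on the constructed records.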
