One more idea that I forgot to mention: We can have Dependabot automatically create a pull request whenever a vulnerability is discovered.
On Wed, Jul 14, 2021 at 8:42 AM Wei-Chiu Chuang <weic...@cloudera.com> wrote:

> So this is just up for discussion and welcome more brainstorming. I'm not saying I'll go ahead with adding them immediately :)
> Appreciate comments especially from those who have already used those tools and had success with them.
>
> On the GitHub add-ons,
>
> There are a number of GitHub apps that look useful.
>
> https://github.com/marketplace/actions/close-stale-issues
> this one closes stale issues and PRs.
>
> https://github.com/marketplace/commit-message-lint
> ensure commit message format. Not sure if it applies to user-level or project-level, I imagine it can enforce each commit to have a JIRA id in the message.
>
> and a number of code coverage tools.
>
> As for the effort,
> Ozone runs SonarQube check in post-commit. It doesn't "fail" your precommit check. It just uploads the results to SonarCloud. Anyone interested can look up the report there.
> Here is an example: https://sonarcloud.io/dashboard?id=hadoop-ozone
>
> On Tue, Jul 13, 2021 at 9:32 PM Ahmed Hussein <a...@ahussein.me> wrote:
>
>> Hi Wei-Chiu,
>>
>> Thanks for sharing your experience working on other projects.
>> The Jira related suggestions sound very useful. The extra fields work very well for us in our internal Jira system at Yahoo.
>> In addition to your suggestions, is it possible to revisit the labels/components in Jira? If we can set a quick guide on how to label the most common types of Jiras, then this will be of great help to browse the system.
>>
>> Regarding the Webhook and GitHub related suggestions, I am a little bit concerned about the extra work it will add compared to their benefits.
>>
>> - Credit goes to all the contributors who work on maintaining Yetus and the CI/CD for the current branches.
>>   Do we have any bandwidth to support the new GitHub webhooks?
>> - Just for discussion: is integrating SonarQube worth the effort of supporting the GitHub webhooks? SonarQube is a double-edged weapon and it needs dedicated man hours to weed out the way through the reports.
>>
>> On Mon, Jul 12, 2021 at 11:18 PM Wei-Chiu Chuang <weic...@apache.org> wrote:
>>
>>> Here's another one:
>>>
>>> We can update the JIRA workflow and add more states. For example, Cassandra has "Review in Progress" and "Need Reviewer" states. INFRA-22049 <https://issues.apache.org/jira/browse/INFRA-22049>
>>>
>>> On Tue, Jul 13, 2021 at 11:34 AM Wei-Chiu Chuang <weic...@apache.org> wrote:
>>>
>>>> I work on multiple projects and learned a bunch from those projects. There are nice add-ons that help with productivity. There are things we can do to help us manage the project better.
>>>>
>>>> 1. Add new issue types.
>>>> We can add "Epic" jira type to organize a set of related jiras. This could be easier to manage than using a regular JIRA and calling it "umbrella".
>>>>
>>>> 2. GitHub Actions
>>>> I am seeing more projects moving to GitHub Actions for precommits. We don't necessarily need to migrate off Jenkins, but there are nice add-ons that can perform static analysis, catching potential issues. For example, Ozone adds SonarQube to post-commit, and exports the report to SonarCloud. Other add-ons are available to scan docker images and to run vulnerability scans.
>>>>
>>>> 3. JIRA security
>>>> It is possible to set up security level (public/private) in JIRA. This can be used to track vulnerability issues and be made only visible to committers. Example: INFRA-15258 <https://issues.apache.org/jira/browse/INFRA-15258>
>>>>
>>>> 4. New JIRA fields
>>>> It's possible to add new fields. For example, we can add a "Reviewer" field, which could help improve the attention to issues.
>>>>
>>>> 5. Doc update
>>>> It is possible to set up automation such that the doc on the Hadoop website is refreshed for every commit, providing the latest doc to the public.
>>>>
>>>> 6. Webhook
>>>> It's possible to set up a webhook such that every commit in GitHub sends a notification to the ASF slack. It can be used for other kinds of automation. Sky's the limit.
>>>>
>>>> Thoughts? What else can we do?
>>>>
>>
>> --
>> Best Regards,
>>
>> *Ahmed Hussein, PhD*
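The Dependabot idea at the top of this message (a pull request opened automatically when a vulnerable dependency is found) is mostly a repository setting rather than a file, but the accompanying `.github/dependabot.yml` decides how the bot's PRs look and how the routine version checks run. The configuration below is an added example for discussion, not something from the thread or from the Hadoop project; it assumes a Maven build with the root `pom.xml` at the repository root, `trunk` as the branch PRs are opened against, and an existing `dependencies` label.

```yaml
# .github/dependabot.yml -- added example, not from the thread or the project.
# Assumptions: root pom.xml at "/", default branch "trunk", and a
# "dependencies" label that already exists in the repository.
#
# The "open a PR whenever a vulnerability is discovered" behaviour is
# Dependabot *security updates*, which is switched on in the repository's
# security settings (it needs the dependency graph enabled). This file
# configures the regular *version updates* and the shape of the PRs.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"              # where the root pom.xml lives
    target-branch: "trunk"      # assumption: branch the PRs are opened against
    schedule:
      interval: "weekly"        # routine version checks; security PRs are
      day: "monday"             # opened as soon as an advisory matches
    # Cap on concurrently open version-update PRs so the queue stays
    # reviewable. Security-update PRs are not counted against this limit;
    # setting it to 0 disables version updates while leaving security
    # updates on.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"          # assumption: label exists; used to route review
```

Because the bot opens ordinary pull requests, the existing precommit (Yetus on Jenkins) runs on them unchanged, and a JIRA can be filed by the committer who picks the PR up, so the commit-message rule mentioned above still holds at merge time.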