Dependabot weekly to daily #9

Closed
wants to merge 274 commits into from

@mantrachain-support mantrachain-support commented Sep 20, 2024

Description

Dependabot doesn't really do much upstream; this change will make it run more often and help in verifying that it actually runs. My understanding is that it only runs on main, with very limited use on release/v0.50.x.


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • run make lint and make test
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

Summary by CodeRabbit

  • Chores
    • Updated the package update schedule from weekly to daily for various ecosystems, enhancing the frequency of dependency updates.

coderabbitai bot commented Sep 20, 2024

Walkthrough

The pull request modifies the .github/dependabot.yml configuration file to change the update schedule for various package ecosystems from a weekly to a daily frequency. This adjustment applies to multiple directories, specifically affecting the npm and gomod ecosystems, with gomod including specific days and times for updates, while npm specifies only a daily interval.

Changes

File: .github/dependabot.yml
Change Summary: Updated update interval from "weekly" to "daily" for npm and gomod across multiple directories. Specific days and times are set for gomod, while npm has a general daily schedule.

Possibly related PRs

  • fix: make dependabot update all workflow dispatch #127: The changes in this PR also involve Dependabot configurations, specifically altering the workflow trigger, which relates to the overall management of package updates similar to the update interval changes in the main PR.

Suggested reviewers

  • AaronForce1

Poem

🐰 In the garden of code, where packages bloom,
Daily updates now chase away gloom.
With nimble hops, our dependencies play,
Keeping bugs at bay, come what may!
So let’s dance in the light, with joy we shall sway! 🌼


Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 3e68662 and 2945ca8.

Files selected for processing (1)
  • .github/dependabot.yml (21 hunks)
Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 8529343 and 3e68662.

Files selected for processing (1)
  • .github/dependabot.yml (21 hunks)
Additional comments not posted (8)
.github/dependabot.yml (8)

15-15: LGTM!

Updating docs dependencies daily aligns with the PR objective and is unlikely to cause issues.


39-41: Looks good!

Updating test dependencies daily on Mondays provides a frequent and predictable update cadence without likely disruptions.


57-59: Verify the impact of daily updates on data consistency.

ORM dependencies are sensitive to breaking changes that could impact the database layer and introduce data inconsistencies, especially during migrations. While the change aligns with the PR objective, please ensure that daily updates are thoroughly verified to maintain data integrity.

Consider adding a data consistency check step in the CI pipeline when ORM dependencies are updated. This could involve:

  1. Standing up a test database
  2. Running migrations
  3. Inserting sample data
  4. Verifying data integrity through queries and consistency checks

This will help catch any breaking changes that could corrupt data before merging the Dependabot PR.


75-77: Looks good to me!

Dependency injection frameworks are less likely to have frequent breaking changes. Daily updates for this directory are unlikely to cause major issues and align with the PR objective.


84-86: LGTM!

Error handling dependencies are less likely to have frequent breaking changes. Daily updates for this directory are unlikely to cause major issues and align with the PR objective.


93-95: Looks good!

Math dependencies are less likely to have frequent breaking changes. Daily updates for this directory are unlikely to cause major issues and align with the PR objective.


211-213: LGTM!

Logging dependencies are less likely to have frequent breaking changes. Daily updates for this directory are unlikely to cause major issues and align with the PR objective.


48-50: Verify the impact of daily updates on API stability.

API dependencies are more sensitive to breaking changes. While the change aligns with the PR objective, please ensure that daily updates won't introduce instability.

Consider running the following script to analyze the historical frequency and impact of breaking changes in API dependencies:

If the analysis reveals frequent breaking changes, consider reducing the update frequency or putting additional verification steps in place.

Comment on lines +102 to 104
interval: daily
day: wednesday
time: "01:50"
Consider a more conservative update frequency for client dependencies.

Client dependencies are user-facing and more sensitive to breaking changes. Daily updates may introduce compatibility issues or unexpected behavior if not properly verified.

Given the sensitivity of client dependencies, consider a more conservative update frequency, such as weekly or biweekly, to balance the benefits of staying up-to-date with the risk of introducing compatibility issues.

For example:

- interval: daily  
- day: wednesday
+ interval: weekly

Alternatively, if you proceed with daily updates, ensure that there is a comprehensive compatibility testing suite in place to catch any breaking changes before merging the Dependabot PR. This should include testing the client against a matrix of supported server versions.

Committable suggestion was skipped due to low confidence.

Comment on lines +66 to 68
interval: daily
day: thursday
time: "01:30"
Consider a more conservative update frequency for core dependencies.

Core dependencies are critical and more sensitive to breaking changes. Daily updates may introduce instability or unexpected behavior if not properly verified.

Given the sensitivity of core dependencies, consider a more conservative update frequency, such as weekly or biweekly, to balance the benefits of staying up-to-date with the risk of introducing instability.

For example:

- interval: daily
- day: thursday
+ interval: weekly

Alternatively, if you proceed with daily updates, ensure that there is a comprehensive regression testing suite in place to catch any breaking changes before merging the Dependabot PR.

Committable suggestion was skipped due to low confidence.
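
The schedule settings discussed in this review can be checked mechanically. The following is an added example, not code from this PR, the repository or CodeRabbit: a small lint that flags `schedule.day` set next to a non-weekly interval (the key applies to weekly schedules only) and lists which directories are scheduled on which `target-branch`, which bears on the description's point about main versus release/v0.50.x. The sample config is constructed, the function names are hypothetical, and the parser is line-based rather than a full YAML parser.

```python
import re

# Constructed sample in the shape of .github/dependabot.yml; the directories
# appear in this PR's commit titles, the pairing with schedules is illustrative.
SAMPLE = """\
version: 2
updates:
  - package-ecosystem: gomod
    directory: "/client/v2"
    schedule:
      interval: daily
      day: wednesday
      time: "01:50"
  - package-ecosystem: gomod
    directory: "/x/feegrant"
    target-branch: "release/v0.50.x"
    schedule:
      interval: weekly
      day: thursday
      time: "01:30"
"""

KEYS = ("package-ecosystem", "directory", "target-branch", "interval", "day", "time")
PAIR = re.compile(r"^\s*(?:-\s+)?([\w-]+):\s*(.*?)\s*$")

def parse_updates(text):
    """Collect the scalar keys of each `updates` entry (line-based, not full YAML)."""
    entries = []
    for line in text.splitlines():
        m = PAIR.match(line.split(" #")[0])  # drop trailing comments
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if key == "package-ecosystem":       # each entry starts with this key
            entries.append({})
        if entries and key in KEYS and value:
            entries[-1][key] = value
    return entries

def lint(text):
    """Return (directory, message) findings for schedules that mislead the reader."""
    findings = []
    for e in parse_updates(text):
        where, interval = e.get("directory", "?"), e.get("interval")
        if interval is None:
            findings.append((where, "no schedule.interval"))
        elif "day" in e and interval != "weekly":
            findings.append((where, f"schedule.day={e['day']} set with interval={interval}; day applies to weekly only"))
    return findings

def branch_coverage(text):
    """Map each target branch to its scheduled directories (None = default branch)."""
    cover = {}
    for e in parse_updates(text):
        cover.setdefault(e.get("target-branch"), []).append(e.get("directory"))
    return cover
```
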

dependabot bot and others added 27 commits September 20, 2024 12:53
Bumps [autoprefixer](https://github.com/postcss/autoprefixer) from 10.4.14 to 10.4.20.
- [Release notes](https://github.com/postcss/autoprefixer/releases)
- [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md)
- [Commits](postcss/autoprefixer@10.4.14...10.4.20)

---
updated-dependencies:
- dependency-name: autoprefixer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.5.0 to 1.0.2.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](actions/add-to-project@v0.5.0...v1.0.2)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Mantrachain Development Support <security@mantrachain.io>
Signed-off-by: Mantrachain Development Support <security@mantrachain.io>
fix: sdk ci bump go and sync with upstream

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.9.0 to 0.23.0.
- [Commits](golang/net@v0.9.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.64.1 to 1.67.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.64.1...v1.67.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [cosmossdk.io/errors](https://github.com/cosmos/cosmos-sdk) from 1.0.0-beta.7 to 1.0.1.
- [Release notes](https://github.com/cosmos/cosmos-sdk/releases)
- [Changelog](https://github.com/cosmos/cosmos-sdk/blob/main/CHANGELOG.md)
- [Commits](cosmos/cosmos-sdk@errors/v1.0.0-beta.7...math/v1.0.1)

---
updated-dependencies:
- dependency-name: cosmossdk.io/errors
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk) from 0.50.6 to 0.50.10.
- [Release notes](https://github.com/cosmos/cosmos-sdk/releases)
- [Changelog](https://github.com/cosmos/cosmos-sdk/blob/main/CHANGELOG.md)
- [Commits](cosmos/cosmos-sdk@v0.50.6...v0.50.10)

---
updated-dependencies:
- dependency-name: github.com/cosmos/cosmos-sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
fix: make dependabot update all workflow dispatch
…t/v2/github.com/cosmos/cosmos-sdk-0.50.10

build(deps): Bump github.com/cosmos/cosmos-sdk from 0.50.6 to 0.50.10 in /client/v2
…grant/github.com/cosmos/cosmos-sdk-0.50.10

build(deps): Bump github.com/cosmos/cosmos-sdk from 0.50.6 to 0.50.10 in /x/feegrant
mantrachain-support and others added 26 commits September 21, 2024 20:57
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.1 to 1.20.4.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.20.1...v1.20.4)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…b.com/prometheus/client_golang-1.20.4

build(deps): Bump github.com/prometheus/client_golang from 1.20.1 to 1.20.4
…e.golang.org/grpc-1.67.0

build(deps): Bump google.golang.org/grpc from 1.64.1 to 1.67.0
…dabot/go_modules/x/evidence/cosmossdk.io/depinject-1.0.0
…ence/cosmossdk.io/depinject-1.0.0

build(deps): Bump cosmossdk.io/depinject from 1.0.0-alpha.4 to 1.0.0 in /x/evidence
…dabot/go_modules/depinject/gotest.tools/v3-3.5.1
….com/gorilla/mux-1.8.1

build(deps): Bump github.com/gorilla/mux from 1.8.0 to 1.8.1
…ect/gotest.tools/v3-3.5.1

build(deps): Bump gotest.tools/v3 from 3.4.0 to 3.5.1 in /depinject
….com/bits-and-blooms/bitset-1.14.3

build(deps): Bump github.com/bits-and-blooms/bitset from 1.8.0 to 1.14.3
…confix/github.com/creachadair/tomledit-0.0.26

build(deps): Bump github.com/creachadair/tomledit from 0.0.24 to 0.0.26 in /tools/confix
….org/x/crypto-0.27.0

build(deps): Bump golang.org/x/crypto from 0.26.0 to 0.27.0
…/hubl/github.com/cosmos/cosmos-sdk-0.50.10

build(deps): Bump github.com/cosmos/cosmos-sdk from 0.50.6 to 0.50.10 in /tools/hubl
…ithub/issue-labeler-3.4

build(deps): Bump github/issue-labeler from 3.1 to 3.4
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the Stale label Jan 10, 2025
@github-actions github-actions bot closed this Jan 15, 2025