

@embano1 embano1 commented Apr 19, 2025

This PR replaces Dependabot with a custom dependency update workflow to better handle our multi-module repository structure.

Changes:

  • Added a new script (hack/update-deps.sh) to automatically update Go dependencies across all modules
  • Created a GitHub workflow (update-dependencies.yml) that runs weekly to update dependencies and create PRs
  • Modified Dependabot configuration to only handle GitHub Actions updates, as Go dependencies are now managed by our custom workflow
  • Removed stale and broken OpenTelemetry samples that were no longer maintained
  • Updated Go dependencies to latest compatible versions, as well as Go version and toolchain across all modules (go.mod) to 1.23.*
  • Updated README.md to reflect current Go version support (1.23+)

This change provides a more reliable and consistent approach to dependency management across our multi-module repository structure, ensuring all modules stay up-to-date with the latest security patches and improvements.

@embano1 embano1 force-pushed the update-deps branch 2 times, most recently from ccacba5 to 6bc99ed, April 19, 2025 09:39
# Change to the directory
pushd "$DIR" >/dev/null

# disable go toolchain switching
Contributor

I'm curious, why do we need this?
If we're using the same go version for everything maybe we should add a script to check to make sure all go.mod files use the same version. Or am I missing something that would prevent that?

Member Author

Fixed, sorry I was still working on this :) PR is now ready for review. Couldn't fully test the new script yet because of the "limited" testing capabilities with GitHub Actions ;) We'll see after merge...
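
As an added example for both the PR description (a script that updates and tidies Go dependencies across every module of a multi-module repository) and the review thread above (disabling toolchain switching, and the reviewer's suggestion of a check that all go.mod files use the same Go version): the script below is not the PR's hack/update-deps.sh, which this page does not show. The function names, the module paths and the version numbers in make_sample_repo are constructed for offline testing; GOTOOLCHAIN=local is the documented go command setting that disables toolchain switching.

```shell
#!/bin/sh
# Added example, not the PR's hack/update-deps.sh (which this page does not show).
# Walks every Go module in a multi-module repo, checks that all go.mod files
# declare the same Go version, then updates and tidies each module with
# toolchain switching disabled (GOTOOLCHAIN=local). Module paths and version
# numbers in make_sample_repo are constructed for offline testing.
set -eu

# List every go.mod below the given root, skipping vendored copies.
list_modules() {
  find "$1" -name go.mod ! -path '*/vendor/*' | sort
}

# Print the version from a go.mod "go X.Y[.Z]" directive (empty if absent).
go_directive() {
  awk '$1 == "go" { print $2; exit }' "$1"
}

# Verify that every go.mod under $1 declares the same Go version.
# Prints the common version and returns 0, or reports each mismatch on
# stderr and returns 1 (also 1 when no go.mod is found at all).
check_go_versions() {
  root="$1"
  want=""
  rc=0
  for f in $(list_modules "$root"); do
    v=$(go_directive "$f")
    if [ -z "$want" ]; then
      want="$v"
    elif [ "$v" != "$want" ]; then
      echo "version mismatch: $f declares 'go $v', expected 'go $want'" >&2
      rc=1
    fi
  done
  [ -n "$want" ] || { echo "no go.mod files under $root" >&2; return 1; }
  [ "$rc" -eq 0 ] && echo "$want"
  return "$rc"
}

# Update direct and indirect dependencies of one module and tidy its go.mod.
# GOTOOLCHAIN=local keeps the go command from downloading and switching to a
# newer toolchain when a dependency asks for one, so such an update fails
# loudly in CI instead of silently bumping the toolchain.
update_module() {
  dir="$1"
  echo "updating $dir"
  (
    cd "$dir"
    GOTOOLCHAIN=local go get -u ./...
    GOTOOLCHAIN=local go mod tidy
  )
}

# Check version consistency first (set -e aborts on mismatch), then update.
main() {
  root="${1:-.}"
  want=$(check_go_versions "$root")
  echo "all modules declare go $want"
  for f in $(list_modules "$root"); do
    update_module "$(dirname "$f")"
  done
}

# Build a throwaway two-module repo with constructed go.mod files so the check
# can be exercised offline. "$1" is "consistent" or "mismatch".
make_sample_repo() {
  root=$(mktemp -d)
  second="1.23.0"
  [ "$1" = "mismatch" ] && second="1.22.0"
  mkdir -p "$root/v2" "$root/samples/http" "$root/vendor/dep"
  printf 'module example.com/sdk/v2\n\ngo 1.23.0\n' > "$root/v2/go.mod"
  printf 'module example.com/sdk/samples/http\n\ngo %s\n' "$second" > "$root/samples/http/go.mod"
  # a vendored module with an old version must be ignored by the check
  printf 'module example.com/vendored\n\ngo 1.19\n' > "$root/vendor/dep/go.mod"
  echo "$root"
}

# Run only when executed directly as update-deps.sh (e.g. ./update-deps.sh .),
# so the functions can also be sourced and tested without touching any module.
case "${0##*/}" in
  update-deps.sh) main "$@" ;;
esac
```

Running `./update-deps.sh .` from the repository root stops before touching anything if two go.mod files disagree on their `go` directive, which is the check the reviewer asked for; in a weekly workflow that failure shows up as a red job rather than as a PR that bumps one module and not the others.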

Signed-off-by: Michael Gasch <15986659+embano1@users.noreply.github.com>
@embano1 embano1 changed the title from "Update deps" to "Dependency Management Improvements" Apr 19, 2025
@embano1 embano1 marked this pull request as ready for review April 19, 2025 19:03
@embano1 embano1 requested a review from a team as a code owner April 19, 2025 19:03
@embano1 embano1 enabled auto-merge April 19, 2025 19:22
Signed-off-by: Michael Gasch <15986659+embano1@users.noreply.github.com>
@embano1 embano1 requested a review from duglin April 20, 2025 07:06
@embano1 embano1 added the label "dependencies" (Pull requests that update a dependency file) Apr 20, 2025
embano1 added 2 commits April 20, 2025 09:10
Dependabot doesn't properly tidy Go dependencies across the repository
and lacks customization options. We've replaced it with a custom script
that correctly updates and tidies dependencies on a weekly schedule.

Signed-off-by: Michael Gasch <15986659+embano1@users.noreply.github.com>
Signed-off-by: Michael Gasch <15986659+embano1@users.noreply.github.com>

duglin commented Apr 20, 2025

Will this create a PR even if nothing has changed?


embano1 commented Apr 20, 2025

> Will this create a PR even if nothing has changed?

Nope, the action is smart in many ways - no-op is the default.


embano1 commented Apr 20, 2025

I did a dry run in my repo, worked like a charm. Just didn't test if there's a dep change and what the PR will look like. But I used the action in other repos before and it worked well.


embano1 commented Apr 20, 2025

Also: should make your life and relationship to Go dep management better 😜


duglin commented Apr 20, 2025

> Also: should make your life and relationship to Go dep management better 😜

Sure! Next you'll want me to believe in unicorns

@embano1 embano1 merged commit 75bec0f into cloudevents:main Apr 20, 2025
9 checks passed
@embano1 embano1 deleted the update-deps branch April 21, 2025 10:07