Occasionally we've thought about turning on
dependabot for the main WildFly repo, and a couple of current
discussions (see [1] and [2]) relate to that, so it seems a
good time to discuss further and perhaps take action.
My main concern with dependabot is it doesn't
integrate with JIRA. JIRA is really important to how we're
able to keep a handle on a project as complex as WildFly. And
I think it's important to track component upgrades in JIRA so
our users can keep an eye on what we're providing.
Particularly important in the world of ubiquitous CVE
scanners.
But James Perkins has pointed out that such
JIRA tracking is kind of overkill for non-production
dependencies (e.g. test and build deps) and I agree.
So, how about we turn on dependabot and require
a JIRA to be filed and linked to the PR if the proposed
upgrade is a production code dep? For non-production deps a JIRA
would be optional.
The other thing I care about a lot is being
able to grep the git log for commits related to a JIRA. That
would of course be lost for non-production upgrades with no
JIRA. Oh well. Also though dependabot wouldn't put our JIRA in
its commit messages. But for PRs where we file a JIRA we can
require human edit of the dependabot PR title to reference the
JIRA. That will result in the JIRA appearing in the log via
the merge commit GitHub generates. That solves the git log use
case adequately enough IMO.
Thoughts?
Best regards,
Brian