Hello,

Seems fair to me.

One risk that comes to mind is that people can be away (e.g. on PTO) more than 10 calendar days.
Maybe to mitigate this risk, without changing anything in your proposal, we could also start using GitHub teams, so that the bot (or you) don't ping a single person, but e.g. `@wildfly/hibernate-maintainers`? That way other people get a chance to fill in when the usual person responsible for a component is away. Of course, this only makes sense for cases where there is a person that can fill in :)

Cheers,

Yoann


On Mon, Sep 16, 2024 at 5:30 PM Brian Stansberry <brian.stansberry@redhat.com> wrote:
I'd like to propose we move to a lower touch system for processing dependabot updates.

Currently when dependabot files a PR, wildfly-bot tags various component leads to request a review, and then often I or others tag others. (I typically do this based on quick git grepping of module.xml to find uses.)

And then things often block with no feedback, leading to repeated checking on the PR.

So my proposal is if you are tagged for a review on one of these, you have two weeks to either approve or raise an objection via the GH PR review UI, or put a 'hold' label on the PR and leave a comment explaining why. The latter is basically a way of saying 'give me more time'. Then remove the hold when done.

After 10 calendar days, PRs without objections or 'hold' statements are free to merge.

If your component is the sole user of a particular dependency and you don't want dependabot managing it, send a PR updating dependabot.yaml.[1]

Thoughts?


--
Brian Stansberry
Principal Architect, Red Hat JBoss EAP
WildFly Project Lead
He/Him/His
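As an added illustration of the kind of dependabot.yaml change Brian refers to (this is not from the thread or from the WildFly repository; the artifact coordinates are constructed placeholders), one entry excludes a dependency from dependabot entirely, while a second keeps dependabot updates but skips major-version bumps, which is the usual compromise when a component owner wants to review those by hand:

```yaml
# Dependabot v2 configuration (example, not the project's own file).
version: 2
updates:
  - package-ecosystem: "maven"   # WildFly builds with Maven
    directory: "/"               # location of the root pom.xml
    schedule:
      interval: "weekly"
    ignore:
      # Placeholder coordinates: a dependency whose sole user
      # wants to manage it manually, so dependabot never opens PRs for it.
      - dependency-name: "org.example:component-only-artifact"
      # Placeholder coordinates: still receive minor/patch bumps,
      # but leave major upgrades to the component owner.
      - dependency-name: "org.example:reviewed-artifact"
        update-types: ["version-update:semver-major"]
```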
_______________________________________________
wildfly-dev mailing list -- wildfly-dev@lists.jboss.org
List Archives: https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message/TPDMKFOYOZV4AMQFZPDG2IX3CIXUVY76/