ci: Simply renovate bot config to only propose google sdk, testing, and ci dep updates#4155
ci: Simply renovate bot config to only propose google sdk, testing, and ci dep updates#4155
Conversation
…nd ci dep updates
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request streamlines the Renovate bot's operation by narrowing its scope of dependency monitoring. The changes aim to alleviate quota issues and improve the dependency dashboard's functionality by focusing automated updates solely on critical areas such as testing, CI/CD, and core Google SDK components. This shift supports a more controlled, ad-hoc approach for other dependency upgrades. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request simplifies the Renovate bot configuration to reduce the number of proposed dependency updates, addressing quota issues. The approach of disabling all updates by default and then selectively enabling specific groups of dependencies (like testing libraries, Google SDKs, and CI/CD tools) is a good simplification. The change also enables vulnerability alerts, which is a great security improvement. I've left one comment regarding the potential loss of specific semanticCommitType configurations for some dependency groups, which might affect commit message consistency.
|
|
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request simplifies the Renovate bot configuration to reduce the number of proposed dependency updates. The approach of disabling all updates by default and then selectively enabling specific categories is a good simplification. My review focuses on ensuring the new configuration aligns with the stated goal of updating only Google SDK, testing, and CI dependencies.
I've identified two potential issues:
- The regex for
dependencies.txtis very broad and will enable updates for all dependencies in that file, including many third-party libraries, which seems to contradict the PR's goal. - Some Google SDK-related dependencies for the GAPIC generator appear to be unintentionally disabled by the new configuration.
Please see my detailed comments in the code.
| "dependencies.txt" | ||
| ], | ||
| "matchStrings": [ | ||
| "(?<depName>.*),(.*)=(?<currentValue>.*)" |
There was a problem hiding this comment.
The regex (?<depName>.*) is very broad and will match all dependencies in dependencies.txt, including many third-party libraries (e.g., slf4j, jackson, httpcomponents).
Given the PR's goal is to "only propose google sdk, testing, and ci dep updates", this might generate more update PRs than intended. Previously, other rules might have disabled some of these, but with the new "disable all, then enable specific" structure, this rule for dependencies.txt will enable updates for everything in that file.
If the intention is to limit updates to Google-related dependencies from this file, consider making the regex more specific. For example, the suggestion below would limit matches to dependencies from com.google.*, io.grpc.*, and dev.cel.* group IDs. Please adjust the regex to match the intended scope.
| "(?<depName>.*),(.*)=(?<currentValue>.*)" | |
| "(?<depName>(?:com\\.google|io\\.grpc|dev\\.cel).*),.*=(?<currentValue>.*)" |
| } | ||
| ] | ||
| } | ||
| ], |
There was a problem hiding this comment.
The new configuration disables updates for all packages by default, and then selectively re-enables them. It seems that updates for com.google.cloud:gapic-generator-java-transport and com.google.cloud:gapic-generator-java-rest-numeric-enums, which are tracked via a regex manager on rules_java_gapic/java_gapic.bzl, are now disabled as they are not re-enabled by any rule.
Given that the PR intends to keep "google sdk" updates, was this intentional? If not, you might want to add a new package rule to re-enable them, for example:
{
"matchPackageNames": [
"com.google.cloud:gapic-generator-java-transport",
"com.google.cloud:gapic-generator-java-rest-numeric-enums"
],
"groupName": "GAPIC Generator Dependencies",
"enabled": true,
"semanticCommitType": "chore",
"semanticCommitScope": "deps"
}1 participant
Renovate bot is hitting quota issues and the dependency dashboard does not work. Configure renovate bot to only propose a subset of dependencies (we already ignore dep upgrade PRs and manually create them ad-hoc when needed).
This config can be updated as we discover more deps to upgrade.