
Revert dependency version regression, fix dependabot config #1104

Open. Wants to merge 2 commits into base: main

Conversation

leoger (Contributor) commented Jan 21, 2025

Dependabot suggested changing the error-prone library to 2.36.0 again in #1089, and it was accepted/merged, which re-breaks the fix that was included in #1083.

In order to prevent future such regressions, I took it upon myself to configure dependabot to ignore certain packages. The documentation is thorough but lacks examples. I found this config in the wild via GitHub search and it made the usage clear enough.

Then I did some additional research to understand how to make the update PRs less noisy via "groups". Here are a couple of examples of dependabot groups usage in projects that I would expect to know what they're doing: 1, 2, 3

Summary by CodeRabbit

  • Dependency Management

    • Updated Dependabot configuration to check for dependency updates weekly
    • Created groups for security, production, and development dependencies
    • Configured specific ignore rules for certain dependency updates
  • Dependency Version

    • Downgraded error-prone tool version

Dependabot changed `error-prone` library to 2.36.0 again in nitrite#1089,
re-breaking the fix that was included in nitrite#1083.

This reverts commit 6902df0.
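The PR's own .github/dependabot.yml is not reproduced on this page, so the following is an added example (not the repository's file) of a Dependabot v2 configuration that does what the description and the review walkthrough say the change does: weekly cadence for both Maven and GitHub Actions, an ignore rule that blocks minor bumps of com.google.errorprone so the 2.31.0 pin is not re-raised, and the three groups named in the review. The directory "/", the catch-all patterns, and the use of dependency-type inside the groups are assumptions chosen for illustration.

```yaml
# Added example, not the repository's real .github/dependabot.yml.
# Directory, patterns and group membership rules are assumed.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"          # assumed: pom.xml lives at the repository root
    schedule:
      interval: "weekly"    # daily -> weekly, as described in the PR
    ignore:
      # Keep Dependabot from re-proposing the 2.31.0 -> 2.36.0 minor bump that
      # broke the JDK 11 build. Patch releases within 2.31.x are still offered;
      # add "version-update:semver-major" here as well to freeze major bumps.
      - dependency-name: "com.google.errorprone:*"
        update-types:
          - "version-update:semver-minor"
    groups:
      # Security advisories get their own PR so they are never buried in a
      # routine version-update batch.
      security:
        applies-to: security-updates
        patterns:
          - "*"
      # Routine version updates are split by dependency type (assumed to be
      # supported for Maven scopes here) so test-only bumps stay separate.
      production-dependencies:
        applies-to: version-updates
        dependency-type: "production"
        patterns:
          - "*"
      development-dependencies:
        applies-to: version-updates
        dependency-type: "development"
        patterns:
          - "*"

  - package-ecosystem: "github-actions"
    directory: "/"          # workflow files under .github/workflows
    schedule:
      interval: "weekly"
```

Note that an ignore rule only silences Dependabot; it does not stop a human from merging a manual bump, so the reason for the pin still belongs in a comment next to the version in pom.xml, as the reviewed change does.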
coderabbitai bot (Contributor) commented Jan 21, 2025

Walkthrough

The pull request introduces modifications to the Dependabot configuration in .github/dependabot.yml and updates the error-prone dependency version in pom.xml. The Dependabot configuration changes include shifting from daily to weekly update schedules, introducing new dependency update groups for security, production, and development dependencies, and adding an ignore rule for minor version updates of Google Error Prone. The pom.xml change involves downgrading the error-prone tool version.

Changes

File: .github/dependabot.yml
  • Changed update schedule from daily to weekly for Maven and GitHub Actions
  • Added ignore rule for minor updates of com.google.errorprone
  • Created three new update groups: security, production-dependencies, development-dependencies
File: pom.xml
  • Downgraded error-prone version from 2.36.0 to 2.31.0

Poem

🐰 Dependabot's weekly dance begins,
Updating dependencies with rabbit grins,
Security patches, grouped with care,
Production, dev updates laid bare,
Error-prone version takes a slight dip,
Dependency management gets a new grip! 🔧


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b90d63 and bcaebe5.

📒 Files selected for processing (2)
  • .github/dependabot.yml (1 hunks)
  • pom.xml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (14)
  • GitHub Check: Verify GraalVM 21 compatibility on macos-latest
  • GitHub Check: Verify GraalVM 17 compatibility on macos-latest
  • GitHub Check: Verify GraalVM 21 compatibility on windows-latest
  • GitHub Check: Build with Java 17 in Windows
  • GitHub Check: Verify GraalVM 17 compatibility on windows-latest
  • GitHub Check: Build with Java 17 in Ubuntu
  • GitHub Check: Build with Java 11 in Windows
  • GitHub Check: Verify GraalVM 21 compatibility on ubuntu-latest
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: Build with Java 11 in Ubuntu
  • GitHub Check: Build with Java 17 in MacOS
  • GitHub Check: Verify GraalVM 17 compatibility on ubuntu-latest
  • GitHub Check: Build with Java 11 in MacOS
  • GitHub Check: Analyze (java)
🔇 Additional comments (4)
.github/dependabot.yml (3)

6-6: LGTM! Reduced update frequency helps manage dependency updates better.

The change from daily to weekly updates for both Maven and GitHub Actions is a good balance between staying up-to-date and reducing noise from frequent updates.

Also applies to: 34-34


8-11: LGTM! Well-configured ignore rule to prevent error-prone regressions.

The ignore rule is correctly configured to prevent minor version updates of error-prone, which aligns with the PR objective to prevent similar regressions in the future.


12-29: LGTM! Well-organized dependency update groups.

The three groups (security, production, and development) are well-structured and will help reduce PR noise by consolidating related updates. The configuration follows best practices by:

  • Prioritizing security updates separately
  • Distinguishing between production and development dependencies
  • Using clear patterns for dependency matching
pom.xml (1)

84-84: LGTM! Well-documented version revert to maintain JDK 11 compatibility.

The revert to error-prone version 2.31.0 is necessary to maintain compatibility with JDK 11, as documented in the comment. This change aligns with the PR objective to fix the dependency version regression.


leoger (Contributor, Author) commented Jan 21, 2025

⚠️ Actually, it occurred to me to go back to #1089 and see whether the CI build passed...

Now I'm confused as to how it built successfully on CI. Maybe there's just something strange about my local dev setup? The release notes for Error Prone 23.1.0 seem pretty clear that it won't build with JDK 11...
