Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: warn on outdated top level dependencies #757

Merged
merged 6 commits into from
Oct 31, 2024
Merged

Conversation

0xaatif
Copy link
Contributor

@0xaatif 0xaatif commented Oct 29, 2024

Part of #746

Need to transform cargo-outdated's output to github's warning format.
Didn't fancy coming up with some jq to do it - let's use a real programming language :)
This isn't strictly "secure", as we only lint dependencies we ourselves specify in Cargo.toml, not our transitive deps.
But that's a huge list and we should sort that later.

We should probably move our other monster bash scripts to rust anyway.

Works a treat:
image

Copy link
Member

@atanmarko atanmarko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very inventive solution to to cargo outdated problem.

@atanmarko
Copy link
Member

atanmarko commented Oct 29, 2024

Not sure if we care about every bug fix version change of every dependency, is it too aggressive to warn about that as outdated dependency?

@0xaatif
Copy link
Contributor Author

0xaatif commented Oct 29, 2024

Not sure if care about every bug fix version change of every dependency, is it too aggressive to warn about that as outdated dependency?

It's a fair concern. I think we do care about patch version bumps because they could be security fixes (depending on the package policy)

runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: you could probably use @v4 here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's update all of these at once: #759

steps:
- uses: actions/checkout@v3
- uses: ./.github/actions/rust
- uses: taiki-e/install-action@v2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I am starting to feel just slightly uncomfortable about number of external GithubAction dependencies we are including in our CI.

Copy link
Collaborator

@paulgoleary paulgoleary left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@0xaatif 0xaatif merged commit 2b6abb5 into develop Oct 31, 2024
21 checks passed
@0xaatif 0xaatif deleted the 0xaatif/outdated branch October 31, 2024 00:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

6 participants