-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: warn on outdated top level dependencies #757
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very inventive solution to to cargo outdated
problem.
Not sure if we care about every bug fix version change of every dependency, is it too aggressive to warn about that as outdated dependency? |
It's a fair concern. I think we do care about patch version bumps because they could be security fixes (depending on the package policy) |
runs-on: ubuntu-latest | ||
timeout-minutes: 5 | ||
steps: | ||
- uses: actions/checkout@v3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: you could probably use @v4
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's update all of these at once: #759
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: ./.github/actions/rust | ||
- uses: taiki-e/install-action@v2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I am starting to feel just slightly uncomfortable about number of external GithubAction dependencies we are including in our CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Part of #746
Need to transform
cargo-outdated
's output to github's warning format.Didn't fancy coming up with some jq to do it - let's use a real programming language :)
This isn't strictly "secure", as we only lint dependencies we ourselves specify in
Cargo.toml
, not our transitive deps.But that's a huge list and we should sort that later.
We should probably move our other monster bash scripts to rust anyway.
Works a treat: