Use Dependabot for cn-infra #327

Open
mestery opened this issue Aug 13, 2018 · 9 comments

@mestery
Contributor

mestery commented Aug 13, 2018

We recently moved to using Dependabot [1] for Network Service Mesh, and it's pretty slick. I think using it for cn-infra (and vpp-agent, sfc-controller, etc.) makes a lot of sense. It's easy to add, keeps your dependencies up to date, and is a smooth workflow.

[1] https://dependabot.com/

@ondrej-fabry
Member

ondrej-fabry commented Aug 21, 2018

Dependabot doesn’t yet support vendoring for Go dependencies so if you commit a vendor folder Dependabot won’t update it for you.

https://dependabot.com/blog/go-support

Not feasible for us at the moment, we commit the vendor folder with dependencies.

Hopefully they add support soon, seems like a useful project.

@mestery
Contributor Author

mestery commented Aug 21, 2018

Thanks for pointing this out, and it makes sense after seeing the @dependabot pushes to the Network Service Mesh repository. However, one thing you can do in the meantime is let Dependabot handle pushing the Gopkg.[lock,toml] updates, and then pulling that down and running dep ensure -update and pushing back to the @dependabot PR. It's a workaround until they implement full vendoring support, and is how we're doing this for NSM.

@ondrej-fabry
Member

ondrej-fabry commented Aug 21, 2018

This sounds plausible if it were run in some script via Travis so it would do this work for open PRs by Dependabot.

Are you sure you are actively doing that for networkservicemesh?

Running dep check for the latest networkservicemesh returns this:

# Gopkg.lock is out of sync:
github.com/golang/protobuf/proto: imported or required, but missing from Gopkg.lock's input-imports
github.com/golang/protobuf/protoc-gen-go: imported or required, but missing from Gopkg.lock's input-imports
github.com/ligato/cn-infra/config: imported or required, but missing from Gopkg.lock's input-imports
github.com/ligato/cn-infra/core: imported or required, but missing from Gopkg.lock's input-imports
github.com/ligato/cn-infra/flavors/local: imported or required, but missing from Gopkg.lock's input-imports
github.com/ligato/cn-infra/flavors/rpc: imported or required, but missing from Gopkg.lock's input-imports
github.com/ligato/cn-infra/health/statuscheck: imported or required, but missing from Gopkg.lock's input-imports
github.com/ligato/cn-infra/logging: imported or required, but missing from Gopkg.lock's input-imports
golang.org/x/net/context: imported or required, but missing from Gopkg.lock's input-imports
google.golang.org/grpc: imported or required, but missing from Gopkg.lock's input-imports
k8s.io/client-go/kubernetes: imported or required, but missing from Gopkg.lock's input-imports
k8s.io/client-go/rest: imported or required, but missing from Gopkg.lock's input-imports
k8s.io/client-go/tools/clientcmd: imported or required, but missing from Gopkg.lock's input-imports
k8s.io/kubernetes/pkg/kubelet/apis/deviceplugin/v1beta1: imported or required, but missing from Gopkg.lock's input-imports
k8s.io/[email protected]: not allowed by override kubernetes-1.10.2
k8s.io/[email protected]: not allowed by override kubernetes-1.10.2
k8s.io/[email protected]: not allowed by constraint kubernetes-1.10.2
github.com/beorn7/perks: prune options changed ( -> UT)
github.com/beorn7/perks: no hash digest in lock
github.com/ghodss/yaml: prune options changed ( -> UT)
github.com/ghodss/yaml: no hash digest in lock
github.com/gogo/protobuf: prune options changed ( -> UT)
github.com/gogo/protobuf: no hash digest in lock
github.com/golang/glog: prune options changed ( -> UT)
github.com/golang/glog: no hash digest in lock
github.com/golang/protobuf: prune options changed ( -> UT)
github.com/golang/protobuf: no hash digest in lock
github.com/google/gofuzz: prune options changed ( -> UT)
github.com/google/gofuzz: no hash digest in lock
github.com/googleapis/gnostic: prune options changed ( -> UT)
github.com/googleapis/gnostic: no hash digest in lock
github.com/gorilla/context: prune options changed ( -> UT)
github.com/gorilla/context: no hash digest in lock
github.com/gorilla/mux: prune options changed ( -> UT)
github.com/gorilla/mux: no hash digest in lock
github.com/howeyc/gopass: prune options changed ( -> UT)
github.com/howeyc/gopass: no hash digest in lock
github.com/imdario/mergo: prune options changed ( -> UT)
github.com/imdario/mergo: no hash digest in lock
github.com/json-iterator/go: prune options changed ( -> UT)
github.com/json-iterator/go: no hash digest in lock
github.com/ligato/cn-infra: prune options changed ( -> UT)
github.com/ligato/cn-infra: no hash digest in lock
github.com/matttproud/golang_protobuf_extensions: prune options changed ( -> UT)
github.com/matttproud/golang_protobuf_extensions: no hash digest in lock
github.com/modern-go/concurrent: prune options changed ( -> UT)
github.com/modern-go/concurrent: no hash digest in lock
github.com/modern-go/reflect2: prune options changed ( -> UT)
github.com/modern-go/reflect2: no hash digest in lock
github.com/namsral/flag: prune options changed ( -> UT)
github.com/namsral/flag: no hash digest in lock
github.com/prometheus/client_golang: prune options changed ( -> UT)
github.com/prometheus/client_golang: no hash digest in lock
github.com/prometheus/client_model: prune options changed ( -> UT)
github.com/prometheus/client_model: no hash digest in lock
github.com/prometheus/common: prune options changed ( -> UT)
github.com/prometheus/common: no hash digest in lock
github.com/prometheus/procfs: prune options changed ( -> UT)
github.com/prometheus/procfs: no hash digest in lock
github.com/satori/go.uuid: prune options changed ( -> UT)
github.com/satori/go.uuid: no hash digest in lock
github.com/sirupsen/logrus: prune options changed ( -> UT)
github.com/sirupsen/logrus: no hash digest in lock
github.com/spf13/pflag: prune options changed ( -> UT)
github.com/spf13/pflag: no hash digest in lock
github.com/unrolled/render: prune options changed ( -> UT)
github.com/unrolled/render: no hash digest in lock
golang.org/x/crypto: prune options changed ( -> UT)
golang.org/x/crypto: no hash digest in lock
golang.org/x/net: prune options changed ( -> UT)
golang.org/x/net: no hash digest in lock
golang.org/x/sys: prune options changed ( -> UT)
golang.org/x/sys: no hash digest in lock
golang.org/x/text: prune options changed ( -> UT)
golang.org/x/text: no hash digest in lock
golang.org/x/time: prune options changed ( -> UT)
golang.org/x/time: no hash digest in lock
google.golang.org/genproto: prune options changed ( -> UT)
google.golang.org/genproto: no hash digest in lock
google.golang.org/grpc: prune options changed ( -> UT)
google.golang.org/grpc: no hash digest in lock
gopkg.in/inf.v0: prune options changed ( -> UT)
gopkg.in/inf.v0: no hash digest in lock
gopkg.in/yaml.v2: prune options changed ( -> UT)
gopkg.in/yaml.v2: no hash digest in lock
k8s.io/api: prune options changed ( -> UT)
k8s.io/api: no hash digest in lock
k8s.io/apimachinery: prune options changed ( -> UT)
k8s.io/apimachinery: no hash digest in lock
k8s.io/client-go: prune options changed ( -> UT)
k8s.io/client-go: no hash digest in lock
k8s.io/kubernetes: prune options changed ( -> UT)
k8s.io/kubernetes: no hash digest in lock

# vendor is out of sync:
github.com/beorn7/perks: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/ghodss/yaml: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/gogo/protobuf: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/golang/glog: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/golang/protobuf: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/google/gofuzz: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/googleapis/gnostic: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/gorilla/context: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/gorilla/mux: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/howeyc/gopass: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/imdario/mergo: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/json-iterator/go: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/ligato/cn-infra: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/matttproud/golang_protobuf_extensions: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/modern-go/concurrent: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/modern-go/reflect2: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/namsral/flag: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/prometheus/client_golang: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/prometheus/client_model: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/prometheus/common: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/prometheus/procfs: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/satori/go.uuid: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/sirupsen/logrus: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/spf13/pflag: no digest in Gopkg.lock to compare against hash of vendored tree
github.com/unrolled/render: no digest in Gopkg.lock to compare against hash of vendored tree
golang.org/x/crypto: no digest in Gopkg.lock to compare against hash of vendored tree
golang.org/x/net: no digest in Gopkg.lock to compare against hash of vendored tree
golang.org/x/sys: no digest in Gopkg.lock to compare against hash of vendored tree
golang.org/x/text: no digest in Gopkg.lock to compare against hash of vendored tree
golang.org/x/time: no digest in Gopkg.lock to compare against hash of vendored tree
google.golang.org/genproto: no digest in Gopkg.lock to compare against hash of vendored tree
google.golang.org/grpc: no digest in Gopkg.lock to compare against hash of vendored tree
gopkg.in/inf.v0: no digest in Gopkg.lock to compare against hash of vendored tree
gopkg.in/yaml.v2: no digest in Gopkg.lock to compare against hash of vendored tree
k8s.io/api: no digest in Gopkg.lock to compare against hash of vendored tree
k8s.io/apimachinery: no digest in Gopkg.lock to compare against hash of vendored tree
k8s.io/client-go: no digest in Gopkg.lock to compare against hash of vendored tree
k8s.io/kubernetes: no digest in Gopkg.lock to compare against hash of vendored tree                                                                     

We run dep check in Travis and never allow a commit that does not have Gopkg.lock in sync with the vendor folder, because that breaks reproducibility for that commit (without running any extra command like dep ensure).

You currently seem to be running kind of a mix of committing vendor and not committing it, because your Gopkg.lock file is not up to date with the vendor folder.
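
The findings in the `dep check` output quoted above fall into a few categories, and the "no digest" ones are the ones that mean the vendored tree cannot be verified against the lock. The following Go program groups them that way; it is an added example, not part of the thread or of the cn-infra code, and `Summarize`, `Report` and the sample input are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the format of the dep check output quoted above.
const sample = `# Gopkg.lock is out of sync:
github.com/ligato/cn-infra/config: imported or required, but missing from Gopkg.lock's input-imports
github.com/gorilla/mux: prune options changed ( -> UT)
github.com/gorilla/mux: no hash digest in lock

# vendor is out of sync:
github.com/gorilla/mux: no digest in Gopkg.lock to compare against hash of vendored tree
`

type Report struct {
	MissingImports   []string // used by the code but not recorded in the lock
	NoLockDigest     []string // locked without a digest, so vendor/ cannot be verified
	VendorUnverified []string // vendored trees dep had nothing to compare against
	Other            []string // anything else (prune changes, constraint conflicts, ...)
}

// Summarize classifies each "project: reason" line of dep check output.
func Summarize(out string) Report {
	var r Report
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		parts := strings.SplitN(line, ": ", 2)
		if strings.HasPrefix(line, "#") || len(parts) != 2 {
			continue // section header, blank line, or unrecognised text
		}
		switch name, reason := parts[0], parts[1]; {
		case strings.HasSuffix(reason, "missing from Gopkg.lock's input-imports"):
			r.MissingImports = append(r.MissingImports, name)
		case reason == "no hash digest in lock":
			r.NoLockDigest = append(r.NoLockDigest, name)
		case strings.HasPrefix(reason, "no digest in Gopkg.lock"):
			r.VendorUnverified = append(r.VendorUnverified, name)
		default:
			r.Other = append(r.Other, line)
		}
	}
	return r
}

func main() {
	fmt.Printf("%+v\n", Summarize(sample))
}
```
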

@mestery
Contributor Author

mestery commented Aug 21, 2018

We are not currently doing that as you show, but going forward we are going to do it. And I like the ability to do this from the travis-ci script, let me see if I can make that happen for NSM and port it towards cn-infra as well.

@ondrej-fabry
Member

This might be useful then: https://github.com/ligato/vpp-agent/blob/pantheon-dev/Makefile#L217-L228

This make target is run for each travis build and contains some useful information for each travis build.

@mestery
Contributor Author

mestery commented Aug 21, 2018

@ondrej-fabry I can't find where you guys are running dep check in travis, can you point me there, I'd like to at least add that into our travis runs as well. Thanks!

@ondrej-fabry
Member

Here is the step for Travis: https://github.com/ligato/vpp-agent/blob/pantheon-dev/.travis.yml#L41

Here's the actual make target: https://github.com/ligato/vpp-agent/blob/pantheon-dev/Makefile#L179-L181

@ondrej-fabry
Member

Oh my, just realized I'm showing vpp-agent, but this issue is for cn-infra. Will fix.

mestery added a commit to mestery/cn-infra that referenced this issue Aug 21, 2018
This is from a discussion on ligato#327

Similar to the vpp-agent [1] [2], run `dep check` in travis-ci with each
commit and fail if someone adds vendored code without proper vendoring.

[1] https://github.com/ligato/vpp-agent/blob/pantheon-dev/.travis.yml#L41
[2] https://github.com/ligato/vpp-agent/blob/pantheon-dev/Makefile#L179-L181

Signed-off-by: Kyle Mestery <[email protected]>
@mestery
Contributor Author

mestery commented Aug 21, 2018

@ondrej-fabry I just pushed a PR adding it. :)
