Update Notify package management #658
Comments
Hey team! Please add your planning poker estimate with ZenHub @andrewleith @iokpala @jimleroyer @jzbahrai @sastels
@sastels and @andrewleith Are you OK if we move forward without an ADR and implement the suggestions listed in the acceptance criteria?
Sounds reasonable, especially if GDS has had success. If it ends up not working then we can explore alternative approaches through an ADR.
I agree!
Sounds good then! @sastels and @andrewleith, if you can estimate on the issue then as-is, not for the ADR but the actual changes, it would be much appreciated. 🙏
Please also see the link in the description to the CDS documentation for patch management.
If you want to see the new patch management setup in action take a look at cds-snc/scan-websites#322. This is a dashboard that the new tool "renovate" will maintain to help you keep track of what needs to be patched. How to add it to your repo (my team can help):
Here's the spot in the GitHub app that you add repos:
Just a note that we are meeting with SRE this week re: renovate which will hopefully take care of at least a portion of this work.
I did some research on Renovate's support for transitive dependency trace comments and it doesn't provide this. However, it is able to consume a pip-compile

```json
{
  "pip-compile": {
    "fileMatch": ["(^|/)requirements\\.in$"]
  }
}
```
Some overlap with Renovate dependency tracker
I threw together a quick doc on Pip-tools vs Poetry based on my findings thus far.
Could also look into Renovate as well
Regarding the question: Renovate has little to no overlap with package managers. It provides DevOps oriented tooling that notifies us via PRs with suggested version updates for dependencies. Renovate does this by reading package files generated by package managers like All this to say: Renovate cannot do what tools like pip or Poetry do for us and depends on the usage of a package manager in a project to fulfill its function. We can use these tools in conjunction with one another but neither is a replacement for the other.
Small draft PR with Poetry for anyone who wants to play around with it
Updated the Pip-tools vs Poetry doc with some comparisons between migrating projects to both Pip-tools and Poetry. Added a short blurb on the level of risk associated with migrating to each tool.
Working today, doing some work on GitHub Actions workflows from pip to Poetry. Will start migrating other projects over to Poetry as well.
Document download API PR is ready to go
Document download API successfully deployed, running with Poetry
@whabanks could you add an update to this card?
Yesterday successfully deployed Admin changes to staging. Hoping to get the notification-api changes deployed today.
API ready for another test deployment to staging. Pat identified a compatibility issue with Renovate causing errors. Will troubleshoot that today.
Moving to blocked:
Issues with the lambda API image, looks like we may need to self-host Renovate to make it work with Poetry.
Lambda API issues fixed, Poetry PR merged to staging and tested.
Relevant Slack thread for current state
The problem is that the I chatted with @whabanks and I'm going to submit a Renovate config change to ignore Ideally there will be an upstream fix to Poetry that allows it to fail gracefully on conflicts.
Great news! Will other package bumps that both admin and utils depend on lead to this situation? There are several that the two projects have that need to stay in sync when doing dep bumps.
Yup, it's possible that we'll hit this problem with other products if you're using Poetry to manage the dependencies.
Description
We can backport some changes from GDS and their improved way of doing package management.
CDS documentation on patch management: https://github.com/cds-snc/platform-sre-security-support/wiki/Patch-management
Please look at this thread for discussion:
https://gcdigital.slack.com/archives/CV38DBNVA/p1652794882038499
GDS has introduced some improvements by using pip-tools and pyup that we can also replicate. These would allow for transitive dependencies traces.
There is also Poetry, which could be an option instead of pip-tools / pyup. To evaluate and consider.
Acceptance Criteria
Explore in the ADR the following items:
`requirements-app.txt` / `make freeze-requirements` approach.
QA
Additional Context
The current Notify setup makes use of a Make target named `freeze-requirements`. This is an in-house GDS target to resolve transitive dependencies based on an intake and desired list of dependencies. The intake currently sits as the `requirements-app.txt` file while the resolved dependencies will get resolved as the `requirements.txt` file, sitting at the root of the project. With the new changes in, the dependency intake would actually be in a `pyproject.toml` file instead and the resolved dependencies are stored in the `poetry.lock` file.
The pyup tool most likely would not be adopted as we have similar tooling (Renovate) that detects vulnerabilities and automatically opens PRs with potential fixes and Renovate natively supports Poetry. We might want to check if that offers anything new... but also, this might conflict with new solutions being brought in by the SRE team (ask @mohamed-cds ).
The Poetry tool seems quite mature and we instill best practices.
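The "transitive dependency trace comments" mentioned in the Renovate research comment, and the intake-to-resolved flow of `make freeze-requirements` described above, both come down to the `# via` annotations that pip-compile writes next to each pin. The script below is an added example, not code from the Notify, GDS or CDS repositories: it parses a pip-compile style `requirements.txt`, walks each pin back to the intake file, and flags pins that no chain reaches (a hand-appended or stale line that the resolver did not produce). The sample file, the package versions and the hash values are constructed placeholders; `requirements-app.txt` is the intake name from the issue, and the chain output is an example-only format.

```python
import re
from typing import Dict, List

# Constructed sample of pip-compile output (not the Notify repository's
# requirements.txt). Versions are illustrative and hashes are placeholders.
# The final pin, six, has no "# via" annotation: it stands in for a line
# someone appended by hand, bypassing the intake file.
SAMPLE_REQUIREMENTS = """\
#
# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
#    pip-compile --generate-hashes --output-file=requirements.txt requirements-app.txt
#
certifi==2023.7.22 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
    # via requests
charset-normalizer==3.2.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
    # via requests
idna==3.4 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
    # via requests
requests==2.31.0 \\
    --hash=sha256:3333333333333333333333333333333333333333333333333333333333333333
    # via
    #   -r requirements-app.txt
    #   responses
responses==0.23.3 \\
    --hash=sha256:4444444444444444444444444444444444444444444444444444444444444444
    # via -r requirements-app.txt
urllib3==2.0.4 \\
    --hash=sha256:5555555555555555555555555555555555555555555555555555555555555555
    # via requests
six==1.16.0 \\
    --hash=sha256:6666666666666666666666666666666666666666666666666666666666666666
"""

# "name==version" (optional extras), stopping before hash continuations.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([^\s\\]+)")
# Single-line form "    # via requests" or the opener "    # via" of the multi-line form.
VIA_RE = re.compile(r"^\s+#\s+via\b\s*(.*)$")
# Continuation lines of the multi-line form: "    #   responses".
VIA_CONT_RE = re.compile(r"^\s+#\s{2,}(\S.*)$")


def parse_pip_compile(text: str) -> Dict[str, dict]:
    """Parse pip-compile output into {package: {"version": str, "via": [sources]}}.

    Each "via" entry is written exactly as pip-compile emitted it: another
    package name, or an input-file marker such as "-r requirements-app.txt".
    """
    pins: Dict[str, dict] = {}
    current = None
    in_via = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        pin = PIN_RE.match(raw)
        if pin:
            current = pin.group(1).lower()
            pins[current] = {"version": pin.group(2), "via": []}
            in_via = False
            continue
        if current is None or raw.strip().startswith("--hash="):
            continue  # file header, or a --hash continuation line
        via = VIA_RE.match(raw)
        if via:
            in_via = True
            if via.group(1).strip():
                pins[current]["via"].append(via.group(1).strip())
            continue
        cont = VIA_CONT_RE.match(raw) if in_via else None
        if cont:
            pins[current]["via"].append(cont.group(1).strip())
    return pins


def trace(pins: Dict[str, dict], package: str, intake: str = "requirements-app.txt") -> List[List[str]]:
    """Every chain from `package` back to the intake file, in file order,
    e.g. ["certifi", "requests", "requirements-app.txt"]. Empty if none."""
    marker = f"-r {intake}"
    chains: List[List[str]] = []

    def walk(name: str, path: List[str]) -> None:
        if name in path or name not in pins:  # cycle guard / unknown source
            return
        for source in pins[name]["via"]:
            if source == marker:
                chains.append(path + [name, intake])
            elif source.startswith(("-r ", "-c ")):
                continue  # some other input or constraint file, not our intake
            else:
                walk(source.lower(), path + [name])

    walk(package.lower(), [])
    return chains


def direct_requirements(pins: Dict[str, dict], intake: str = "requirements-app.txt") -> List[str]:
    """Packages the intake file asks for directly (pip-compile marks them with -r)."""
    return sorted(p for p, info in pins.items() if f"-r {intake}" in info["via"])


def untraced_pins(pins: Dict[str, dict], intake: str = "requirements-app.txt") -> List[str]:
    """Pins no chain connects to the intake: lines the resolver did not produce."""
    return sorted(p for p in pins if not trace(pins, p, intake))


if __name__ == "__main__":
    resolved = parse_pip_compile(SAMPLE_REQUIREMENTS)
    print("direct:", direct_requirements(resolved))
    for chain in trace(resolved, "certifi"):
        print(" -> ".join(chain))
    print("untraced:", untraced_pins(resolved))
```

Running `untraced_pins` in CI against the committed `requirements.txt` is the cheap check that the file really is the output of the freeze step and not a hand-edited copy; a Poetry migration replaces the parser input with `poetry.lock`, but the question being answered (why is this package pinned, and who asked for it) stays the same.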