I'm not sure if my use case is one dependabot is suited for, so hoping someone can tell me if it is or is not, and if it is, point me to some documentation on how to do what I'm describing:
I want to create workflow that:
runs dependabot scan on each developer pull request
dependabot only reports on newly introduced or updated
dependencies
pull request is blocked by any new dependencies with
vulnerabilities of medium or higher
dependabot does not create PR as a result of a PR scan
Is this possible?
This is possible with the dependency review action: https://github.com/actions/dependency-review-action
Seems the answer is no, dependabot cannot do this.
A colleague found this information:
"Dependabot alerts will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date."
At this location:
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
And github has, on their roadmap, the ability to block pull requests that introduce vulnerable dependencies:
https://github.com/github/roadmap/issues/149
Is it a good policy to automate source control commits following successful builds?
Edit: I'm asking because I want more frequent, incremental commits between versions that make it easier to find the point where a bug was introduced than rolling back 2K+ new lines of code between v1.0 and v1.1.
No. A successful build does not imply a successful code change. Do you never test your code? IF you had some sort of automated unit testing, I could understand the question (although I would still recommend against it - I would not consider a code change tested until you verified its functionality yourself). But an automated commit after a successful build - not if you like your team mates, or if they have access to weapons.
No. Where would the meaningful commit messages come from? And the references to issue tracker items? How is the automated process supposed to know that a particular bit of work is complete?
With such a process in place, your repository would degrade to a glorified IDE undo buffer.
Later this year I want to release a PHP framework that I've been working on as open source. I do use source control (SVN), but it's on an extremely limited basis. I'm self-taught, I develop by myself and don't have the experience of working with large teams. I have some ideas about what can help make a project successful, but I'm fuzzy on some of the details. Since it's not yet released, I want to do everything I can to set up the right infrastructure from the beginning. What do I need to know in order to setup and manage a successful project?
Some ideas that I have to make it successful (beyond marketing it):
Good documentation and tutorials
Automated unit tests and builds to
push update to the website
A clear roadmap
Bug Tracking integrated with the
source control
A style guide to keep the code
consistent
A forum for the community to get
support, share ideas, etc.
A good example application built with
the framework
A blog to keep the community informed
Maintaining backwards compatibility
wherever possible
Some of my questions:
How do I setup and automate a one
step submit-test-commit-generate API
docs-push update to website process? Edit: Would Ant or Maven be good candidates for this? If so, do you know of any resources for setting up a PHP project using them?
How do I handle (technically)
submissions from other users? How can
I ensure that those submissions must
be approved before being integrated?
What are some of the pitfalls that
can be avoided in terms of the
project community? I'd prefer to have
it be as friendly and helpful as
possible without a lot of drama.
I'd love to learn from your experience on any of these points. If you think I'm missing anything big, please share that as well. Any resources (preferably geared toward a beginner) that you could point me towards would also be greatly appreciated.
I'm just getting started in community projects, but I'll give you some advice on what I know.
How do I setup and automate a one step submit-test-commit-generate API docs-push update to website process?
I've never implemented it as one process. You could just have a checklist, and possibly even create some scripts to do certain tasks. I've never worked with any source control that automates the uploading and such to be done by a script. Most of the time, there is some web interaction to be involved.
You don't want to push API changes until it's an official release.
EDIT: Working Environment
For PHP, most of the time, I either edit directly on the server and test it there, using a beta.example.com, or similar, before pushing to example.com. You could also set up an web environment on your home PC (using XAMPP for Windows, or the standard LAMP installation on Linux). You would probably just use a mirror of your repository here, so you'd do svn commit, or whichever is appropriate for the VCS or DVCS you choose.
The fun part is testing this with different PHP versions. I've not done this myself, but you could probably use a .htaccess file to run a different PHP binary in order to test it out. I'm not really sure what the best option is for this is.
I've not done much with API, as I've never created a library, but just doing a quick search I found http://www.phpdoc.org/. It looks like a mature project, so that might be a starting point.
As far as creating releases go, I generally create a script that only includes the files that are part of the distribution (it will filter out any VCS files, and anything that you don't want in the distributed file). You could write a script around find on linux (which is what I do most of the time), or there may be other better options.
How do I handle (technically) submissions from other users? How can I ensure that those submissions must be approved before being integrated?
This is mostly handled by the bug tracker, and limited access in the Version Control System. Usually, you, and the people you allow, can commit to the VCS. Other users can submit patches, but then you might have someone review the patch, test the patch, and commit. You could split these tasks up as a team, or assign a patch to one person and have them do it all.
What are some of the pitfalls that can be avoided in terms of the project community? I'd prefer to have it be as friendly and helpful as possible without a lot of drama.
I would just make sure to keep it as positive as possible with the project members and community. There's going to be some disagreements, and it will drive a few people away, but as long as you have a stable product that meets the needs of most people, I think that's all that anyone can expect.
One minor suggestion that's worked well for me: start using first-person plural pronouns, rather than singular ones. That is, talk about "we" and "us" rather than "I" and "me." It encourages other people to participate when they feel like part of team, rather than when they feel like they're contributing your own self-aggrandizement.
The most important thing you have to do is to attract users. Without users, you won't get any contributions and developers helping you out. Because developers are users first, and then they decide to extend/fix something they use and might become contributors.
So to get users, you should consider
describe what your framework does in one or two sentences at the top of your project page
mention how your framework can be used and for what, what situations it is most useful for
add a lot of examples on how to use it
mention whether your framework is stable, beta or alpha. That's important because user need to know that before they start using it
also mention whether you want to keep improving it and keep working on it - most users don't want to use a framework that's abandoned (also keep in mind that a lot of users check your commits to see whether you really are working on it - if your last commit to the repository was months ago then you're not really working on it, so cheating isn't possible)
If you got all this, and people start submitting patches, you can use a patch tool to apply those to your source. Depending on your version control system, you can either use the GNU patch, a diff/patch tool that comes with your version control or maybe even a GUI tool that helps you with this. SVN doesn't have a patch tool (yet), but 'svn diff' will create a patchfile which you can then apply with the GNU patch tool, or in case you're using TortoiseSVN, right-drag the patchfile to your working copy and have TortoiseMerge apply it for you.
And on how to best deal with the community:
answer questions in time, don't wait more than two or three days to answer questions
try to be nice, even with upset and angry people. Only if they keep bothering tell them to (still in a nice way if possible) go elsewhere
always keep discussions about the project on a mailing list. You don't want to repeat the same discussions over and over again - if you have a mailing list, just point users to the archives before the discussion starts all over again
And you should watch the talk "How Open Source Projects Survive Poisonous People (And You Can Too)" - it's really good and tells you a lot on how to deal not just with 'poisonous people' but also how to deal with all people involved in your project.
I'd like to add that you should make it as easy as possible for your users to get the whole thing running and modify the code - these 'power users' can be 'converted' into developers or at least people who send smaller patches.
Don't try to do it all yourself - for open source projects there are several hosting providers that solve most of the problems. I recommend codeplex or google code.
Setting up build scripts will depend a certain amount on what platform you set up, but in general it's easy to add any tool you want into the script once you start using any sort of build script.
If you really need the one step process you describe, you need a build server. I use TeamCity, which I have set up to watch for any changes in svn and trigger build/test whenever something is checked in. The build server will generally be able to perform any steps that you put into the build script.
Read up on Git as an alternative to SVN
free public repository/bug tracker/wiki/fork-enabled community in Github (which hosts symfony and PHPUnit amongst others)
"How do I handle (technically) submissions from other users? How can I ensure that those submissions must be approved before being integrated?" - with Git, pull what you/your closest team finds most interesting to the master branch
Consistent API
be inspired of other public API:s
only change in major versions
guessable
Interesting for both users & developers
clear goal (your roadmap - excellent)
useful, contra everything else available
easy to use, but still not easy-enough-to-write/maintain-yourself
You could check out either Ant or Phing to build your project. Include CodeSniffer in the build and you'll save time checking for basic formatting errors/differences.
These are all technical tips, about the soft part... treat humans with respect, a lot of interest and be overly excited about their contributions and make them feel that they're not wasting their time. That would appeal to me.
Take a look at Karl Fogel's book on Producing Open Source Software. It probably has everything that you asked.
You should also plan for engaging the community. I'd recommend reading Jono Bacon's The Art of Community [http://www.artofcommunityonline.org/].
You have a great set of ideas to start. You might have to start by trimming them down! Ask yourself what's necessary for a first release.
For automating the builds and tests, the scripting can be done with ant, maven or phing for PHP projects.
You'll probably need a host so you can demo the product. For PHP that is pretty easy to find.
You need an open source hosting provider-- especially github (but also google code, source forge, etc). Github provides bug tracking, default licenses, blog and great mechanisms for accepting changes from the community. Built on git, it facilitates distributed projects quite well.
Although it's good to have a one-step build and install in place, automating integration of others changes probably isn't important (or desirable) off the bat.
Good luck!
Does Mercurial offer any type of extensions that offer functionality similar to TFS's work items that when you check in changes that you can associate them to features/defects?
If there isn't much (or any) support for this, how do you handle ALM using Mercurial?
What you may be looking for is called a distributed bugtracker. There is a number of those available on top of that or another dvcs.
I've come across a couple of links:
Bugs Everywhere
DisTract
Distributed bug tracking
there is the Bugzilla extension but this isn't quite what you want out of the box i think? it may be a good starting point though if you want to write your own extension/hooks to do exactly what you want
if you want to pay money cash then there is fogbugz and kiln
I think that your best shot here is so far to add it yourself by using the hooks feature in Mercurial.
I've been looking at this for our in-house installation of TargetProcess. You can find more at this post which I've found in my own search for this: http://mattadamson.blogspot.com/2009/11/building-mercurial-external-hook-to.html
This should be feasible as long as your system for handling features/defects offer an API for manipulating its data.
You can check it out from this wikipedia, and go to "Revision Control System Integration" section which is at the end of the wiki.
I think your question should be what issue tracking systems can integrate with mercurial, not the way around since mercurial is just a source control system. Famous free issue tracking system like BugTracker.NET, Bugzilla, Redmine, Trac are all supporting mercurial integration, which means you can integrate your mercurial repository with them to keep track of your changes etc.
I stumbled upon this project : http://hgtfshook.codeplex.com/documentation
Am about to try it myself.
You can try the Artemis extension which is a lightweight issue tracking that handles each issue as an email thread, storing them in the same repository. It's easy to install, just download it and add one line to your .hgrc file. To add or modify an issue, just type hg iadd. I personally found it easy and simple to use. It's missing a web interface, though.
Does anyone have a nice example of integration between HelpSpot and Fogbugz?
We're using HelpSpot as our customer facing software and ticket management, and then if a developer needs to work on a ticket the data will be pushed to Fogbugz.
Obviously we can use the Fogbugz push API that Userscape provides, but this only allows you to specify the title of the incident in Fogbugz. Ideally I want to share title, assigned to, category and status in a two-way integration.
Do most people just use emails between the two programs, or has anyone come across a nice third party app?
Thanks in advance!
I think you might get better help with this on the dedicated FogBugz StackExchange website.
The FogBugz API example in the HelpSpot docs can be modified to do what you want. What you can do is specify you're own format for the push box text. So have staff put the category on line one, a note on line 2, etc and then parse it in the FB push file and set it as needed.
For the HelpSpot --> FogBugz way: as far as I can see, the provided FogBugz push implementation is only an example which you can extend and customize to your needs.
If you look at the push function in RequestPush-FogBugz.php there are the parameters sending to FogBugz. You can set additional data in here (request attributes are specified in the HelpSpot documentation and FogBugz fields are specified in the FogBugz API documentation).
Of course you have to provide the mapping between users and other metadata (or e.g. use the exactly same usernames in FogBugz and HelpSpot).