add upgrade gcp bom workflow#38711
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a new utility script designed to automate the monitoring of Google Cloud Platform libraries BOM versions. By comparing the latest available version from Maven Central against the version currently defined in the project's Gradle configuration, the script provides a mechanism to trigger alerts or workflows when an upgrade is required. Highlights
New Features🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request introduces a new Python script, gcp_bom_upgrade_check.py, designed to compare the latest Google Cloud Platform libraries BOM version from Maven Central with the version currently defined in the project's Gradle build configuration. The review comments point out several opportunities to improve the script's robustness: adding a timeout to the network request to prevent hanging, resolving the file path dynamically to allow execution from directories other than the repository root, and parsing version strings more defensively to handle non-integer suffixes safely.
|
assign set of reviewers |
|
Assigning reviewers: R: @Abacn for label build. Note: If you would like to opt out of this review, comment Available commands:
The PR bot will only process comments in the main thread (not review comments). |
|
Reminder, please take a look at this pr: @Abacn |
|
This is currently handled by release manager as a post-release task Based on my experience there is a half-half probability the tool needs modification each time it's invoked therefore I personally thought maintain an automated workflow might not worth it |
It reduces the toil of running the tool and creating a PR etc. If all tests pass great, but if something doesn't work, then modifications should be minor but the user doesn't need to run the tool etc. The tool itself needs modification? Thoughts? Thanks. |
maintainer need to go to workflow page, check log to get information. I feel it's same or mouse click than click https://mvnrepository.com/artifact/com.google.cloud/libraries-bom manually sorry, I see there are following steps in github action yaml |
|
Reminder, please take a look at this pr: @Abacn |
damccorm
left a comment
There was a problem hiding this comment.
What are next steps here @Abacn @derrickaw ?
|
|
||
| should_upgrade = to_tuple(latest) > to_tuple(current) | ||
|
|
||
| github_output = os.getenv('GITHUB_OUTPUT') |
There was a problem hiding this comment.
Rather than being an output, should this just run as part of the main bomupgrader script (optionally)?
|
Assigning new set of reviewers because Pr has gone too long without review. If you would like to opt out of this review, comment R: @damccorm for label build. Available commands:
|
|
waiting on author |
|
|
||
| on: | ||
| schedule: | ||
| - cron: "0 0 * * 0" # Weekly on Sundays at 00:00 UTC |
There was a problem hiding this comment.
Today we only update this right after releases - https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-the-java-bom - this is somewhat intentional since BOM upgrades tend to be:
- Higher risk
- Lower urgency (rarely are features blocked on this)
I think we probably want to keep this behavior.
We could probably do something like what we do for Python dependencies - https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-python-dependencies
At that point, we'd need to:
- Add logic like to this file
- Update the release guide to have instructions similar to https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-python-dependencies
There was a problem hiding this comment.
Today we only update this right after releases - https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-the-java-bom - this is somewhat intentional since BOM upgrades tend to be:
- Higher risk
- Lower urgency (rarely are features blocked on this)
I think we probably want to keep this behavior.
I knew about the timing, but if I understand the flow of things some package versions that have vulnerabilities are dependent on this BOM being updated. So the main drivers for this workflow are consistently having a weekly upgrade to minimize vulnerabilities, having a process in place so that we don't forget to do the upgrade, and having a workflow if we wanted to at any given point in time just run it and have a new PR ready to go without having to do anything locally.
I will go in the direction you suggest below, but I think in the future we should consider completing this upgrade more often.
We could probably do something like what we do for Python dependencies - https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-python-dependencies
At that point, we'd need to:
- Add logic like
to this file- Update the release guide to have instructions similar to https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-python-dependencies
Ok, updated. Thanks.
Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:
addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, commentfixes #<ISSUE NUMBER>instead.CHANGES.mdwith noteworthy changes.See the Contributor Guide for more tips on how to make review process smoother.
To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md
GitHub Actions Tests Status (on master branch)
See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.