[PF-2987] Add dependabot for 3rd party library upgrades, remove lockfiles and spotbugs #115
Conversation
cahrens
requested review from
a team,
nmalfroy and
jsotobroad
and removed request for
a team
| @@ -1,140 +0,0 @@ | |||
| # This is a Gradle generated file for dependency locking. | |||
There was a problem hiding this comment.
not that I"m complaining but why the removal of hte .lockfiles?
There was a problem hiding this comment.
We've been removing lockfiles in all of our repos to make dependency upgrades easier.
| timezone: "America/New_York" | ||
| target-branch: "develop" | ||
| reviewers: | ||
| - "@DataBiosphere/platform-foundation-codeowners" |
There was a problem hiding this comment.
just double checking that these reviewers are the group we want for this (out of ignorance on my part 😬)
There was a problem hiding this comment.
Yes, we talked about this today at the "round table" meeting. It might not be the perfect group for reviews, but we don't wish to maintain a second group.
cahrens
changed the title
|
I don't understand why this isn't kicking off any tests (given the source code changes). |
|
It looks like tests are not triggered on commits. I am putting this PR into draft until we get unit tests running. |
| import org.apache.commons.lang3.ClassUtils; | ||
| import org.apache.commons.lang3.StringUtils; | ||
| import org.apache.commons.lang3.tuple.ImmutablePair; | ||
| import org.apache.commons.lang3.tuple.Pair; | ||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
| import org.springframework.lang.Nullable; |
There was a problem hiding this comment.
javax.annotation.Nullable was coming from spotbugs (https://www.javadoc.io/doc/com.google.code.findbugs/jsr305/latest/javax/annotation/Nullable.html).
There seem to be lots of options for @nullable, so I went with a package that was already available with our current dependencies. We do use this package in some of our other repos. https://github.com/search?q=org%3ADataBiosphere%20org.springframework.lang.Nullable&type=code
There was a problem hiding this comment.
I think a better fix would be to use jakarta.annotation.Nullable, as it doesn't require a framework dependency.
There was a problem hiding this comment.
It didn't seem that was available with our current dependencies/framework, but perhaps IntelliJ was lying to me?
There was a problem hiding this comment.
Yes, it might need an additional dependency like https://mvnrepository.com/artifact/jakarta.annotation/jakarta.annotation-api
There was a problem hiding this comment.
Right, I started looking into adding that, but then punted since we use org.springframework.lang.Nullable in some of our other repos.
This, @jsotobroad . I agree that I could pull out the spotbugs removal, but first I'm going to reach out to infosec folks and see if we can just get sonarqube running on this repo. |
@jsotobroad , @TomConner is OK with us going ahead and removing spotbugs. So this PR is now ready for review. https://broadinstitute.slack.com/archives/CADU7L0SZ/p1709132894654009 |
|
| @@ -50,7 +48,7 @@ jobs: | |||
| cache: 'gradle' | |||
| - name: Run tests | |||
| run: ./gradlew test | |||
|
|
|||
| # TODO: Work with AppSec to get Sonar scans setup for this repo | |||
Same configuration as in terra-common-library.
Also removes lockfiles and spotbugs, similar to what we have done in our other libraries (for example, DataBiosphere/terra-common-lib#148 and DataBiosphere/terra-common-lib#147).