Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Standardize docs repos further #8

Open
eloquence opened this issue Jun 5, 2023 · 6 comments
Open

Standardize docs repos further #8

eloquence opened this issue Jun 5, 2023 · 6 comments

Comments

@eloquence
Copy link
Member

Rather than having the Dependabot mechanics replicated x number of docs repos, could we treat one as the template repo, and apply lock file updates to all the others?
@legoktm
Copy link
Member

legoktm commented Jun 6, 2023

Hmm, are you thinking like whenever Poetry.lock is modified in securedrop-dev-docs, it's manually or automatically copied to the other docs repos?

@eloquence
Copy link
Member Author

Yep exactly.

@legoktm
Copy link
Member

legoktm commented Jun 26, 2023

Here's what I'm imagining right now: we keep dependabot enabled on all repos, but only review+merge on -dev-docs, then after 2-3 days, some automation cherry-picks from -dev-docs to other docs repos so you still get commit history but review it all at once (and for review, you should be able to just diff it against -dev-docs). And dependabot-on-other-docs repos can be used for ASAP security fixes, otherwise it should automatically close once the update is applied through our automation.

@eloquence
Copy link
Member Author

That feels fairly similar to current state, now that we're up-to-date across the board. Currently I can treat one repo's PRs as "review PRs", and then rubber-stamp the other repos' identical PRs if they do indeed match.

If we don't want to trust any fully automated process to push the lockfile to target repos, one other way I could see to get additional time savings would be to rearchitect the docs repos as submodules, or use some other strategy to only have a single copy of the lockfile.

@legoktm
Copy link
Member

legoktm commented Jun 29, 2023
edited
Loading

If we don't want to trust any fully automated process to push the lockfile to target repos

Hmm. I think we could have some automated cross-checking of hashes across repositories, let me think about it a bit more.

On a slightly different tangent...is there a reason we're using sphinx-from-pypi in the first place? Versus using Debian packages (and use containers for local development)? bookworm ships with sphinx 5.3 but I didn't think there were any 6.0 features we were looking to use / depend on. We'd lose the update churn entirely while still getting security updates at the cost of not getting new features on a regular basis.

@eloquence
Copy link
Member Author

While I like the speed of the container-free local dev environment, I could certainly live with switching to a fully container-based approach and using system packages. Worth kicking around a bit at the team level I think.

If we stay with the current approach, it'd be nice to reduce/eliminate the amount of manual hash checking for every Dependabot alert across each of the repos.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@legoktm @eloquence