pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
[pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
6+ messages / 3 participants
* [pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
@ 2026-05-25 10:40 "vlsi (@vlsi)" <[email protected]>
0 siblings, 0 replies; 6+ messages in thread
From: vlsi (@vlsi) @ 2026-05-25 10:40 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
We have quite a few dependencies, and I believe we can enable automatic merge for certain dependencies provided the tests pass.
For example: `actions/*`, `github/*`. We trust GitHub anyways, so there's nothing to review in `actions/*` changes. Even though the updates are not frequent, even "click-approve" for `actions/checkout` steals maintainers' time.
I have not explored the full list of "trusted dependency vendors", however, even `actions/*` and `github/*` would be helpful.
For GitHub-provided actions, we could even group the updates so Renovate creates a single PR instead of creating separate PRs for `actions/cache` and `actions/setup-java`.
Any thoughts?
* Re: [pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
@ 2026-05-26 14:45 ` "sehrope (@sehrope)" <[email protected]>
4 siblings, 0 replies; 6+ messages in thread
From: sehrope (@sehrope) @ 2026-05-26 14:45 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
I don't want anything automatically being merged. There should always be a manual review step. It's fine to group things together to minimize PR spam and consolidate the updates, but there should always be an actual review in the path.
If the number of updates is too many to keep up with, maybe we simplify the repo itself. For example, in the past 24 hours you have 20+ PRs to update various Gradle plugins. And I have no clue what changed in any of them.
A lot of these we don't even need to update. Staying up to date with things is helpful when finally migrating to a new version. But there's no reason we need to be on the bleeding edge for any of these. It's just busy work to keep updating them. If they were working fine and there's no inherent security issue, what did we even gain from updating them so frequently?
* Re: [pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
@ 2026-05-26 14:47 ` "sehrope (@sehrope)" <[email protected]>
4 siblings, 0 replies; 6+ messages in thread
From: sehrope (@sehrope) @ 2026-05-26 14:47 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
For example: https://github.com/pgjdbc/pgjdbc/pull/4107
What changed in these plugin versions and why do we care about bumping to the latest?
* Re: [pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
@ 2026-05-26 14:55 ` "vlsi (@vlsi)" <[email protected]>
4 siblings, 0 replies; 6+ messages in thread
From: vlsi (@vlsi) @ 2026-05-26 14:55 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
For example, https://github.com/vlsi/vlsi-release-plugins/pull/145 was fixed in 3.0.0
Previously, build failure could be printed several times (each subproject printed the same failure exception rather than printing at the end of the build only).
I agree it would be worth reducing dependencies; however, we can't really avoid `actions/checkout` and `actions/setup-java`.
What are the concrete review steps you expect to have when updating those?
* Re: [pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
@ 2026-05-26 15:25 ` "davecramer (@davecramer)" <[email protected]>
4 siblings, 0 replies; 6+ messages in thread
From: davecramer (@davecramer) @ 2026-05-26 15:25 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
It seems to me that if the number of reviews are so numerous that we now
want to automate this, then perhaps we have too many dependencies.
Dave Cramer
On Tue, 26 May 2026 at 10:55, Vladimir Sitnikov ***@***.***>
wrote:
> *vlsi* left a comment (pgjdbc/pgjdbc#4099)
> <https://github.com/pgjdbc/pgjdbc/issues/4099#issuecomment-4545301107>
>
> For example, vlsi/vlsi-release-plugins#145
> <https://github.com/vlsi/vlsi-release-plugins/pull/145> was fixed in 3.0.0
> Previously, build failure could be printed several times (each subproject
> printed the same failure exception rather than printing at the end of the
> build only).
>
> I agree it would be worth reducing dependencies; however, we can't really
> avoid actions/checkout and actions/setup-java.
> What are the concrete review steps you expect to have when updating those?
* Re: [pgjdbc/pgjdbc] issue #4099: Configuration suggestion: automerge for `actions/*`, `github/*`, `org.ow2.asm`,
@ 2026-05-26 15:47 ` "vlsi (@vlsi)" <[email protected]>
4 siblings, 0 replies; 6+ messages in thread
From: vlsi (@vlsi) @ 2026-05-26 15:47 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
Dave, would you please clarify the way to drop `actions/checkout`, `actions/setup-java`, `actions/upload-artifact`, `actions/github-script`, `actions/deploy-pages`, `actions/configure-pages`, `github/codeql-action/init`, `github/codeql-action/analyze`, `github/codeql-action/upload-sarif` dependencies?
They are test-only dependencies, which we need to update sooner or later as well. I do not think we can remove a lot of dependencies.