Shields: Greenkeeper does not update package-lock.json

Created on 3 Jan 2018 · 21 comments · Source: badges/shields

Labels: bug, developer-experience

All 21 comments

greenkeeper-lockfile is supposed to handle this, though I guess it's not working correctly.

Shouldn't you bring that up at https://github.com/greenkeeperio/greenkeeper instead @platan?

Either greenkeeper (greenkeeper-lockfile) does not work or we are using it incorrectly (bad configuration). Greenkeeper was introduced when we were using Travis CI. Now we have Circle CI.

Just noticed this is on file upstream: greenkeeperio/greenkeeper-lockfile#58

I think we can close this issue. Greenkeeper updated package-lock.json in the latest PRs, e.g. https://github.com/badges/shields/pull/1716

no - this is still an issue. I updated the lockfile locally on those PRs and pushed the extra commits to the greenkeeper branches

@chris48s oh, my bad, I overlooked your commit. Thank you!

This is super frustrating! Given @jasonLaster's solution in https://github.com/greenkeeperio/greenkeeper-lockfile/compare/master...jasonLaster:master (see greenkeeperio/greenkeeper-lockfile#58) I'm not sure why the fix from #1562 did not solve the problem.

@chris48s How much work do you want to put into fixing this? Shall we go ahead and fork greenkeeper-lockfile in the badges org, build and test a workable solution, and try to get it merged upstream?

It's one of those paper-cut bugs, isn't it.
If you're enthusiastic about shaving this particular yak, go for it. Manually updating the package-lock as part of the review isn't the end of the world. At least it means we know someone had to install the package locally before clicking the 'approve' button ;)

Yea, it's irritating without having an easy fix.

Honestly I'm not so enthused. Though maybe there's a workaround? This is a CircleCI issue. Weren't we talking about adding Travis for code coverage reasons? Maybe we should add Travis for Greenkeeper, as silly as that might sound…

Another option might be to switch out greenkeeper for something else that does roughly the same job like dependabot and see if that is more compatible with Circle CI?

Yea, a good idea. Either of those sounds fine to me.

Been having some great luck with Dependabot lately.

Agreed. I've tried out dependabot on a couple of other projects and I'm fairly convinced that dropping greenkeeper for dependabot is a good call here. It deals with updating your package-lock outside of CI so should abstract this whole issue. It also auto-resolves merge conflicts on the lock file (or attempts to) and some other nice stuff.

Switching to dependabot will probably result in more noise/review overhead as it will submit a PR for every patch version (although we can configure particular packages to auto-merge if the tests pass - this might be a useful option for some stuff like testing-related dev tooling), however I think this approach is more correct for projects like this that use a lockfile. Greenkeeper is more targeted to libraries.

In terms of getting it done, I'm happy to submit a PR to remove the greenkeeper-lockfile stuff from the CI build, but if I log into greenkeeper or dependabot, I don't think I can add or remove either of them because I'm a repo collaborator not an organisation member so someone else probably needs to do that bit.

I don't have enough access on the org to install Dependabot, which I think requires owner permission on the org. I can't make you a member, either, for the same reason. Though it looks like, as an admin on the repo, I can remove Greenkeeper.

I've emailed @espadrine asking him for access.

Huh, that's not normal. I thought you had the same access I have.

In https://github.com/orgs/badges/teams/shields/members (a team with the highest rights, Admin), I see both of us labeled "maintainer".

Do you have an error message that could help me give you the same access?

Can you try again? I made you owner of https://github.com/orgs/badges/people. I don't know if it should change anything; I thought GitHub switched to team-based access management to make that irrelevant. GitHub rights confuse me!

It worked! Thank you!

Okay, so Dependabot is turned on and Greenkeeper is turned off. I've also updated your access to the organization @platan @PyvesB @RedSparr0w @chris48s.

We'll probably have some cleanup to do, though let's close this issue out since it is now fixed.

Yep - that seems to have done the job :) Now that we've enabled dependabot, it will submit PRs bumping our dependencies to the latest release (capped to a max of 5 per day), so there will be some overhead of reviewing dependency bump PRs until everything is pinned to the latest version. It is updating the lockfile though.
