
Let dependabot auto-update docker for release 3.4 & 3.5. #17613

Merged: 1 commit, Mar 21, 2024

Conversation

liangyuanpeng
Contributor

@liangyuanpeng liangyuanpeng commented Mar 19, 2024

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

Now we will automatically upgrade the docker image in the main branch, let's treat release-3.4 and release-3.5 similarly

Related:

@k8s-ci-robot

Hi @liangyuanpeng. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liangyuanpeng
Contributor Author

/cc @jmhbnz

@k8s-ci-robot k8s-ci-robot requested a review from jmhbnz March 19, 2024 02:19
@jmhbnz
Member

jmhbnz commented Mar 19, 2024

/ok-to-test

Member

@jmhbnz jmhbnz left a comment


LGTM - Thanks @liangyuanpeng

Based on my understanding of target-branch dependabot will scan main, detect an update is possible, and then raise a pull request against all three branches which seems like a good approach.

If dependabot is scanning main but opening PRs against release-3.5, I am not sure how it will figure out that there are actually 4x Dockerfiles in release-3.5 etc. to update, but let's give it a try and see what happens.

@liangyuanpeng
Contributor Author

If dependabot is scanning main but opening PRs against release-3.5, I am not sure how it will figure out that there are actually 4x Dockerfiles in release-3.5 etc. to update, but let's give it a try and see what happens.

@jmhbnz Thanks for your quick reply.
I have verified in my fork repo, and I think I forgot to put the test link here. The dependabot will create the PR for release-3.4 and release-3.5.

check:

@jmhbnz
Member

jmhbnz commented Mar 19, 2024

I have verified in my fork repo, and I think I forgot to put the test link here. The dependabot will create the PR for release-3.4 and release-3.5.

Brilliant, those PRs look perfect, thanks!

@jmhbnz jmhbnz mentioned this pull request Mar 19, 2024
@ahrtr
Member

ahrtr commented Mar 19, 2024

I am not sure whether or not it's a good practice to always automatically bump to the latest version for the stable releases. Probably not. Usually we only bump dependencies for stable releases when there are any CVEs or critical/major bug fixes. The same for base image?

We can let this PR in, but I think we do need to figure out a best practice to bump the base image for the stable releases.

@jmhbnz
Member

jmhbnz commented Mar 19, 2024

I am not sure whether or not it's a good practice to always automatically bump to the latest version for the stable releases. Probably not. Usually we only bump dependencies for stable releases when there are any CVEs or critical/major bug fixes. The same for base image?

Good question - Historically we always used latest for image tag which meant our stable releases were always using latest image versions when releases were published. This pull request reduces manual effort for backports to keep using up to date base images, while still retaining reproducible builds via image digests so I think the pr is still a good idea.

@ahrtr
Member

ahrtr commented Mar 19, 2024

No strong opinion.

A temporary compromise solution I can think of is to bump the base image version for stable releases monthly instead of weekly; at least we have a longer time to verify the base image in the workflow before each patch release.

Signed-off-by: Lan Liang <gcslyp@gmail.com>
@liangyuanpeng liangyuanpeng force-pushed the autoupdate_docker_release branch from 178f409 to 5620268 on March 20, 2024 00:34
@liangyuanpeng
Contributor Author

Usually we only bump dependencies for stable releases when there are any CVEs or critical/major bug fixes. The same for base image?

Makes sense. This PR #17600 does not have any CVE problem in the base image.
If there is no CVE problem in the base image, then whether to upgrade the base image of the release branch depends on the release team. If the answer is no, then closing the dependabot PR is enough.

stable releases monthly instead of weekly,

Updated.
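The shape of configuration the thread converges on, written out as an added example rather than the diff of this PR (which is not reproduced on this page): docker updates on the default branch plus separate entries that target `release-3.4` and `release-3.5` on a monthly cadence. The `directory` values, the labels and the weekly interval for `main` are assumptions; etcd's actual Dockerfile locations and existing schedule are not given here.

```yaml
# Added example of .github/dependabot.yml (not the PR's own change).
# Every directory below is a placeholder; the page does not list the
# repository's Dockerfile locations.
version: 2
updates:
  # Default branch: assumed weekly cadence (not stated on this page).
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # Stable branch release-3.5: open PRs against that branch, monthly,
  # per the compromise proposed in the discussion.
  - package-ecosystem: "docker"
    directory: "/"
    target-branch: "release-3.5"
    schedule:
      interval: "monthly"
    labels:
      - "dependencies"
      - "docker"

  # Stable branch release-3.4: same cadence.
  - package-ecosystem: "docker"
    directory: "/"
    target-branch: "release-3.4"
    schedule:
      interval: "monthly"
    labels:
      - "dependencies"
      - "docker"
```

Two practical notes. Per GitHub's documentation, `target-branch` tells Dependabot both where to look for the manifests (here, the Dockerfiles) and where to open the PR, so each release branch is checked for its own Dockerfiles rather than inheriting main's. And because the Dockerfiles pin by digest, a bump PR on a stable branch changes a recorded digest that reviewers can verify against the upstream image; the monthly interval simply widens the window for that verification before a patch release, and declining a bump remains as simple as closing the PR.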

Member

@ahrtr ahrtr left a comment


lgtm

Thanks

@serathius serathius merged commit b2e15d6 into etcd-io:main Mar 21, 2024
39 checks passed
@jmhbnz jmhbnz mentioned this pull request Mar 21, 2024
5 participants