Stream: coq-community devs & users

Topic: Dependency graph submission API


Théo Zimmermann (Sep 28 2022 at 06:46):

https://github.blog/changelog/2022-06-17-dependency-graph-has-a-rest-api-for-submitting-dependencies-detected-at-build-time/

I wonder if it would be worth adding support for dependency detection and submission to Docker-Coq-Action.

Guillaume Melquiond (Sep 28 2022 at 06:50):

I don't follow. Isn't that just Opam support? Is there something specific about the supply chain of Coq?

Théo Zimmermann (Sep 28 2022 at 06:57):

Nothing specific, or at least, I don't have it in mind, but in this blog post they provide an example of using this API from a GitHub Action for detecting Go dependencies. So, since we already have a GitHub Action for building / testing Coq projects, it could be a place to implement this dependency detection for Coq projects (reporting about opam dependencies).

Karl Palmskog (Sep 29 2022 at 13:33):

I took a look at the docs for dependency graph stuff, and from what I understand this is about exposing dependencies from many lower-level tools like opam as part of the GitHub web API. From there, dependencies can be consumed by a variety of tools, for example, one can automatically draw a nice repo dep graph without looking at .opam files

Karl Palmskog (Sep 29 2022 at 13:35):

right now, our best approximation of the Coq ecosystem dependency graph would have to come from parsing a bunch of .opam files in the Coq opam repo, which is imprecise/outdated

Théo Zimmermann (Sep 29 2022 at 17:18):

Instead of parsing and getting an approximate result, what about parsing the output of the opam install command from within the Docker-Coq-Action build process?

Karl Palmskog (Sep 29 2022 at 17:30):

ah, I meant approximate in the sense of: we can take a snapshot of the packages in the Coq opam archive, and read their dependencies from the .opam files in that snapshot. This won't cover upstream changes.

Karl Palmskog (Sep 29 2022 at 17:31):

doing something like parsing output of opam install and submitting to GitHub would be more accurate since it's in-repo, but one could also just parse the actual .opam file that's being processed in the repo in CI

Théo Zimmermann (Sep 29 2022 at 17:36):

Yes, it depends on whether we want just direct dependencies or transitive dependencies as well.

Karl Palmskog (Sep 29 2022 at 17:45):

normally, one would want the direct dependencies, I think


Last updated: Feb 04 2023 at 01:03 UTC