Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Read from dependabot.yml file #716

Open
craigta opened this issue Dec 11, 2021 · 2 comments · May be fixed by #888
Open

Read from dependabot.yml file #716

craigta opened this issue Dec 11, 2021 · 2 comments · May be fixed by #888

Comments

@craigta
Copy link

craigta commented Dec 11, 2021
edited
Loading

hi, I'm not sure where to ask the question so I'm posing here. Happy to engage wherever necessary for help

My setup is:
I have my code in Azure Devops
I'm using the docker image provided via dependabot-script
I'm running this locally for now and will integrate the docker image run into our Azure Devops setup next

My goal:
I want to run dependabot to update our nugets at the patch level, I don't want it to make updates to major/minor. I also wanted to 'slow drip' the updates -- IE: Only send in 1 or 2 to start with and I would run the script on a schedule to do this, say weekly or so to start with, and to allow individual depot to tweak this per their liking

To do this, I wanted to run dependabot and have it ignore major and minor updates and set a pull request limit. I found the dependabot.yml configuration details, but I'm having trouble with getting the dependabot-script to read from the yaml to make use of my config, which I want to be checked in per devops endpoint

I want to run the dependabot-script against other depots, with each depot defining their own configuration of things to upgrade and check

I created a folder .github and placed a dependabot.yml with these contains there:
version: 2
updates:

  • package-ecosystem: "nuget"
    schedule:
    interval: "daily"
    open-pull-requests-limit: 1
    ignore:
    • dependency-name: "*"
      update-types: ["version-update:semver-major", "version-update:semver-minor"]

Any ideas on how to get this file read, if I need to place somewhere else, or if there is another way to provide this level of config?
@rimas-kudelis
Copy link
Contributor

@craigta that documentation is for Github-native Dependabot. I don't think dependabot-native will read that file for you, just like it won't read the pre-github .dependabot/config.yml.

With dependabot-script, pretty much everything is configured via environment, and it seems like the configuration options are, sadly, rather limited.

However, since the Docker image simply runs generic-update-script.rb, you could extend that script to support additional options. Heck, even I could probably do that (with my zero knowledge of Ruby), since they don't require tests in this repo. 😀 The relevant class in this case seems to bet Dependabot::UpdateCheckers which is used here:

dependabot-script/generic-update-script.rb

Lines 173 to 177 in 4330ff7

checker = Dependabot::UpdateCheckers.for_package_manager(package_manager).new(
dependency: dep,
dependency_files: files,
credentials: credentials,
)

The class itself is here and it seems to accept way more arguments than used in the generic-update-script.rb script.

@craigta
Copy link
Author

craigta commented Feb 25, 2022

@rimas-kudelis update checker only takes ignore_versions, not the full set of IgnoreConditions that would allow what I'm looking for. So I can pass in an array of versions like:
ignore_versions = [
">= 0, <= 15"
]

But that doesn't give me the ability to skip major/minor versions as far as I can tell. Open to ideas, but doesn't seem to support by default. I see there is some UpdateConfig that does something with the IgnoreCondition object, but still trying trying to figure out how that works (new to Ruby at the moment, but learning!)

@adambenali adambenali linked a pull request Jan 17, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for configuration files adambenali/dependabot-script
2 participants
@rimas-kudelis @craigta