Is dependabot.yml mandatory for GitHub Dependabot? - github

Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?
https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

The configuration file is necessary so that Dependabot knows which environments to update. This is a minimalist example from the GitHub documentation to update the dependencies of the GitHub Actions on a daily basis:
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"
You can also see the necessary configurations in the table of the GitHub documentation.

Technically dependabot.yml is not required - if you turn on dependabot from GitHub project settings / security, it'll start working. I turned on https://github.com/coreinfrastructure/best-practices-badge without a YAML file and it worked.
HOWEVER, it's not obvious to others that dependabot is being used if there's no dependabot.yml file, and that's a problem. For example, the OpenSSF scorecard looks for the dependabot.yml file to determine if your project is using dependabot to keep things up to date. It's important to have your dependencies up-to-date, yes, but it's also important that your potential users know that you're keeping things up-to-date. So for full transparency it's better to have the configuration file posted within the source repo.
It'll also give you more control.

Related

Dependabot.yml security updates for GitHub Actions

I am trying to configure dependabot.yml to get security updates for GitHub Actions.
I followed the Configuring Dependabot security updates documentation. During the configuration I had the following issues:
I did not understand if I need to enable in Code security and analysis the Dependabot alerts and Dependabot security updates along with creating the dependabot.yml.
I did not understand why Dependabot was not able to identify the security vulnerability in my action. I am testing with some-natalie/ghas-to-csv#v1 action, which has a GHSA.
I did not understand from About Dependabot security updates documentation what is the frequency that the vulnerabilities are checked and turned into alerts / PRs.
Perhaps the configuration did not work (yet) because Dependabot has not even identified the vulnerability, therefore has not created the updating PR.
Can you help me understand why is my configuration not working? Or if it's not supported?
All Dependabot features build on top of the Software Composition Analysis feature (first button to enable in that list) and that is the reason why that needs to be enabled.
It then checks ONLY the dependencies of your repo that it finds by parsing the manifest files in the repo.
For security alerts and PRs you do not need to commit a Dependabot.yml file. That file is only needed for version updates.
Lastly, Dependabot does not check for security vulnerabilities in your code, only in dependencies! If you want to run static code analysis on your own code, you can try CodeQL and other SAST tools (static code analysis tools).

How to disable or ignore Dependabot pull requests?

We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure DevOps for builds).
There is no clear hint in the docs (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) to do this.
We already tried to exclude dependabot branches, but that does not work in any form.
# Azure DevOps Excludes
pr:
  autoCancel: "true"
  branches:
    exclude:
      - dependabot/*
      - dependabot/**/*
We also found the hint on Stack Overflow to set the limit to 0, but still PRs are created:
version: 2
updates:
  - directory: "/"
    open-pull-requests-limit: 0
Any possibility to use Dependabot just as information source?
Go to Security -> Dependabot -> Configure -> Manage Repository Vulnerability Settings. (This should take you to a URL like https://github.com/yourusername/yourreponame/settings/security_analysis.)
Leave the "Dependabot alerts" setting enabled but ensure the "Dependabot version updates" setting is disabled.
If you've previously enabled "Dependabot version updates", you'll have a .github/dependabot.yml file in your repo, whose purpose is to configure Dependabot's automatic updates. To disable them, delete dependabot.yml.
You will now still be able to view security alerts about your dependencies on GitHub, but Dependabot will not open PRs for them.
By default, Dependabot will automatically reset pull requests to resolve any conflicts. If you prefer to handle merge conflicts manually, you can disable this feature with the rebase-strategy option.
For rebase strategies, use disabled to disable automatic rebasing.
Setting this option will also affect pull requests for security updates to this package manager's manifest file, unless you use target-branch to check for version updates on non-default branches.
For example, with rebase-strategy:
version: 2
updates:
  - directory: "/"
    schedule:
      interval: "daily"
    # Disable Dependabot pull requests
    rebase-strategy: "disabled"

Merging blocked indefinitely on GitHub

The context is as follows:
I configure my GitHub CI workflow file (the YAML file) such that the workflow runs only when there are changes to certain directories:
name: testing
on:
  pull_request:
    branches:
      - develop
    paths:
      - 'dir_1/**'
      - '!dir_1/README.md'
      - 'dir_2/**'
      - '!dir_2/README.md'
I have set a branch protection rule on the develop branch that makes a merge into it possible only when the status checks are successful.
Now when I create a branch based off of the develop branch, make some changes to dir_3 (please note it is different from dir_1 and dir_2 mentioned in the YAML file code snippet), push that branch and create a pull request, GitHub expects status checks to be completed and merging is blocked till the time they are, as follows:
When I check the Actions tab, I find no action running.
So the merging is blocked indefinitely. I think that's because the branch protection rule and the YAML file code snippet contradict each other (the branch protection rule is waiting for the status check to be completed but due to the restriction in the YAML file, no status check is run). I have the following questions:
1. Is my reasoning correct?
2. If yes, is there a way to protect certain subdirectories of a branch instead of the whole branch on GitHub? I want to allow merging if the 'protected subdirectories' are unchanged.
3. If the answer to 1 is yes and 2 is no, is there some other way to allow merging if the subdirectories not specified in the YAML file are changed (while retaining the branch protection rule)?
Thank you for taking the time to read the question.
On Googling the question, I found this result but it wasn't very helpful.
One of my office colleagues suggested an alternate solution to the above problem. Using paths-filter action instead of using the paths or paths-ignore key as mentioned in the Github Actions documentation solves the problem. So if the changed path is not supposed to trigger a step in a workflow, the step will be shown as skipped while running the tests and GitHub will not wait indefinitely for the tests to finish running (i.e. it will show that the pull request can be accepted).
This problem is also described in this comment of the issue. My colleague has posted the solution as a comment in the same issue. You can refer to it to see how the paths-filter action can be used to solve the above issue.
If someone has a better solution to solve this problem, please do post it. For now, I am marking this as the accepted solution. Thank you.
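A workflow of the kind the accepted answer describes, as an added example that is not part of the original thread: the job always runs, so the required status check always completes, and only the test step is skipped when nothing under the filtered paths changed. It assumes the dorny/paths-filter action (the thread does not say which paths-filter action was used), a test entry point ./run-tests.sh, and leaves out the README.md exclusions from the question's original paths filter.

```yaml
name: testing
on:
  pull_request:
    branches:
      - develop
# Least privilege: the filter only needs to read the PR's list of changed files.
permissions:
  contents: read
  pull-requests: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed action: dorny/paths-filter. It exposes one true/false output
      # per filter key (here "protected") instead of suppressing the whole run.
      - uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            protected:
              - 'dir_1/**'
              - 'dir_2/**'
      # A PR that only touches dir_3 skips this step; the job still finishes
      # successfully, so the branch protection rule sees a completed check.
      - name: Run tests
        if: steps.changes.outputs.protected == 'true'
        run: ./run-tests.sh   # assumed test entry point
```

The branch protection rule must list this job ("test") as the required status check; because the job completes even when the step is skipped, the pull request is no longer blocked indefinitely.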

How to get dependabot to trigger for security updates only

I'm using GitHub dependabot.yml, version 2.
version: 2
updates:
  # Nuget Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
I am trying to figure out if there is any possibility to configure it so that the dependencies will be updated only if they include security fixes, as can be done with version 1:
version: 1
update_configs:
  - package_manager: "dotnet:nuget"
    directory: "/"
    update_schedule: "monthly"
    allowed_updates:
      - match:
          update_type: "security"
Let me know if you had the same issue and how you resolved it.
Thanks
According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:
open-pull-requests-limit: 0
This means it will only create security updates.
Yeah, I was having the same problem, then I found out something like this github community thread.
I remembered where I saw this. When using the original dependabot from the marketplace one configuration option is to only perform security updates. I have that set from one of my repositories. There is now an option in the original dependabot to generate a dependabot.yml configuration file using the settings configured in the original dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:
You're using unsupported features
This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page.
It sounds like in dependabot v2, they have separated out the security updates into UI config, this is as bad as the GitHub action secret. But looks like you don't need dependabot to config security patches for dependencies anymore.
Let me know if that helps.

How you increment the version number using Travis CI?

The project that I am working on is a jQuery plugin. I have managed to get Travis CI to build a test project using Gulp/NodeJS successfully. Now I am trying to work out what workflow to use to bump the version number.
In TeamCity and MyGet there is a setting in the CI server to form a version number pattern that auto increments on each build, which can be used by the build script to update versions in the deployment files and to label the Git repo. However, in the free version of Travis CI, there doesn't seem to be an option for versioning at all.
I have read several articles on continuous deployment with Travis CI, here, here, and here, but none of them even broach the topic of versioning. Obviously, the version needs to be changed for the release. So what am I missing here?
Another problem I noted when going through the documentation is that it mentioned that Travis CI is not able to update the GitHub repository. Doesn't that basically mean it won't be able to create a Git tag?
If there is no way to version from Travis CI, then what is the typical workflow for the release process for such a plugin? Is the versioning always done manually? If so, how could there be "continuous deployment"?
Before it starts running the instructions in your .travis.yml file, Travis will set a bunch of environment variables (in the VM that is building your project) with various bits of information about your build, such as what branch is being built and so on.
You probably want one of these:
TRAVIS_BUILD_NUMBER: The number of the current build (for example, “4”).
TRAVIS_JOB_NUMBER: The number of the current job (for example, “4.1”).
But it's going to be very difficult to do anything sensible if you don't have control of the repository, because you'll need to upload a .travis.yml file into the root of your source code folder, otherwise Travis won't know what to do.
Use bumped for release versioning. When you're satisfied with the changes in master, run:
bumped release <major|minor|patch>
After you push the changes, either directly or through a release PR, you can check for the presence of new tags in Travis CI and publish the package to the registry automatically.
If you consider that every PR must end up at your end user without thinking of the impact of such changes, then your version numbers have no meaning.
You don't give your user a way to know if it is a major change that breaks compatibility or a bug fix. You don't allow them to get updates without worrying about backward compatibility.
Currently, the commit id is your version number.
If you want to give meaning to your version numbers then you have to think of the impact of your pull requests on the enduser (http://semver.org/). You have to choose a version number for a specific PR or a group of PR.
So basically, since you have to 'think' of a certain version number for a specific version that you want to deliver, you can't automate this process.
Release/tag creation is the way to go : )
You can accomplish this by setting up a script that would create a ~/.netrc file to access the repository. In this file you can specify something like (the machine entry is the host name, not the repository URL, and the token goes in the password field):
machine github.com
login <blah>
password <token>
And instead of putting in your credentials, you can pass a GitHub access token. You can use the travis encrypt command to register it in the .travis.yml file, and export the variable for your script's use. From there in your script, you can issue regular git commands such as:
git add <some file>
git commit -m "This is $TRAVIS_BUILD_NUMBER"
git push origin <branch>