So I'm using GitHub Dependabot v2 and have this config:
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 100
    allow:
      - dependency-type: all
I want it to check for updates whenever I make a push / change.
How do I do this?
You cannot do this with Dependabot, and they will likely never implement it. It is supposed to run separately on a schedule, as it is itself likely to produce a PR.
Also, there is no (practical) way to run it locally, especially after GitHub bought them.
Dependabot is a separate application, thus it has its own lifecycle. It has its own metadata store and runs against it to create PRs daily, weekly, or monthly.
It used to have live checks; I saw that the checking interval got removed in v2.
I'm using the GitHub Actions cache for persisting remotely downloaded dependencies from tests across CI executions. https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
The issue I'm having is that I only want the action to write to the cache when it's running on the push event on the master branch. If the event is a pull_request, I'd like it to read from the cache, but not write to it.
The reason for this is that caches that are originated from master are mostly reusable for any PR, but caches generated from a PR may not be super useful for other CI invocations because the code is yet to be reviewed and the developer may be trying out things which may just mess up the cache for other invocations.
Right now I'm doing something like this:
- name: Cache packages
  uses: actions/cache@v3
  with:
    key: 'cache-${{ github.event_name }}'
    restore-keys: |
      cache-push
    path: |
      /path/to/cache
This way I have 2 cache keys, one for PRs and one for master. Master will always use the cache from the previous master invocation because it will only match cache-push, but PRs will use a different key, cache-pull_request, and fall back to cache-push if it doesn't exist. This way master pushes never use a cache that was generated from a PR, only caches that were generated from the previous master push.
Ideally I'd like the cache-pull_request key to not even exist and just have PRs use cache-push but not write to it at the end of the execution. Is this possible?
EDIT: GitHub Actions now officially supports this as of version 3.2.0!
Original comment:
I've been looking for the same thing and unfortunately it does not seem to be possible. There are open PRs and issues in the repo on GitHub:
https://github.com/actions/cache/pull/489
So until it gets merged or implemented in some other way, it is not a possibility with the official GitHub cache workflow.
I also noticed that this PR had been closed
https://github.com/actions/cache/pull/474
The author closed it himself due to inactivity, but forked it to another repo and implemented it there. See https://github.com/MartijnHols/actions-cache
I have not used this repo myself, but it might be worth checking out.
Check actions/cache/restore@v3 and actions/cache/save@v3.
You can restore or save the cache separately.
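A workflow that does what the question above asks for, built from the separated restore and save actions named in this answer: every run restores from the keys written by master, and only a push to master writes. This is an added example, not code from the question or from the answer; the cache path, the test command, the use of package-lock.json for the key hash and master as the default branch are all assumptions.

```yaml
name: CI

on:
  push:
    branches: [master]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Every run (push and pull_request) reads from the cache written by master.
      # Keys are immutable once saved, so the lockfile hash is part of the key
      # and restore-keys gives prefix fallback to the newest master cache.
      - name: Restore dependency cache
        id: restore
        uses: actions/cache/restore@v3
        with:
          path: /path/to/cache
          key: cache-push-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            cache-push-

      - name: Run tests
        run: ./run-tests.sh

      # Only a push to master writes, and only when restore found no entry for
      # this exact key (saving an existing key would just fail).
      # Pull requests never reach this step, so they cannot poison the cache.
      - name: Save dependency cache
        if: github.event_name == 'push' && github.ref == 'refs/heads/master' && steps.restore.outputs.cache-hit != 'true'
        uses: actions/cache/save@v3
        with:
          path: /path/to/cache
          key: ${{ steps.restore.outputs.cache-primary-key }}
```

The save step reuses the primary key computed by the restore step rather than repeating the hashFiles expression, so the two can never drift apart. Because the single key prefix cache-push- is only ever written from master, the separate cache-pull_request key from the question is no longer needed.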
We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own, and we do not want automated builds (we use GitHub for code, Azure DevOps for builds).
There is no clear hint in the docs (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) on how to do this.
We already tried to exclude Dependabot branches, but that does not work in any form.
# Azure DevOps Excludes
pr:
  autoCancel: "true"
  branches:
    exclude:
      - dependabot/*
      - dependabot/**/*
We also found the hint on Stack Overflow to set the limit to 0, but PRs are still created:
version: 2
updates:
  - directory: "/"
    open-pull-requests-limit: 0
Any possibility to use Dependabot just as an information source?
Go to Security -> Dependabot -> Configure -> Manage Repository Vulnerability Settings. (This should take you to a URL like https://github.com/yourusername/yourreponame/settings/security_analysis.)
Leave the "Dependabot alerts" setting enabled but ensure the "Dependabot version updates" setting is disabled.
If you've previously enabled "Dependabot version updates", you'll have a .github/dependabot.yml file in your repo, whose purpose is to configure Dependabot's automatic updates. To disable them, delete dependabot.yml.
In pictures:
You will now still be able to view security alerts about your dependencies on GitHub, but Dependabot will not open PRs for them.
By default, Dependabot will automatically rebase pull requests to resolve any conflicts. If you prefer to handle merge conflicts manually, you can disable this feature with the rebase-strategy option.
For rebase-strategy, use disabled to disable automatic rebasing.
Setting this option will also affect pull requests for security updates to this package manager's manifest file, unless you use target-branch to check for version updates on non-default branches.
A rebase-strategy example:
version: 2
updates:
  - directory: "/"
    schedule:
      interval: "daily"
    # Disable automatic rebasing of Dependabot pull requests
    rebase-strategy: "disabled"
Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?
https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
The configuration file is necessary so that Dependabot knows which environments to update. This is a minimalist example from the GitHub documentation to update the dependencies of the GitHub Actions on a daily basis:
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"
You can also see the necessary configuration options in the table in the GitHub documentation.
Technically dependabot.yml is not required: if you turn on Dependabot from the GitHub project settings / security page, it'll start working. I turned it on for https://github.com/coreinfrastructure/best-practices-badge without a YAML file and it worked.
HOWEVER, it's not obvious to others that Dependabot is being used if there's no dependabot.yml file, and that's a problem. For example, the OpenSSF Scorecard looks for the dependabot.yml file to determine if your project is using Dependabot to keep things up to date. It's important to have your dependencies up to date, yes, but it's also important that your potential users know that you're keeping things up to date. So for full transparency it's better to have the configuration file posted within the source repo.
It'll also give you more control.
I'm using GitHub dependabot.yml, version 2.
version: 2
updates:
  # NuGet Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
I am trying to figure out if there is any possibility to configure it so that dependencies are updated only if they include security fixes, as can be done in version 1:
version: 1
update_configs:
  - package_manager: "dotnet:nuget"
    directory: "/"
    update_schedule: "monthly"
    allowed_updates:
      - match:
          update_type: "security"
Let me know if you had the same issue and how you resolved it.
Thanks
According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:
open-pull-requests-limit: 0
This means it will only create security updates.
Yeah, I was having the same problem; then I found something like this GitHub community thread.
I remembered where I saw this. When using the original Dependabot from the marketplace, one configuration option is to only perform security updates. I have that set for one of my repositories. There is now an option in the original Dependabot to generate a dependabot.yml configuration file using the settings configured in the original Dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled, I receive this message:
You're using unsupported features
This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page.
It sounds like in Dependabot v2 they have separated out the security updates into UI config; this is as bad as the GitHub Actions secret. But it looks like you don't need Dependabot to configure security patches for dependencies anymore.
Let me know if that helps.
I have email and Slack notifications configured for Travis build failures. Currently it sends notifications for build failures of every branch. Since every developer creates lots of branches, the mails come in large numbers, which feels like spam. I would like to restrict the mails to failures of the develop branch only.
My configuration in .travis.yml is something like this:
notifications:
  email:
    recipients:
      - xyz@abc.com
    branches:
      only: develop
    on_success: change
    on_failure: always
Are branch-specific alerts really supported? If yes, how do you do it?
For your specific query about whether branch-specific notification is currently supported by Travis, the answer is NO. Below is from the Travis documentation:
There is currently no way of limiting the notification to a specific branch, but the payload will contain all relevant data to do so at the receiving end
So currently branch-specific notification is not supported by Travis, but it would need to be implemented separately by consuming the webhook payload from Travis.
Update:
(Courtesy @LucasCimon) There is an open GitHub issue to track this feature request.