dependabot-core
Consider creating the PR even if pulling the metadata fails
While the additional metadata that Dependabot brings with the PRs are nice to see and add a lot of value, generally what we truly care about is the update itself and not necessarily the metadata associated with it.
https://github.com/dependabot/dependabot-core/blob/9e6d16c1bc7375b5cf13966908249c555c0e271d/common/lib/dependabot/pull_request_creator/message_builder.rb#L56
https://github.com/dependabot/dependabot-core/blob/9e6d16c1bc7375b5cf13966908249c555c0e271d/common/lib/dependabot/pull_request_creator/message_builder.rb#L289
I believe that we should have an option to make the metadata details optional rather than to fail the PR entirely when it fails to pull it.
Do you have any logs of a Dependabot run where it worked successfully enough that it should have created the PR, but instead bombed out because the metadata step failed?
I haven't stepped through the code, but my hunch is that at least some of the metadata has to be fetched successfully for us to be certain it's okay to create the PR... but I agree that once it's to that point, it's probably okay to finish creating the PR even if further metadata fetching throws errors...
But tackling this isn't really tractable without concrete examples.
Do you have any logs of a Dependabot run where it worked successfully enough that it should have created the PR, but instead bombed out because the metadata step failed?
I run dependabot-script within a corporate environment, so my logs won't be as useful.
Essentially, the PR builder fails when it tries to fetch the metadata, in particular when it tries to fetch the commits and/or release notes, as it reads the scm configuration (for Maven) and then tries to connect to github.com when the firewall is blocking external calls.
In my opinion, all the metadata information is "nice to have" and should not become a blocker while trying to build the pull requests.
To me, the actual upgrade is what matters and if metadata information is not available we can fetch it from other sources even if we need to do it manually.
In my opinion, all the metadata information is "nice to have" and should not become a blocker while trying to build the pull requests. To me, the actual upgrade is what matters and if metadata information is not available we can fetch it from other sources even if we need to do it manually.
Agreed.
Unfortunately, given our current priorities, we're unlikely to get to this anytime soon.
Want to submit a PR? Should be relatively straightforward given you're already familiar with where in the code this is bombing out...
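One way to treat each metadata section as best effort, as an added Ruby example that is not part of the thread and is not dependabot-core's code. `TolerantMessageBuilder`, `NETWORK_ERRORS`, `demo_builder` and the fetcher lambdas are hypothetical names, and the sample dependency is constructed.

```ruby
require "socket"
require "timeout"

# Hypothetical stand-in for a PR message builder; not dependabot-core's API.
# Errors a blocked egress firewall typically produces on outbound calls.
NETWORK_ERRORS = [
  SocketError, Errno::ECONNREFUSED, Errno::ECONNRESET,
  Errno::EHOSTUNREACH, Errno::ETIMEDOUT, Timeout::Error
].freeze

class TolerantMessageBuilder
  attr_reader :skipped

  # fetchers maps a section title to a callable that returns its text.
  def initialize(name:, from:, to:, fetchers:)
    @name, @from, @to = name, from, to
    @fetchers = fetchers
    @skipped = {}
  end

  def pr_name
    "Bump #{@name} from #{@from} to #{@to}"
  end

  # The update summary is always emitted; each metadata section is optional.
  def pr_message
    sections = @fetchers.filter_map do |title, fetcher|
      body = fetch(title, fetcher)
      "#{title}:\n#{body}" if body && !body.empty?
    end
    notes = @skipped.map { |title, err| "#{title} unavailable (#{err})" }
    ([pr_name] + sections + notes).join("\n\n")
  end

  private

  # Only network errors are swallowed; anything else is a bug and propagates.
  def fetch(title, fetcher)
    fetcher.call
  rescue *NETWORK_ERRORS => e
    @skipped[title] = e.class.name
    nil
  end
end

# Constructed demo: release notes resolve, the commit lookup is blocked.
def demo_builder
  TolerantMessageBuilder.new(name: "example-lib", from: "1.0.0", to: "1.1.0",
    fetchers: { "Release notes" => -> { "Fixes a parsing bug." },
                "Commits" => -> { raise Errno::ECONNREFUSED, "github.com" } })
end
```

Recording the skipped sections in the message keeps the gap visible to reviewers, who can then look up the changelog manually.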