
.dependabot/config.yml ignored

Open mohitmutha opened this issue 5 years ago • 5 comments

We have a private gitlab installation and I have configured the dependabot-script and schedules for some of the repos.

One of the repos has a .dependabot/config.yml in the root and I was expecting that the dependabot-script job would read the config.yml, but it did not.

How do I make it read my config.yml?

mohitmutha avatar Jan 08 '20 12:01 mohitmutha

I've just discovered this same problem.

There are a few things at play here. I think that https://github.com/dependabot/dependabot-core can take all of the configuration options as arguments to things like the Dependabot::PullRequestCreator.new call that is happening in this script, but something would need to grok all that info out of the config file.

Additionally I can't seem to find any Config parsing code in the dependabot-core source, and would be hesitant to re-write that parsing.

Lastly, the script seems to be run once per repo/package_manager combination, so even if the config options were grok'd out, you'd need to grok for the ones relevant to the current PACKAGE_MANAGER environment variable, and then decide if the config should override the options that are supported via ENV vars in this script, such as GITLAB_AUTO_MERGE for example.

Alternatively, the default for PACKAGE_MANAGER could be removed, in which case all options listed in the config file could be looped, but this might be a big breaking change for some people.

tigris avatar Jan 09 '20 02:01 tigris

In that case, is it possible to specify some environment variable or parameter to the dependabot-script so that only security / vulnerability updates are processed?

mohitmutha avatar Jan 10 '20 06:01 mohitmutha
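An illustration of the two points raised above (selecting only the config entries for the current PACKAGE_MANAGER, and restricting a run to security updates), written as an added example for this thread, not code from dependabot-script or dependabot-core. It assumes the v1 config layout (version, update_configs, package_manager, allowed_updates, automerged_updates); the SECURITY_UPDATES_ONLY variable is hypothetical, and the env-over-config precedence is one possible choice, not the script's behaviour.

```ruby
require "yaml"

# Constructed sample of a v1 .dependabot/config.yml (illustrative content).
SAMPLE_CONFIG = <<~YAML
  version: 1
  update_configs:
    - package_manager: "javascript"
      directory: "/"
      update_schedule: "weekly"
      automerged_updates:
        - match:
            dependency_type: "all"
            update_type: "security:patch"
    - package_manager: "ruby:bundler"
      directory: "/"
      update_schedule: "daily"
      allowed_updates:
        - match:
            dependency_type: "all"
            update_type: "security"
YAML

# Return only the update_configs entries that apply to the package manager
# this script run handles (env["PACKAGE_MANAGER"]); other entries are skipped.
def configs_for(config_yaml, env)
  doc = YAML.safe_load(config_yaml)
  raise ArgumentError, "unsupported config version" unless doc["version"] == 1
  wanted = env.fetch("PACKAGE_MANAGER")
  doc.fetch("update_configs", []).select { |c| c["package_manager"] == wanted }
end

# Security-only run? An explicit SECURITY_UPDATES_ONLY env value (hypothetical
# name) overrides the config; otherwise the config's allowed_updates decide:
# security-only when every allowed match is a security update type.
def security_only?(update_config, env)
  return env["SECURITY_UPDATES_ONLY"] == "true" if env.key?("SECURITY_UPDATES_ONLY")
  allowed = update_config.fetch("allowed_updates", [])
  !allowed.empty? &&
    allowed.all? { |a| a.dig("match", "update_type").to_s.start_with?("security") }
end

# Auto-merge only when the config opts in; an env GITLAB_AUTO_MERGE=false is
# treated (assumption) as a hard off-switch that the config cannot re-enable.
def auto_merge?(update_config, env)
  return false if env["GITLAB_AUTO_MERGE"] == "false"
  !update_config.fetch("automerged_updates", []).empty?
end
```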

Certainly possible. I could have a crack at implementation but not sure which way the maintainers would like to go.

Also the current build is in a fail state, leading me to think it may be unmaintained?

tigris avatar Jan 10 '20 07:01 tigris

Can you give some pointers on where the change will be required? I would like to try it out in a forked repo.

mohitmutha avatar Jan 10 '20 10:01 mohitmutha

Any progress here?

gperdomor avatar Jul 10 '20 14:07 gperdomor