Detect new ecosystems

Open vidwah-nte opened this issue 1 year ago • 4 comments

Is your feature request related to a problem?

If you have a dependabot.yml with config for e.g. ecosystem maven, then add a new ecosystem in the same project (i.e. npm), then evergreen won't try to update dependabot.yml to include npm.

Describe the solution you'd like

A new PR/Issue should be created when a project contains a dependabot.yml file, but with missing ecosystems.

Describe alternatives you've considered

No response

Additional context

No response

vidwah-nte avatar Apr 25 '24 12:04 vidwah-nte

A better example may be the github-actions ecosystem, which is easy to forget when creating a dependabot.yml. We have numerous projects that currently don't have a pipeline, only source code. This action will helpfully tell us that we're missing dependabot for i.e. maven or npm ecosystem. When we later add a pipeline to build & deploy the project, this action sadly won't tell us that we're missing the github-actions ecosystem.

ghost avatar Apr 25 '24 12:04 ghost

@vidwah-nte Great idea. Thank you for sharing.

May be able to tie this in with #29

Update: And #4 (closed now as duplicate) (thanks @zkoppert for mentioning that to me)

jmeridth avatar Apr 25 '24 14:04 jmeridth

Thank you for suggesting this! I agree this is a very valuable change that we would love to have for our use at GitHub as well. One implementation detail to keep in mind here is that we don't want to repeatedly ask, every time the tool runs, for them to add an ecosystem that they have previously been asked about, so we will need to ensure we are properly detecting closed PRs around those and skipping those. Could get a little tricky but still a solvable problem.

zkoppert avatar Apr 25 '24 18:04 zkoppert

An alternative to checking whether there's already been a PR (for ecosystems people don't want in their project), is to instruct users to comment out ecosystems (but leave them in the dependabot.yml file). That, or instructing users to add some sort of # evergreen-ignore-ecosystems: maven,npm annotation in the dependabot.yml file. This might be easier to implement rather than going through PRs in the project. Not going to argue this is a better solution, I'll just add it as a possibility to be considered.

ghost avatar Apr 26 '24 11:04 ghost
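As an added example (not the evergreen project's own code), the following Python sketches the comparison this thread is asking for: ecosystems implied by files present in the repository versus those already listed in dependabot.yml, with commented-out entries and an # evergreen-ignore-ecosystems: annotation (the convention proposed in the comment above) treated as deliberate opt-outs so they are never re-proposed. The manifest-to-ecosystem mapping, the regexes and the sample config are constructed for this example and are not the tool's real detection rules.

```python
import re
from typing import Iterable

# Constructed mapping from manifest paths to the Dependabot ecosystem they imply.
MANIFEST_ECOSYSTEMS = {
    "pom.xml": "maven",
    "package.json": "npm",
    "requirements.txt": "pip",
    ".github/workflows/": "github-actions",
}
ECOSYSTEM_RE = re.compile(r'package-ecosystem:\s*["\']?([\w-]+)')
IGNORE_RE = re.compile(r'#\s*evergreen-ignore-ecosystems:\s*(.+)')

def detect_ecosystems(paths: Iterable[str]) -> set[str]:
    """Ecosystems implied by the files present in the repository."""
    return {eco for path in paths for manifest, eco in MANIFEST_ECOSYSTEMS.items()
            if path == manifest or path.startswith(manifest)}

def parse_dependabot_config(text: str) -> tuple[set[str], set[str]]:
    """Return (configured, ignored) ecosystems from dependabot.yml text."""
    configured, ignored = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        ann = IGNORE_RE.search(line)
        if ann:  # explicit opt-out annotation, e.g. "maven,npm"
            ignored.update(n.strip() for n in ann.group(1).split(",") if n.strip())
            continue
        m = ECOSYSTEM_RE.search(line)
        if not m:
            continue
        if "#" in line[: m.start()]:
            ignored.add(m.group(1))  # commented out on purpose: do not re-propose
        else:
            configured.add(m.group(1))
    return configured, ignored

def missing_ecosystems(config_text: str, repo_paths: Iterable[str]) -> set[str]:
    """Ecosystems present in the repo that the config neither lists nor ignores."""
    configured, ignored = parse_dependabot_config(config_text)
    return detect_ecosystems(repo_paths) - configured - ignored

# Constructed sample: maven configured, npm commented out, pip opted out by annotation.
SAMPLE_CONFIG = """version: 2
# evergreen-ignore-ecosystems: pip
updates:
  - package-ecosystem: "maven"
  # - package-ecosystem: "npm"
"""
SAMPLE_PATHS = ["pom.xml", "package.json", "requirements.txt", ".github/workflows/ci.yml"]
```

With the sample above, only github-actions is reported as missing, which is exactly the case the first comment describes: a workflow added after dependabot.yml was written.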