dependabot-azure-devops
Migration from explicit inputs to configuration file for multiple repositories in single pipeline
To resolve the warnings regarding migration of the inputs we ran into a couple of issues.
The first is already covered in #327
The other problem that we have is that we use a single Azure DevOps pipeline to run the DependaBot task for multiple repositories in our project, for example:
steps:
- task: dependabot@1
  displayName: Dependabot | API
  inputs:
    packageManager: 'nuget'
    azureDevOpsAccessToken: $(pat)
    directory: api/
    targetRepositoryName: 'ado-project/api/'
    setAutoComplete: true
    extraEnvironmentVariables: AZURE_PROJECT=ado-project
- task: dependabot@1
  displayName: Dependabot | Webapps
  inputs:
    packageManager: 'npm'
    azureDevOpsAccessToken: $(pat)
    directory: 'webapps/'
    targetRepositoryName: 'ado-project/webapps'
    setAutoComplete: true
    extraEnvironmentVariables: AZURE_PROJECT=ado-project
How would we differentiate between the multiple repositories that we are targeting on our pipeline?
@AdeZwart
Your yaml looks mostly fine to run for multiple repositories. However, pass the repository name in the targetRepositoryName, not the slug. For example: targetRepositoryName: 'webapps'. This value should match the one present in the Build.Repository.Name environment variable as described here.
I am unsure if we have ever supported cross project updates because the AZURE_PROJECT environment variable has never been overridden in the task but can be overridden if you run the Docker container directly.
Re-reading this issue I realized it was pretty unclear.
Currently we are successfully running this pipeline to have Dependabot open PRs on both repositories. It has even worked cross project, but we should clean that up as they currently don't run cross project anymore.
The actual issue I had is regarding the following warning we currently get on our pipeline:

This leads me to the documentation describing we need to use a file ./azuredevops/dependabot.yml followed by a task looking like this:
- task: dependabot@1
  inputs:
    useConfigFile: true
This task doesn't specify the targetRepositoryName, so I was under the impression that I couldn't have a single pipeline for multiple repos anymore. Looking at this with fresh eyes again, I'm wondering if I could still use the targetRepositoryName property and just end up with something like:
steps:
- task: dependabot@1
  displayName: Dependabot | API
  inputs:
    useConfigFile: true
    targetRepositoryName: 'api'
- task: dependabot@1
  displayName: Dependabot | Webapps
  inputs:
    useConfigFile: true
    targetRepositoryName: 'webapps'
@AdeZwart your example is the correct way to handle multiple repositories in one pipeline.
Thank you for the confirmation. We'll update our setup accordingly.
Hi @AdeZwart , I have done further investigation and it appears this will not work because we read the configuration file from the current repository. Related to #357
I really hope there will be an option to still support this. We have loads of projects that we now manage with only one job. With this change we need to create a lot of separate jobs that need to be maintained separately. Would create a lot of work for us :(
@mburumaxwell Can we maybe get an update on this? And if this is the way forward, maybe an explanation why it is beneficial to not allow the targetRepositoryName property. Like I've explained before, we have a lot of projects depending on this; it would be a shame to change this if the argument is 'just because'.
We do exactly the same, we have a single pipeline update multiple repos in a single project. Doing it this way really helps us to organise this, and stops you having loads of separate pipelines.
We've tried moving to the new way yaml file but hit exactly the same issue.
We also do something like this:
steps:
- ${{ each repo in parameters.repositories }}:
  - task: dependabot@1
    displayName: ${{ repo }}
    inputs:
      azureDevOpsAccessToken: ${{ parameters.azureDevOpsAccessToken }}
      packageManager: 'nuget'
      versioningStrategy: 'auto'
      targetRepositoryName: ${{ repo }}
      openPullRequestsLimit: ${{ parameters.pullRequestsLimit }}
      gitHubAccessToken: ${{ parameters.githubAccessToken }}
      milestone: ${{ parameters.workItem }}
But am I understanding correctly targetRepositoryName is not supported with a config file? The way we have set it up now it's super easy to add a new repo (we just add the name to an array in the yaml and then it works).
Removal of explicit inputs in favour of the configuration file is still planned though having been pushed ahead since July/August.
In #444, support for multiple repositories (via targetRepositoryName) when using dependabot.yml was added, which works by making an HTTP request to Azure DevOps API.
You will still need to add dependabot.yml file to each repository that needs to be updated even though the pipeline is shared.
@mburumaxwell just to clarify: this pr fixes that you can now use targetRepositoryName and useConfigFile and it will look for that config file in the repository of targetRepositoryName ?
> @mburumaxwell just to clarify: this pr fixes that you can now use targetRepositoryName and useConfigFile and it will look for that config file in the repository of targetRepositoryName ?
Correct
Sounds like an awesome solution! Do I need to wait for a release or is it already testable at this moment?
@Rutix The latest version (0.13.0) is available and you should be able to use it in your organization. Changes documented here.
@AdeZwart , kindly check if you are now sorted.
Happy holidays.
Now the dependabot.yml is used, is there an equivalent for setAutoComplete and gitHubConnection that were available in the inputs? Don't see them listed in the schema
> now the dependabot.yml is used is there a equivalent for setAutoComplete and gitHubConnection that were available in the inputs? Don't see them listed in the schema
Those are still supplied via the inputs. Only inputs that can be supplied via the configuration file were removed.
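The setup the thread converges on, as an added example (not posted by any participant and not the project's own sample): one shared pipeline that loops over repositories with useConfigFile and targetRepositoryName, keeps setAutoComplete and the access token as task inputs, and relies on a dependabot.yml committed to each target repository. The repository names, the `pat` secret variable and the dependabot.yml values are assumptions taken from or modelled on the snippets above.

```yaml
# --- File 1: shared pipeline definition (lives in one repository) ---
parameters:
- name: repositories        # assumed parameter: names must match Build.Repository.Name
  type: object
  default:
  - api
  - webapps

steps:
- ${{ each repo in parameters.repositories }}:
  - task: dependabot@1
    displayName: Dependabot | ${{ repo }}
    inputs:
      useConfigFile: true                # read dependabot.yml from the target repository
      targetRepositoryName: ${{ repo }}  # repository name only, not 'project/repo'
      azureDevOpsAccessToken: $(pat)     # secret pipeline variable, as in the original post
      setAutoComplete: true              # still an input; not part of the dependabot.yml schema

# --- File 2: dependabot.yml, committed to EACH target repository ---
# (shown here for the 'api' repository; place it where the extension's
#  documentation specifies, and adjust ecosystem/directory per repository)
---
version: 2
updates:
- package-ecosystem: nuget
  directory: /
  schedule:
    interval: weekly
  open-pull-requests-limit: 5
```

Adding a repository then means one new entry in the `repositories` list plus a dependabot.yml in that repository; a repository without the file has no update configuration for the task to read.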