dependabot-azure-devops

It looks like the groups option is not working

Open air2 opened this issue 1 year ago • 26 comments

Hello, is it correct that this (beta) option is not supported? And if not, are there any plans to add support for it? It would be extremely helpful.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#grouping-dependabot-version-updates-into-one-pull-request

air2 avatar Jun 30 '23 07:06 air2

Correct.

This is not yet supported.

PRs are welcome, though it may require building an updater similar to GitHub's version.

mburumaxwell avatar Jun 30 '23 12:06 mburumaxwell

@mburumaxwell Name a bounty for this and I'll sponsor you - no joke. This has been my #1 feat missing that I've been missing from Renovate and I really need this <3

ColinKrist avatar Jul 14 '23 15:07 ColinKrist

@ColinKrist I can also help to match a bounty if someone wants to pick it up. Maybe something that can be listed on Bounty Source?

AndrewCraswell avatar Jul 14 '23 19:07 AndrewCraswell

This is quite an interesting proposition. Curious what the offers actually are ...

mburumaxwell avatar Jul 18 '23 10:07 mburumaxwell

I was going to try and DM you on Twitter / GitHub but your DMs are closed. Does $75 USD sound fair - wanted to ask about difficulty because I'd be willing to get this expensed from my employer. LMK

ColinKrist avatar Jul 19 '23 22:07 ColinKrist

Opened Twitter DMs in case you need that.

I have no particular inclination on the bounty besides curiosity. Maybe I will once I have a clue on the amount of effort required.

Meanwhile, maybe you should post all the bounties on Bounty Source like this one https://app.bountysource.com/issues/123710224-pnpm-support

mburumaxwell avatar Jul 23 '23 12:07 mburumaxwell

Done,

https://app.bountysource.com/issues/123710276-it-looks-like-the-groups-option-is-not-working

The azure pipeline task ecosystem community is small. I definitely want to give back and support you guys where I can and make sure you guys feel like the work amounts to something.

ColinKrist avatar Jul 23 '23 13:07 ColinKrist

FYI @mburumaxwell has set the bounty for this at $500.

I've just committed to the cause as I agree this is a much-needed feature. If you're interested in getting this feature implemented and are able to contribute to funding the bounty, please do so using the link posted by @ColinKrist above.

DaleMckeown avatar Aug 02 '23 15:08 DaleMckeown

You may have to use GH sponsors at your own convenience. Bountysource has serious problems:

https://github.com/bountysource/core/issues/1539

mburumaxwell avatar Aug 16 '23 14:08 mburumaxwell

https://github.com/bountysource/core/wiki/Frequently-Asked-Questions#can-i-receive-a-refund-for-a-bounty-i-posted

https://bountysource.com/contact-us/

I've sent in my request, but who knows how long it'll be in limbo.

@mburumaxwell once I get this money back I'll consider sending this over via GH. I'm hoping for something a bit more public to prevent misuse / guarantee the work will be done.

Will you start the work before receiving the funds for this feature? I should have set an expiration time on the bounty to prevent feature work limbo like this, so I apologize to anyone who has added funds to the bounty.

ColinKrist avatar Aug 16 '23 16:08 ColinKrist

@ColinKrist No worries, none of us knew of the problems. Is the intention to withdraw the bounty and fund through another mechanism?

I paid through PayPal but convinced my (apparently rightly skeptical) organisation to reimburse me - I'll open a dispute with PayPal and seek a refund, then figure out how I can pay my org back.

DaleMckeown avatar Aug 16 '23 16:08 DaleMckeown

The more important thing is that you get your money back instead of losing it. Sponsoring on GH will be your choice and at your convenience.

Will the work be done before that? Yes, it appears we need PR grouping internally too. However, I can't promise any timelines because I know the amount of changes required.

mburumaxwell avatar Aug 16 '23 17:08 mburumaxwell

@mburumaxwell wrote:

" because I know the amount of changes required."

Would you be able to share a rough outline of what you think needs to be done? I'm curious to give this a go myself but I don't know this codebase, so it'd be very helpful to hear an analysis from somebody who does.

RoystonS avatar Aug 24 '23 10:08 RoystonS

Please do not use bountysource. Many devs have had trouble getting paid there. You can check out this lemmy community as an alternative https://lemmy.ml/c/bugbounties

For statements from devs who have been unable to cash out from bountysource see: https://github.com/bountysource/core/issues

makeasnek avatar Aug 25 '23 01:08 makeasnek

It is now available in the stable version:

https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/

bdovaz avatar Aug 25 '23 14:08 bdovaz

@mburumaxwell Can this maybe be included now?

SchulteMarkus avatar Sep 21 '23 08:09 SchulteMarkus

Not yet but probably won't decline a contribution.

mburumaxwell avatar Oct 04 '23 02:10 mburumaxwell

@RoystonS first step is to understand how grouping works in dependabot. Then plug that into the updater script while taking into account merge conflict resolution and closing of unwanted PRs. I pulled in code from the official updater but I haven't tested and the server side is not yet 100% ready to support it.

mburumaxwell avatar Oct 04 '23 02:10 mburumaxwell

This still something that is being looked at implemented?

impsoftjoel avatar Nov 15 '23 16:11 impsoftjoel

> This still something that is being looked at implemented?

Yes but improving the updater to avoid the very lengthy file needs to happen first. Unfortunately, that seems to have stalled due to the amount of time it requires. Copying from the official updater does not seem to be a solution due to its complexity; meaning we need to write our own bearing in mind testability, resolution of merge conflicts for groups etc. It is also entirely possible that I am looking at this from the wrong angle and another set of eyes could go about it differently; that's why it is open source.

mburumaxwell avatar Nov 24 '23 03:11 mburumaxwell

Hi, is there any other news on that? This would be a very nice feature.

gioce90 avatar Jan 12 '24 11:01 gioce90

For the benefit of those looking on wondering why this isn't "just being done"... From what I can see, the difficulty is that, due to the way the original GitHub dependabot code is structured, quite a bit of logic from that codebase needs to be duplicated/forked in this package in order to make it work with ADO. It isn't simply a case of providing an ADO-specific implementation of some nice clean abstractions. This means that features like grouping require a lot more specific code in this repo than might otherwise be the case.

RoystonS avatar Feb 02 '24 13:02 RoystonS

Really looking forward to grouping support. It is indeed the only feature we are currently missing for our configuration.

jeroensmink98 avatar Mar 28 '24 13:03 jeroensmink98

Is there an update for this issue? We are really looking forward to it as well

andreeavoltean avatar May 03 '24 20:05 andreeavoltean

Any update on this? We are looking forward to having grouping support as well.

ParminderSingh0191 avatar May 23 '24 23:05 ParminderSingh0191

No, there are no updates. At this point, I am fairly certain that this will have to be a community contribution as we can't allocate time to anything significantly new here such as grouping support. I will leave this issue open for tracking purposes only. Should things change, someone will report back here. Until then, hit that snooze button.

mburumaxwell avatar Jun 08 '24 13:06 mburumaxwell

PRs https://github.com/tinglesoftware/dependabot-azure-devops/pull/1186 and https://github.com/tinglesoftware/dependabot-azure-devops/pull/1216 will resolve this, if/when accepted.

rhyskoedijk avatar Jul 17 '24 03:07 rhyskoedijk

@rhyskoedijk That's an immense contribution, thank you for the time and effort you've put into those PRs. I'm sure that this work will benefit a lot of people once it has been merged.

I previously contributed to a bounty for this feature, but the bounty ended up being cancelled. I'd be more than happy to re-contribute that money over to you once this feature has been merged in. If you enable sponsorship on your GitHub profile, that is probably the best way for us to sponsor you.

DaleMckeown avatar Jul 17 '24 07:07 DaleMckeown

> I'd be more than happy to re-contribute that money over to you once this feature has been merged in.

I appreciate the offer, but that's not necessary. If anybody, sponsor the owner of the repo for keeping this project going and actively maintaining it.

rhyskoedijk avatar Jul 17 '24 08:07 rhyskoedijk

Thanks for your work, I'm looking forward to trying this out. Should this already work (Image 1.30)?

crazyfx1 avatar Jul 25 '24 12:07 crazyfx1