Dependabot preview not submitting pull requests #3523
Comments
Would you mind upgrading to GitHub-native Dependabot (you can do so from https://app.dependabot.com) and trying again? Now that we're GA, built in to GitHub, we aren't planning on spending much time fixing issues with preview. If you migrate and it's still broken, we can investigate further.
Hi, thanks for getting back to me. In general I have migrated all of my repos away from preview and onto native. The reason why we are sticking with preview for this specific repo is because preview allows automerged updates. This feature has been removed in native and it is valuable for us on this repo, so the plan was to hold out on preview until we absolutely have to move. Last time I researched this there wasn't really a good solution or migration path for users relying on this feature, although I haven't actively looked into it since #1823 (comment). Is there now a clearer path forward on this, or is the option still just to lose access to that feature? I have not found any documentation explicitly stating that dependabot preview is abandoned/unsupported (I did search for that before raising this issue), but if you're saying there is no avenue to getting this fixed on preview we will evaluate where we go next. Cheers
Totally understand. I've slowly been consolidating automerge into #2268, but the short answer is that we don't plan on supporting it natively due to the potential for quick propagation of malicious packages. Using a third party app or an Action is the best solution if you're dead set on it. As for documentation around the future of preview, it's coming shortly.
The same problem occurs in our repositories with dependabot-preview + npm.
Same happening here. dependabot-preview: no pull request was created.
@chris48s automerge is easy to add in; take a look at how I do it with .NET Core on my CI workflows in https://github.com/Elskom/Sdk/ Yes, this time I've done all the research and work for you, and anyone looking at this issue has permission to copy my workflows and edit them to how they want. Also, for automerge, if you want to have it build the merged results, you must make a separate BOT user, add it to your orgs (if user repository, add them as a contributor), then make a PAT and add that as a repository secret (if user repository) or organization secret (if organization repository). After that is done you will get back everything that dependabot preview allowed. Note: with the automerge action it does not work when the user opens a PR from a fork; my workflow on automerging only works from feature branches. Likewise not everyone wants rebase merge on the automerge action and want them squashed, but it would be nice if I could do both rebase AND squash merge the PR using that action. Yes, I despise merge commits with a passion, with them not making the history linear.
👋 I'm working on a fix for this; we made a change to how we parse registry details in npm/yarn and missed this change in preview.
This should be fixed now, thanks for reporting!
Thanks for resolving this. 👍 I appreciate dependabot-preview is nearing EOL and everyone wants to work on the new shiny thing, not the old boring thing :) I am straying off the original topic a bit here. We can move the discussion to another issue if you want, but I'll follow up on one comment here:
I've seen a few different GH action based solutions to this, but from what I have seen most of them either blanket auto-merge/auto-approve everything if the build passes (which is definitely not what we want; far from being "dead set on it", we automerge in quite specific situations) or give you less granularity than what dependabot-preview does, which is why we've stuck with it. Our current setup is quite specific: we have a certain number of linting/testing dependencies which we auto-merge, and we only do that for minor/patch releases. We still require a manual review for major version bumps. Thanks
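The policy described above (auto-merge only linting/testing, i.e. development, dependencies, and only for minor/patch bumps, with majors left for manual review), written out as an added example: first in the Dependabot preview `automerged_updates` format the thread is about, then the GitHub-native equivalent as an Actions workflow. This is constructed for illustration, not the shields repository's actual config; the `BOT_PAT` secret name and the `javascript`/`/` package settings are assumptions.

```yaml
# file: .dependabot/config.yml  (Dependabot preview / v1 format, constructed example)
# Only development dependencies on minor/patch bumps are auto-merged; production
# dependencies and any major bump fall through to a normal, manually reviewed PR.
version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "weekly"
    automerged_updates:
      - match:
          dependency_type: "development"   # lint/test tooling lives in devDependencies
          update_type: "semver:minor"      # covers minor and patch, never major
---
# file: .github/workflows/dependabot-automerge.yml  (GitHub-native equivalent, constructed)
# Same policy, gated on the metadata that dependabot/fetch-metadata exposes for the PR.
# Requires "Allow auto-merge" enabled on the repository and branch protection with
# required status checks, so the merge only completes once CI has passed.
name: dependabot-automerge
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    # Only ever act on PRs that Dependabot itself opened; never on fork PRs from people.
    if: ${{ github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v1
      - name: Enable auto-merge for development deps on minor/patch bumps only
        if: ${{ steps.meta.outputs.dependency-type == 'direct:development' && contains(fromJSON('["version-update:semver-minor","version-update:semver-patch"]'), steps.meta.outputs.update-type) }}
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          # BOT_PAT is a placeholder: a PAT for a dedicated bot user, stored as a
          # repository/organization secret, so the resulting merge still triggers CI
          # (pushes made with the default GITHUB_TOKEN do not), as noted earlier in this thread.
          GH_TOKEN: ${{ secrets.BOT_PAT }}
```

Anything that does not match the gate (a `direct:production` dependency or a `version-update:semver-major` bump) simply leaves the PR open for review, which is the behaviour the comment above asks for.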
@chris48s seems like folks like https://github.com/chdsbd/kodiak which contains the semver functionality (https://kodiakhq.com/docs/config-reference#mergeautomerge_dependenciesversions) but not the dependency name/type (though I think that having an action add a label and setting the automerge labels in Kodiak would likely work).
Cheers. I hadn't seen that one; I will add it to the list of options to look at.
Hello.
We are using dependabot preview/v1 on https://github.com/badges/shields
We didn't get any PRs for new packages last week so I tried manually running a "bump now".
The run claims success but none of the PRs it says it was going to create in the logs were opened. For example:
...we didn't get a PR bumping xmldom to 0.6.0
...no PR bumping concurrently to 6.0.2 either.
etc.
The log for the run is at https://app.dependabot.com/accounts/badges/update-logs/77180287
(can paste in full if needed)
Package ecosystem: NPM
Package manager version: >=7.0.0
Language version: Node 12
Manifest location and content prior to update:
https://github.com/badges/shields/blob/master/package.json
https://github.com/badges/shields/blob/master/package-lock.json
dependabot.yml content: https://github.com/badges/shields/blob/master/.dependabot/config.yml (we're using preview)
Updated dependency: N/A
What you expected to see, versus what you actually saw: PRs opened on repo for packages that needed updating
Native package manager behavior: N/A
Images of the diff or a link to the PR, issue or logs: The log for the run is at https://app.dependabot.com/accounts/badges/update-logs/77180287
🕹 Bonus points: Smallest manifest that reproduces the issue: Suspect this is N/A. The log output implies that the manifest parsing is not the problem here.