Make it possible to validate Dependabot config before it lands on main
#4605
Comments
|
Same issue here... |
|
The Dependabot app registers a "CheckRun" in GH whenever the config file changes: https://github.com/dependabot/dependabot-core/runs/4327679442 Does that help? |
|
@jurre Not really, as the See also: #3878 |
|
@hfhbd ah yes, that's still not working :( I'll see about getting that prioritized. |
|
In an effort to be transparent, I just investigated this a little and it seems the issue that prevents the check from running on PRs is fairly deep inside GitHub itself, and will require us to rejig some things internally so unfortunately not an easy fix. Will still try to get it prioritized either way, but just might take a little longer for us to roll out a fix because it involves changing a bunch of moving parts :( |
jurre
added
T: feature-improvement
|
👋🏻 Just removing the needs-triage as we've been looking at this internally. There is some work we want to do around Dependabot configuration and enablement, so I've made a note of this problem as part of that. I don't have anything to share right now, but this is something we'd like to do better on. |
jeffwidman
changed the title
main
jeffwidman
changed the title
mainmain
|
I realize the original post title was asking for a stand-alone validator, but I suspect the real intent here is to make it possible to validate the config before it lands on That could be implemented via a standalone validator, but as discussed later in this issue's comments, it could also be via a check that runs on the PR before merge. So I reworded the title to focus on the problem, rather than describing only one possible fix implementation. And yes, we do very much want to resolve the hurdles mentioned in #4605 (comment) and get this resolved. |
|
I just noticed that the GH action that validates I'm a bit surprised because AFAIK we didn't make the the internal changes described in #4605 (comment). The only thing that is different from a normal PR is that I updated the PR with a rebase off |
|
I just noticed the check also ran on this PR branch: https://github.com/dependabot/cli/pull/17/checks?check_run_id=8862312262 And that PR doesn't touch Given that we haven't made internal changes, I suspect this is caused by an unrelated race condition of some sort, but I don't have time to dig into that right now. So just leaving a breadcrumb if we keep seeing this occasionally and want to investigate. |
## Which problem is this PR solving? Our dependabot PRs are failing CI checks because of the PR title validation check. Instead of getting the PR title validation check to ignore dependabot PRs, I thought it would be better to add the correct semantic prefix to dependabot PRs instead. - Updates honeycombio/telemetry-team#389 ## Short description of the changes - Adds semantic prefix `maint` to all dependabot commits / PRs ## How to verify that this has the expected result Unfortunately, it doesn't seem like we can validate dependabot config changes without merging them in according to [this issue](dependabot/dependabot-core#4605). I think this should work as expected based on: - [The dependabot docs for `commit-message`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#commit-message) - [The code adds a `:` and a space automatically ](https://github.com/dependabot/dependabot-core/blob/main/common/spec/dependabot/pull_request_creator/pr_name_prefixer_spec.rb#L248)
following [this comment](#1628 (comment)) from @kristovatlas This action seems to only validate the JSON schema. For full validation, it's on GitHub to provide this -- tracked in this issue: dependabot/dependabot-core#4605
following [this comment](gnolang#1628 (comment)) from @kristovatlas This action seems to only validate the JSON schema. For full validation, it's on GitHub to provide this -- tracked in this issue: dependabot/dependabot-core#4605
Current upstream validator is still under work and tracked as dependabot/dependabot-core#4605.
Current upstream validator is still under work and tracked as dependabot/dependabot-core#4605.
Current upstream validator is still under work and tracked as dependabot/dependabot-core#4605.
This PR should enable dependabot to check our web UI ecosystem. We use yarn workspaces so (I believe) we have to target each individual package.json in order for it to be updated. As far as I'm aware, I haven't found a way to [validate a dependabot.yaml file before letting it run](dependabot/dependabot-core#4605) so this may need to be iterated on. I've tried to split up the responsibility for each package around the web team (connect team takes /teleterm, ryan helps with /build). Change ecosystem name to npm According to the docs, although yarn is a valid ecosystem, the job is now asking for npm. I'm not sure if this will use yarn to update the yarn.lock or not
This PR should enable dependabot to check our web UI ecosystem. We use yarn workspaces so (I believe) we have to target each individual package.json in order for it to be updated. As far as I'm aware, I haven't found a way to [validate a dependabot.yaml file before letting it run](dependabot/dependabot-core#4605) so this may need to be iterated on. I've tried to split up the responsibility for each package around the web team (connect team takes /teleterm, ryan helps with /build). Change ecosystem name to npm According to the docs, although yarn is a valid ecosystem, the job is now asking for npm. I'm not sure if this will use yarn to update the yarn.lock or not
|
I ran into this myself after merging a bad config into main (which was previously valid somehow). Some weird behavior here. Why didn't it run previously on the PR that ended up breaking, but now it runs on the subsequent PR to fix it? |
|
I'm sharing this here in case anyone finds it useful. If your Dependabot config file is located at npx -y @bugron/validate-dependabot-yaml@latestI also needed to validate a Dependabot config file without committing to the default branch first so I've published a CLI tool @bugron/validate-dependabot-yaml that does exactly that and more. It is capable of logging validation errors both in Markdown and JSON so can naturally used in GH Actions for sticky comments and post-processing errors. Note, the tool isn't perfect, but should do the job. |
…until it works? 2/n Ref dependabot/dependabot-core#4605
s/exclude_patterns/exclude-patterns [1]. Since an official native validation solution doesn't exist yet [2] that would work reliably, @bugron/validate-dependabot-yaml was used to validate this typo fix. [1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups [2] dependabot/dependabot-core#4605 [3] https://www.npmjs.com/package/@bugron/validate-dependabot-yaml Signed-off-by: Erik Skultety <eskultet@redhat.com>
s/exclude_patterns/exclude-patterns [1]. Since an official native validation solution doesn't exist yet [2] that would work reliably, @bugron/validate-dependabot-yaml was used to validate this typo fix. fixes: 24f35ee [1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups [2] dependabot/dependabot-core#4605 [3] https://www.npmjs.com/package/@bugron/validate-dependabot-yaml Signed-off-by: Erik Skultety <eskultet@redhat.com>
s/exclude_patterns/exclude-patterns [1]. Since an official native validation solution doesn't exist yet [2] that would work reliably, @bugron/validate-dependabot-yaml was used to validate this typo fix. fixes: 24f35ee [1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups [2] dependabot/dependabot-core#4605 [3] https://www.npmjs.com/package/@bugron/validate-dependabot-yaml Signed-off-by: Erik Skultety <eskultet@redhat.com>
s/exclude_patterns/exclude-patterns [1]. Since an official native validation solution doesn't exist yet [2] that would work reliably, @bugron/validate-dependabot-yaml was used to validate this typo fix. fixes: 24f35ee [1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups [2] dependabot/dependabot-core#4605 [3] https://www.npmjs.com/package/@bugron/validate-dependabot-yaml Signed-off-by: Erik Skultety <eskultet@redhat.com>
and others
There used to be a dependabot config validator at
https://dependabot.com/docs/config-file/validator/, but it has gone missing. Is there a replacement?references:
https://stackoverflow.com/questions/63943201/how-do-i-test-dependabot-before-merging-config
https://gh.neting.ccmunity/t/how-to-validate-dependabot-config-file/218636
The text was updated successfully, but these errors were encountered: