Per-dependency reviewers and labels #11291
Unanswered
dipth asked this question in Code Security
Replies: 0 comments
Hi!
We run a large monolith Rails application in our company across 4 different teams.
With a Gemfile that contains close to 200 dependencies it has become quite cumbersome to manage dependency updates.
We've been looking into ways that would allow us to specify which dependencies belong to which team and ensure that Dependabot adds reviewers from the correct teams for all update PRs that it creates.
However, it doesn't appear like there is any way to achieve this?
The closest we've gotten is splitting up our Gemfile into four separate files like this:
Gemfile:
dependencies/team_a/Gemfile (etc.):
Then adding a symbolic link in each of those team folders for `Gemfile.lock` to point to the `Gemfile.lock` in the root of the project. Then adding separate configuration entries for Dependabot:
.github/dependabot.yml:
However, when Dependabot runs and creates a PR it removes the symbolic link to `Gemfile.lock` and creates a new `Gemfile.lock` in the sub-directory instead of following the symbolic link and writing the changes to the root `Gemfile.lock`.
Is there any way a setup like this could be configured to work or are there any other options that could be used to achieve a similar result, where some specific dependencies are assigned to specific people/teams?
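The post leaves out the contents of its `dependabot.yml`, so the following is an added example (not the poster's file, and not a fix for the symlinked `Gemfile.lock` problem described above) that shows the shape of the per-team configuration being attempted: one Bundler update entry per team directory, each with its own `reviewers` and `labels`. The `version`, `updates`, `package-ecosystem`, `directory`, `schedule`, `reviewers` and `labels` keys are real Dependabot v2 options; the team slugs, directory names and the `TEAMS` ownership map are hypothetical. The script generates the file from the ownership map and validates it, so the mapping from gems to owning teams lives in one place rather than in four hand-edited blocks.

```ruby
# Added example: build a .github/dependabot.yml with one Bundler entry per
# team directory so that each team reviews the update PRs for the gems it owns.
# Team names, directories and reviewer slugs below are placeholders.
require "yaml"

# Constructed ownership map (hypothetical): team name -> the sub-directory
# that holds that team's Gemfile and the GitHub team that should review.
TEAMS = {
  "team_a" => { "directory" => "/dependencies/team_a", "reviewers" => ["example-org/team-a"] },
  "team_b" => { "directory" => "/dependencies/team_b", "reviewers" => ["example-org/team-b"] },
  "team_c" => { "directory" => "/dependencies/team_c", "reviewers" => ["example-org/team-c"] },
  "team_d" => { "directory" => "/dependencies/team_d", "reviewers" => ["example-org/team-d"] },
}.freeze

# Produce the Dependabot v2 config as a plain Hash (string keys, so the
# YAML output uses the key names Dependabot expects).
def dependabot_config(teams, schedule: "weekly")
  {
    "version" => 2,
    "updates" => teams.map do |name, owner|
      {
        "package-ecosystem" => "bundler",
        "directory" => owner.fetch("directory"),
        "schedule" => { "interval" => schedule },
        "reviewers" => owner.fetch("reviewers"),
        "labels" => ["dependencies", "team:#{name}"],
      }
    end,
  }
end

# Return a list of problems; an empty list means the config is consistent.
# Dependabot requires `directory` to be given relative to the repository root
# (leading "/"), and two entries for the same directory and ecosystem would
# race each other, so both are rejected here.
def validate_config(config)
  errors = []
  seen = {}
  config.fetch("updates").each do |entry|
    dir = entry["directory"]
    errors << "directory #{dir.inspect} must start with /" unless dir.start_with?("/")
    key = [entry["package-ecosystem"], dir]
    errors << "duplicate entry for #{key.join(' ')}" if seen[key]
    seen[key] = true
    errors << "no reviewers for #{dir}" if Array(entry["reviewers"]).empty?
  end
  errors
end

# Render the YAML text that would be written to .github/dependabot.yml.
def render_dependabot_yaml(config)
  YAML.dump(config)
end

if __FILE__ == $PROGRAM_NAME
  config = dependabot_config(TEAMS)
  problems = validate_config(config)
  abort(problems.join("\n")) unless problems.empty?
  puts render_dependabot_yaml(config)
end
```

Running the script prints the generated configuration; writing it to `.github/dependabot.yml` is left to the caller so the output can be reviewed first.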