New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config file: Support Wildcards in directory #2178
Comments
Frustratingly, this is a bit more difficult on our backend than it sounds. The answer here is pretty similar to: We'd like to support this, and it's on our roadmap (together with grouping projects), but it's a way off. |
Would be nice to have it! Here is an example where it fails: |
I wrote a script that auto-generates Dependabot configs using globs 😅 Please feel free to use my awful hacks however you like until Dependabot/Github implement this feature properly. https://gist.github.com/alexf101/b65cbfe7c5a61df7d925589a71d200cf |
+1 from me. I have a dockerfiles repo with multiple directories representing different images being built. I was dismayed to find out that dependabot.yml only allows specifying one directory. Even if we are somehow able to do the following would be a start
|
I incorrectly assumed Dependabot can find the Cargo config files, however, the projects must be specified independently (see: dependabot/dependabot-core#2178). Without this, Dependabot fails with the following error: ``` Dependabot couldn't find a Cargo.toml Dependabot requires a Cargo.toml to evaluate your Rust dependencies. It had expected to find one at the path: /src/Cargo.toml. If this isn't a Rust project, you may wish to disable updates for it in the .github/dependabot.yml config file in this repo. ``` See: https://github.com/adeira/universe/network/updates/91435760
I incorrectly assumed Dependabot can find the Cargo config files, however, the projects must be specified independently (see: dependabot/dependabot-core#2178). Without this, Dependabot fails with the following error: ``` Dependabot couldn't find a Cargo.toml Dependabot requires a Cargo.toml to evaluate your Rust dependencies. It had expected to find one at the path: /src/Cargo.toml. If this isn't a Rust project, you may wish to disable updates for it in the .github/dependabot.yml config file in this repo. ``` See: https://github.com/adeira/universe/network/updates/91435760
Any update on where this is on the roadmap? |
For our teams, the Terraform support with Dependabot greatly increased the need for this feature. We have local modules storing common infrastructure for the environments, then a separate folder for each environment. Sometimes, because of weird dependencies, we have to have two folders for each environment. That's upwards of 10 folders for each project. It would be nicer to have one entry in the config file instead of 10. |
If someone would like a javascript hack as a workaround:
fb.sync([
`${repoRoot}/**/package.json`,
`${repoRoot}/**/go.mod`,
`${repoRoot}/**/pom.xml`,
`${repoRoot}/**/Dockerfile`,
// Stuff to ignore:
`!${repoRoot}/**/node_modules`,
`!${repoRoot}/**/vendor`])
.map(mapItToAStructureYouWantToSendToHandleBar) For monorepos, it is death trying to maintain the dependabot file by hand. |
Knew someone would say something like you. GitHub programmers are paid six figures, we are not paid to do their job, stop trying to excuse laziness (it's been 5 years literally wake up) |
(it is very easy but don't ever code for free for software that is maintained by paid coders unless your time is utterly valueless or you enjoy lazy others ignoring issues for years getting raises/promotions off your unpaid hard work which is just not smart, no other way to put it) |
Multi-dir configuration is now in public beta!; open to hearing your thoughts as you try out the beta!! Tagging @carlincherry |
@abdulapopoola @carlincherry Amazing, thanks! How does this work with Github Actions, since they have slightly different behaviour with regards to i.e. I'm hoping the following should now work: version: 2
updates:
- package-ecosystem: "github-actions"
directories:
- "./github/workflows"
- "./github/actions/composite-a"
- "./github/actions/composite-b"
- "./github/actions/composite-c"
schedule:
interval: "weekly"
|
Question, is the beta available to Enterprise Cloud repos? |
I was trying this out and it doesn't seem to work. Well, it did group all the different directories in the dependabot tab, but then when there was a dependency update it only updated the first |
I'm seeing similar problems to @lucacome :( Now rather than getting 4 PRs in one day I'm going to see 4 PRs over 4 days (for the same dependency change), which isn't an improvement on toil, and makes things worse for timely updates. What's supposed to happen here is all 4 PRs rolled into one. It makes me wonder if anybody actually tested the 'beta'? |
@mhemmings I would expect this to work with composite actions. Did you experience different behavior? You can try using multi-directory support and grouping rules; that should work to update composite actions. cc @abdulapopoola |
@blu3mania yes, this beta should be available to Enterprise Cloud repos! |
@lucacome thank you for raising this to the team; this is unexpected behavior and we've created a bug which our team will prioritize fixing soon. |
@cpswan do you have grouping enabled? cc @abdulapopoola |
@carlincherry since you appear to have the higher authority to prioritize bugs, can this one be added #9071 as it is quite stale and cost me endless hours of extra manual labor that should not be necessary (dependabot is supposed to automate, not create more work than just typing It should be quite easy to fix too, it's happens most often when package.json isn't root so the logic for detecting nested manifests should be revised to rely on "node_modules" as an ancestor dir instead |
@carlincherry thanks for the pointer. Adding a group seems to get the behaviour I was expecting. It might be worth being more explicit about that in the documentation. Essentially Here's my working YAML fragment: - package-ecosystem: "docker"
directories:
- "/some_dockerfiles/"
- "/another_place/with_dockerfiles/"
schedule:
interval: "daily"
groups:
docker:
patterns:
- "*" |
Wouldn't that mean, that you no longer get multiple PRs for different dependencies? |
@ffried you don't have to use a |
@cpswan The anti-pattern starts a bit earlier for me. Having to use |
Here's an example of my config: - package-ecosystem: "terraform"
directories:
- "/env/prod"
- "/env/test"
- "/env/dev"
schedule:
interval: "weekly"
# I have also tried adding the group as described in previous comments
groups:
terraform:
patterns:
- "*" However, I only get updates for the first listed directory ( Edit: of course, as soon as I post this, dependabot opens a PR with grouped changes (I had retriggered dependabot previously, but maybe it was waiting for something more specific to happen). I will agree with others that having to add the groups feels a bit odd and I'd expect that if there was an update to one dependency in all the listed directory, that would effectively become one "group" eg: |
There's a world where a user sets up multi-directory configuration but also wants the unique PRs vs. grouped PRs generated; that's part of why we opted for the explicitness of requiring a defined group independently of single directory or multiple-directories configuration. I think we could do a better job documenting the expected behavior though, and I have a PR out to our docs team to get this improvement incorporated into the Dependabot docs |
I've been following along and waiting for the official release and can attest that I will have the use case for separate PRs. |
I'm not sure I understand the use case of having multi-directory config but wanting separate PRs, but it seems counterintuitive. Wouldn't it make more sense to have different entries in the config to keep things separate then? To me this feature is more similar to how the updates for GitHub Actions work now, it doesn't matter how many files I have, the same dependency gets updated in one PR across all the files. I wouldn't want all the updates in the directory list to be grouped together using |
@lucacome That's interesting. I would definitely prefer updating one dependency at a time for solo projects or projects where the team is small. But if I'm working on a repo where multiple teams have ownership over different parts of the code (this is often the case in microservice repos) I absolutely don't want to touch others' code, since then I'll have to get approval from everyone before it can get merged. I'd say there are usecases for both. 1 is more common, but 2 is more important to get right. |
We're getting close to wildcard functionality! We have a question about behavior you'd like or expect to see when you have overlapping directories. Give us your thoughts in this straw poll! #9823 Given an existing configuration file like 👇 version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "monthly"
reviewers: ["@person1"] And a user adds the following entry 👇 - package-ecosystem: "npm"
directories:
- "**/*"
schedule:
interval: "daily"
reviewers: ["@person2"] What would you expect or want to happen? Answer in the poll! #9823 |
@carlincherry Do you have a link to the docs as the only thing I can find about the Also, the example in the blog post is: version: 2
updates:
- package-ecosystem: "bundler"
directories:
- "/frontend"
- "/backend"
- "/admin"
schedule:
interval: "weekly" But that results in the behaviour I mentioned above, where dependabot only opens PRs for the first directory and does not try to update the other directories at all. I don't entirely understand why a Just as @lucacome pointed out, I'd really expect this to work like the For me, the benefit is that we can reduce the number of PRs dependabot makes when the same dependency needs updating in different directories and thus far less likely to hit the open PR limit. If we have to use groups, then we have to create a definition for each individual dependency in config, which isn't a particularly scalable or maintainable solution as it could mean creating hundreds of groups to get that behaviour (and it would need updating every time a new dependency was added). This seems counter to the stated objective in the blog post:
|
Our repo doesn't have a
pom.xml
file at/
but it does in multiple subdirectories (so/*/
). Dependabot didn't recognize the wildcard in the directory name when I put that in the config file. Is it possible to get wildcards recognized in the directory value of the config file?The text was updated successfully, but these errors were encountered: