dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page:https://docs.github.com/en/code-security/dependabot


Gradle Dependabot Group pattern error

pexa-ashek opened this issue

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Gradle

Package manager version

8.2.1

Language version

Kotlin

Manifest location and content before the Dependabot update

build.gradle.kts (relevant section)

val postgresqlVersion: String by extra
val flywayCoreVersion: String by extra
val moshiVersion: String by extra
val logbackVersion: String by extra
apply(from = "versions.gradle.kts")
dependencies {
	implementation("org.springframework.boot:spring-boot-starter-actuator")
	implementation("org.springframework.boot:spring-boot-starter-logging")
	implementation("org.springframework.boot:spring-boot-starter-validation")
	implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
	implementation("org.postgresql:postgresql:$postgresqlVersion")
	implementation("org.flywaydb:flyway-core:$flywayCoreVersion")
	implementation("com.squareup.moshi:moshi:$moshiVersion")
	implementation("com.squareup.moshi:moshi-adapters:$moshiVersion")
	implementation("com.squareup.moshi:moshi-kotlin:$moshiVersion")
	implementation("ch.qos.logback:logback-classic:$logbackVersion")
	implementation("ch.qos.logback:logback-core:$logbackVersion")
	implementation("ch.qos.logback:logback-access:$logbackVersion")
}

versions.gradle.kts

mapOf(
    "moshiVersion" to "1.15.1",
    "flywayCoreVersion" to "9.22.2",
    "logbackVersion" to "1.4.14",
).forEach { (name, version) ->
    project.extra.set(name, version)
}

dependabot.yml content

updates:
  - package-ecosystem: "gradle"
    directory: "/"
    registries:
      - Artifactory
    schedule:
      interval: "daily"
      time: "08:30"
      timezone: "Australia/Melbourne"
    labels:
      - "kotlin"
    commit-message:
      prefix: "NOJIRA | Dependabot | "
    groups:
      spring-dependencies:
        patterns:
          - "org.springframework*"
        update-types:
          - "major"
          - "minor"
      db-dependencies:
        patterns:
          - "org.postgresql*"
          - "org.flywaydb*"
        update-types:
          - "major"
          - "minor"
      square-dependencies:
        patterns:
          - "com.squareup*"
        update-types:
          - "major"
          - "minor"
      logback-dependencies:
        patterns:
          - "ch.qos.logback*"
        update-types:
          - "major"
          - "minor"

What you expected to see, versus what you actually saw

I'm getting the below error when applying the Gradle Dependabot configuration (see above), where I'm only interested in major and minor version updates to the specified dependencies in the defined group. Am I missing some attributes under groups, or is there a problem with the pattern regex itself?

Additional question
Is Dependabot able to scan the dependency version when the version config file (in my case versions.gradle.kts) has been externalised from the build.gradle.kts file?

Error log

updater | 2024/05/29 22:51:47 INFO <job_834701292> Starting job processing
updater | 2024/05/29 22:51:47 WARN <job_834701292> Please check your configuration as there are groups where no dependencies match:
updater | - gradle
updater | 
updater | This can happen if:
updater | - the group's 'pattern' rules are misspelled
updater | - your configuration's 'allow' rules do not permit any of the dependencies that match the group
updater | - the dependencies that match the group rules have been removed from your project
updater | 
updater | 2024/05/29 22:51:47 INFO <job_834701292> Starting grouped update job for ***/**service
updater | 2024/05/29 22:51:47 INFO <job_834701292> Found 1 group(s).
updater | 2024/05/29 22:51:47 WARN <job_834701292> Skipping update group for 'gradle' as it does not match any allowed dependencies.
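
A way to cross-check the posted configuration against the posted log, as an added example (not part of the original issue and not Dependabot's own code). It assumes dependency names take the form group:artifact and that `*` in a group pattern matches any run of characters, case-insensitively; the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Group patterns copied from the dependabot.yml in the issue.
GROUPS = {
    "spring-dependencies": ["org.springframework*"],
    "db-dependencies": ["org.postgresql*", "org.flywaydb*"],
    "square-dependencies": ["com.squareup*"],
    "logback-dependencies": ["ch.qos.logback*"],
}

# Four dependency lines copied from the build.gradle.kts in the issue.
BUILD_FILE = '''
implementation("org.springframework.boot:spring-boot-starter-actuator")
implementation("org.postgresql:postgresql:$postgresqlVersion")
implementation("com.squareup.moshi:moshi:$moshiVersion")
implementation("ch.qos.logback:logback-classic:$logbackVersion")
'''

# Two log lines copied from the issue.
LOG = '''
updater | 2024/05/29 22:51:47 INFO <job_834701292> Found 1 group(s).
updater | 2024/05/29 22:51:47 WARN <job_834701292> Skipping update group for 'gradle' as it does not match any allowed dependencies.
'''

def dependency_names(build_text):
    """Return 'group:artifact' names from implementation("...") lines."""
    coords = re.findall(r'implementation\("([^"]+)"\)', build_text)
    return [":".join(c.split(":")[:2]) for c in coords]

def empty_groups(groups, names):
    """Groups whose patterns match none of the names (assumed wildcard rules)."""
    return [g for g, pats in groups.items()
            if not any(fnmatchcase(n.lower(), p.lower())
                       for n in names for p in pats)]

def log_summary(log_text):
    """Return (group count, skipped group names) as reported by the updater."""
    count = re.search(r"Found (\d+) group\(s\)", log_text)
    skipped = re.findall(r"Skipping update group for '([^']+)'", log_text)
    return (int(count.group(1)) if count else None), skipped

def unknown_groups(groups, log_text):
    """Skipped group names in the log that the config does not define."""
    return [g for g in log_summary(log_text)[1] if g not in groups]

if __name__ == "__main__":
    print("groups matching nothing:", empty_groups(GROUPS, dependency_names(BUILD_FILE)))
    print("log reports:", log_summary(LOG))
    print("in log, not in config:", unknown_groups(GROUPS, LOG))
```

On the values from the issue, no group comes out empty under the assumed matching rules, and the log's single group, 'gradle', is not one of the four group names in the posted dependabot.yml.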