dependabot / feedback

The old feedback repository for Dependabot. Click below for the new repository.

Home Page: https://github.com/dependabot/dependabot-core

dependabot.yml

danielbayley opened this issue · comments

Why the requirement of a .dependabot/ subfolder? Why not also have the option of [.]dependabot.y[a]ml at the project root?

@danielbayley 👋 we're working on a GitHub integrated version and moving the config file to: .github/dependabot.yml

@feelepxyz So does that file work as of now? Also, it still forces a .github/ subfolder…

Not released yet. Yeah, still a subfolder but already used for a bunch of GitHub specific config, e.g. Actions, so makes sense to keep it all there.

tbh I would just store it where github normally stores the actions, but for projects like mine using the preview it would be nice for dependabot to pull request and merge it in ignoring any CI in this case.
(That is for the repositories that currently use dependabot-preview)

btw any Docs yet on the dependabot.yml?

Does it also allow bundling of all updates to single pr too as well as defining an update chain to check for like what I suggested in #930?

Don't yet support bundling, it's on a roadmap but will be a few months until we've completed rolling out the new version.

Oh ok cool, btw is it possible to also make it where we can tell dependabot a certain order of repositories where after it checks and merges all of 1, then after a while check higher up in a repository chain (in case updating the base repository triggers a new package deployment) that way everything is truly up-to-date?

Ah not yet, we're considering bringing back support for live schedules which might be what you're after?

ah that might be it.

Going to close this out as we've now moved the config to .github/dependabot.yml and published docs here: https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

Ah, now I know why it seems to check for updates once a day: because it does. Perhaps in the future there would be a valid option for those developers who want to have it updated more frequently than that (like the .NET Core framework / runtime projects, for example).