dependabot / feedback

The old feedback repository for Dependabot. Click below for the new repository.

Home Page: https://github.com/dependabot/dependabot-core

Dependabot doesn't observe config

echarrod opened this issue

Dependabot has been respecting the config file previously, but this PR was created which didn't use any of the settings we defined:
getyoti/yoti-python-sdk#196

@echarrod we've just released a new version of dependabot that aims to improve this situation. Currently we're running two apps, one called Dependabot Preview which you manage using .dependabot/config.yml and another one that's just called dependabot which by default will only create security-only updates. You can configure this new app to also update all of your dependencies on a schedule using a config file.

You can move to this new config format by clicking Update config file in the Dependabot dashboard. This will create a PR that deletes the existing config file and adds a new one to .github/dependabot.yml. This new config file will also configure the security updates if the package-ecosystem and directory match. In your case you might need to add a new config file entry that looks something like:

- package-ecosystem: pip
  directory: "examples/yoti_example_django"
  schedule:
    interval: daily

You can find docs for the new config file format here: https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

The new version doesn't currently support live schedules so this will be changed to daily. Please let me know if live schedule is important to you as we're considering feedback to build it into the new version.

Hi @feelepxyz, thanks for the response.
When I follow the link it shows this:
[image]
And when I proceed it shows me this:
[image]
When I click "configure" for the org, it just takes me to the "installed github apps" settings page on my org. I don't seem to be able to access the dependabot dashboard like I could before.
Is this behaviour intended?

@echarrod hm not sure what's going on but you could try going to the "installed github apps" page and uninstalling the dependabot preview app and then trying to visit the dashboard again to re-install. The dashboard should reset if you already had config set up.

Managed to access it by uninstalling and reinstalling. "Daily" update is fine for us by the way, we don't need "live", thanks.

Just updating the config now.

I see it's added the package exceptions to the config now, that we've previously added with "@dependabot ignore". Will they be added automatically to the config when we use "dependabot ignore", and automatically get removed when dependabot creates a new PR pertaining to that package?

👍

I see it's added the package exceptions to the config now, that we've previously added with "@dependabot ignore". Will they be added automatically to the config when we use "dependabot ignore", and automatically get removed when dependabot creates a new PR pertaining to that package?

Not yet, we're looking at making this experience better. You can revert to the existing behaviour using @dependabot ignore if you delete the ignore section from your config file. The downside is that you'll need to re-ignore things using the command from PRs until you're back at the same ignores.

Ok thanks, think we'll keep it out of our config then, as it's so dynamic, and re-add with @dependabot ignore. Thanks! Happy if you want to close this now
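
For reference, an added example (not posted in the thread and not the repository's actual file) of how the entry suggested above and an ignore section sit together in a complete .github/dependabot.yml. The root-directory entry, the ignored dependency name and its version range are constructed placeholders.

```yaml
# .github/dependabot.yml (new config format discussed in this thread)
version: 2
updates:
  # Assumed entry for a manifest at the repository root (placeholder).
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily

  # Entry suggested in the thread. Per the reply above, security updates
  # are also configured by this entry when package-ecosystem and directory
  # match the manifest location.
  - package-ecosystem: pip
    directory: "examples/yoti_example_django"
    schedule:
      # "live" schedules are not supported in the new version; daily is used.
      interval: daily
    # Ignores carried over into the config file. Per the thread, deleting
    # this whole "ignore" block reverts to ignores managed with
    # "@dependabot ignore" comments on PRs, which then have to be re-issued.
    ignore:
      - dependency-name: "example-package"   # constructed placeholder
        versions: ["2.x"]                     # constructed placeholder
```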