Notify when Dependabot jobs encounter an error #3509

Open
sbrunner opened this issue Apr 18, 2021 · 7 comments

Labels
E: api-support (APIs for consuming and managing Dependabot features and data)
F: error-messages (Better communicate expected errors)
F: github-ui (Issues related to any part of the Dependabot UI in GitHub)
service 💁 (Relates to Dependabot features GitHub provides)
T: feature-request (Requests for new features)

Comments

@sbrunner

Is it possible to be notified when Dependabot has an error when it tries to do the update (e.g. "Dependabot can't resolve your Python dependency files"), or to have an API to be able to get them?

I need it because I survey many repositories...

Dependabot version 1 was opening an issue, this was enough for me :-)

@sbrunner sbrunner added the T: feature-request Requests for new features label Apr 18, 2021
@brrygrdn
Contributor

👋🏻 @sbrunner Thanks for opening an issue, this is definitely something we want to get to. I don't have an ETA right now that I can share but we definitely want to improve the visibility of job outcomes when a PR isn't created.

@cfryanr

cfryanr commented Dec 16, 2021

+1. @brrygrdn, this would be especially valuable for a Go project.

For one of the projects that I work on, the Dependabot scanning quietly stopped working because we accidentally inherited an indirect dependency on a library that had at some point in the past violated the Go rule that a released package should not change its checksum. This would have been fixable with a replace directive in our project's go.mod if we were aware of Dependabot's failures, but we had no idea that Dependabot had stopped working for a long time. If something had emailed us or otherwise notified us to say that Dependabot got an error during dependency scanning, then we could have benefited from knowing much earlier. Unfortunately, this resulted in a long period of time where everything was working in our project's code and tests so we assumed that Dependabot was scanning our dependencies, but actually it was not scanning at all.

@jurre jurre added the service 💁 Relates to Dependabot features GitHub provides label Dec 16, 2021
@mwaddell
Contributor

Currently, the only way to see that the last dependabot run did not fail is to manually go to the /network/updates page for each repository individually and make sure that none of them show an error of any kind.

Would it be possible to have dependabot create a new Issue (instead of a PR) whenever a run fails?

This issue would link to the /network/updates page itself in the case of a parsing error, such as:

image

This issue would link to the /network/update/<ID> page in the case of a failure of a particular ecosystem, such as:

image

@mwaddell
Contributor

The issue of dependabot failing silently could also be resolved by reenabling the badges (see task #1912 and #1960), but using issues instead might be a simpler approach than creating a whole new set of endpoints to serve up badges...

@mwaddell
Contributor

Probably the simplest solution would be to add an "Email each time a dependabot run fails" to the notification settings since there already exists logic to send out an email at the end of any run that has a security vulnerability. I don't believe that code exists in dependabot-core, that's probably in github's code itself, so I'm not sure if this is the appropriate place to log the issue. Is there a better repo for this request?

image

@mwaddell
Contributor

mwaddell commented Jan 29, 2022

Could also be addressed using a custom workflow by:

@jeffwidman jeffwidman added E: api-support APIs for consuming and managing Dependabot features and data F: error-messages Better communicate expected errors labels Feb 2, 2023
@jeffwidman jeffwidman changed the title from "Notification on error" to "Notify when Dependabot jobs encounter an error" Feb 10, 2023
@jeffwidman jeffwidman added the F: github-ui Issues related to any part of the Dependabot UI in GitHub label Feb 10, 2023
@darokel

darokel commented Jun 3, 2024

@jeffwidman Just checking in to see if there has been any progress with this request?

7 participants