Notify when Dependabot jobs encounter an error #3509
Comments
👋🏻 @sbrunner Thanks for opening an issue, this is definitely something we want to get to. I don't have an ETA right now that I can share but we definitely want to improve the visibility of job outcomes when a PR isn't created.
+1. @brrygrdn, this would be especially valuable for a Go project. For one of the projects that I work on, the Dependabot scanning quietly stopped working because we accidentally inherited an indirect dependency on a library that had at some point in the past violated the Go rule that a released package should not change its checksum. This would have been fixable with a replace directive in our project's go.mod if we were aware of Dependabot's failures, but we had no idea that Dependabot had stopped working for a long time. If something had emailed us or otherwise notified us to say that Dependabot got an error during dependency scanning, then we could have benefited from knowing much earlier. Unfortunately, this resulted in a long period of time where everything was working in our project's code and tests so we assumed that Dependabot was scanning our dependencies, but actually it was not scanning at all.
Currently, the only way to see that the last Dependabot run did not fail is to manually go to the Would it be possible to have Dependabot create a new Issue (instead of a PR) whenever a run fails? This issue would link to the
Probably the simplest solution would be to add an "Email each time a dependabot run fails" to the notification settings since there already exists logic to send out an email at the end of any run that has a security vulnerability. I don't believe that code exists in dependabot-core, that's probably in GitHub's code itself, so I'm not sure if this is the appropriate place to log the issue. Is there a better repo for this request?
Could also be addressed using a custom workflow by:
@jeffwidman Just checking in to see if there has been any progress with this request?
Is it possible to be notified when Dependabot has an error when it tries to do the update (e.g. "Dependabot can't resolve your Python dependency files"), or to have an API to be able to get them?
I need it because I survey many repositories...
Dependabot version 1 was opening an issue; this was enough for me :-)