nuget: fix PR missing commits in message when using private registry #5002
This approach makes sense to me! Thanks for the detailed explanation!
Agree that it's best to avoid downloading the .nupkg.
@dependabot/reviewers This is ready for review now.
👍🏻 I like this approach,
Context
Dependabot PRs are missing the release notes and commits sections that we expect them to have when using a private NuGet registry like nuget.pkg.github.com.
This is because the GitHub NuGet registry doesn't support downloading .nuspec files currently, and this is the way we're finding the source repo of the project. The .nuspec URL is part of the NuGet Server spec.

A solution
This PR adds a fallback to try to find the projectUrl or licenseUrl in the search data, which might contain the repo. The search URL is supported by GitHub Packages and the official NuGet server.
This will require users to enter a repo URL in the projectUrl, instead of the repositoryUrl field, since repositoryUrl isn't exposed in the search endpoint. The only way to get to that repositoryUrl seems to be in that .nuspec file.
Another possible solution is downloading the .nupkg and extracting the .nuspec, but I think that could have an effect on billing and that is probably undesirable. Also there's a risk the .nupkg is quite large since it contains binaries.
We could also ask GitHub Packages to implement that endpoint, this PR is meant as a stopgap or fallback when the nuspec is not available.

No tests yet: Wanted to get buy-in from the approach here.
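
A sketch of the fallback described above, as an added example that is not the PR's or Dependabot's own code: it reads projectUrl and licenseUrl from a NuGet search response and accepts one only if it is an https URL on an allowlisted source host. The helper names, the host allowlist and the sample JSON are assumptions constructed for illustration.

```ruby
require "json"
require "uri"

# Assumed allowlist of source hosts; not taken from the PR.
SOURCE_HOSTS = %w(github.com gitlab.com bitbucket.org).freeze

# Constructed sample of a NuGet search response (not real registry output).
SAMPLE_SEARCH_JSON = <<~JSON
  {"data": [
    {"id": "Example.Lib.Extras", "projectUrl": "https://github.com/other/extras"},
    {"id": "Example.Lib",
     "projectUrl": "https://example.test/docs",
     "licenseUrl": "https://github.com/example-org/example-lib/blob/main/LICENSE"}
  ]}
JSON

# Hypothetical helper: returns "https://host/owner/repo" or nil.
def source_repo_from_search(search_json, package_id)
  entries = JSON.parse(search_json).fetch("data", [])
  # Search can return several packages, so require an exact
  # (case-insensitive) id match instead of taking the first hit.
  entry = entries.find { |e| e["id"].to_s.casecmp?(package_id) }
  return nil unless entry

  # projectUrl first, then licenseUrl, as in the PR description.
  %w(projectUrl licenseUrl).each do |field|
    repo = repo_root(entry[field])
    return repo if repo
  end
  nil
end

# Accept only https URLs on an allowlisted host with an owner/repo path.
def repo_root(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTPS)
  return nil unless SOURCE_HOSTS.include?(uri.host.to_s.downcase)

  owner, repo = uri.path.to_s.split("/").reject(&:empty?).first(2)
  return nil unless owner && repo

  "https://#{uri.host.downcase}/#{owner}/#{repo.delete_suffix('.git')}"
rescue URI::InvalidURIError
  nil
end
```

Both fields are metadata supplied by the package publisher, which is why the sketch checks the scheme and host before treating a value as the source repo.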