Badges! #6
Beyond badges, it would be good to link to a page showing which dependencies are out of date. This could replace https://david-dm.org
Yes, please, badges and dashboard for reports on dependencies
You can get a kind of dashboard by using advanced GitHub issue search, for example, in my case: the closed PRs I had from dependabot on all my repos:
I've been holding off on this one until GitHub released their API for the dependency graph, as I think that's the way to do it. That should be just around the corner, and will let me build a really lightweight badge that needs almost no permissions. Stay with me!
Sure we do! 😸
I need this for my Python projects :'(
Hey @greysteil, this is even around 1000 times better than expected, dude!!!
I'm the creator and maintainer of js-gardener. Currently in the process of switching from greenkeeper to dependabot. It would be super nice to have even just a simple "enabled" badge. Outdated dependency check would be awesome as well obviously as it would replace david-dm. Looking forward to your upcoming work here!
Per the commands,
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme
@davidkassa I'm not sure I understand. Can you clarify?
Where should we pass the
to get the job done?
If you comment that on any Dependabot PR then it will give you the code to add an "enabled" badge to your README 🙂. (Sorry, should have commented that here a while ago - was waiting until I'd got a badge for outdated dependencies, too, but then got pulled onto something else!)
@greysteil You might want to submit a PR to Badgen too, which is a newer, faster version of shields: https://github.com/amio/badgen-service
Will do - no harm in being covered there, and if it's quicker it might be worth me switching. Thanks for the heads up.
@greysteil That's pretty useless for me. I'm injecting an inactive badge into the readme to indicate that the corresponding service is not yet enabled. Since the badge name cannot be predetermined, I can't do that. Any chance we could change the id to e.g. the repo name?
I opted against repo name as the identifier as it would create a minor security issue (you could use it to find the names of private repos owned by an organisation that was using Dependabot). Instead the identifier in there is the GitHub repo ID, which you can get from https://api.github.com/repos/your/repo. Apologies it's a faff for non-enabled repos - I couldn't think of anything more convenient that was still secure.
I think the main problem I have with this is that: I agree with your reasoning, however the industry standard seems to be to use an API key for private repos (Travis and Circle both do this). This is way more convenient since it solves (1) and makes (2) possible for public repos. Looking forward to your thoughts on this! Thank you very much for all your work!
Hmmm, I don't have an obvious answer for this. Adding API keys to Dependabot would be quite a lot of work - I appreciate CircleCI and Travis do it, but they're both teams of 50+ people and I'm one guy! Unless there are other compelling reasons for Dependabot to have them I'm not sure it's worth it for just this case. Can you think of any other way we could get around the security issue here? One way, for public repos, would be to allow the repo name to be passed as the identifier for public repos only. That would at least solve (2), but could be confusing without some accompanying work for "unknown" badges (a helpful show page explaining, perhaps).
I think a good solution would be This would allow you to later replace the repo id with a proper API key as well as solve my two issues I mentioned above. E.g. Circle is doing it as You could do that the exact same way except use the repo id instead of a generated custom token.
Cool, I've made the following updates:
You can now pass a repo name (in repo=account/name format) instead of an identifier for public projects
For private projects you need to pass an identifier (as currently), and can optionally also pass the repo name
For private projects, if the two conflict then you'll get a 400 instead of a badge (I'll change that to an unauthorized badge soon)
Implementing the above was surprisingly hard. In particular, knowing when to serve the 400 and be confident that Dependabot wasn't leaking the name of a private repository is fiddly. It's done and the same logic will be re-usable for outdated dependencies badge later, so I'll try not to beat myself up over the 4 hours it took! 😅
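The lookup rules described in the update above (a repo name is accepted for public projects, private projects need the identifier and may add the name, and a conflict between the two gets a 400), written out as an added Ruby example. This is not Dependabot's own code: the repository table, the IDs and names in it, and the `id`/`repo` parameter names are constructed assumptions. The example applies the conflict check to public projects as well (the comment only spells it out for private ones) and makes a name-only lookup of a private repository return exactly the same "unknown" badge as a repository that does not exist, which is the leak the comment is trying to avoid.

```ruby
# Added example, not Dependabot's code. The badge lookup is modelled as a
# pure function over a constructed repository table so the private-repo
# behaviour can be checked directly.
require "json"

# Constructed sample data keyed by GitHub repository ID (assumption: the real
# service keys its records the same way, since the ID is what the badge URL
# carries for private projects).
REPOS = {
  101 => { name: "octo/public-widget",  private: false, status: "up-to-date" },
  202 => { name: "octo/secret-service", private: true,  status: "active" }
}.freeze

UNKNOWN_BADGE = { kind: "badge", status: "unknown" }.freeze
BAD_REQUEST   = { kind: "error", code: 400 }.freeze

def status_badge(status)
  { kind: "badge", status: status }
end

# Resolve a badge request from its query parameters.
#   params["id"]   - GitHub repository ID as it arrives in the query string
#   params["repo"] - repository name in "account/name" form
# Both parameter names are assumptions. Returns a hash describing the
# response; badge_json serialises it for a JSON flavour of the endpoint.
def badge_for(params, repos = REPOS)
  id_param   = params["id"]
  name_param = params["repo"]
  return BAD_REQUEST if id_param.nil? && name_param.nil?

  if id_param
    id     = Integer(id_param, exception: false)
    record = id && repos[id]
    # An ID that is not on file gets the same "unknown" badge as a repo
    # that is simply not enabled, so the response confirms nothing.
    return UNKNOWN_BADGE unless record

    # The name is optional alongside the ID, but when both are supplied they
    # must refer to the same repository (compared case-insensitively, as
    # GitHub names are). The comment above specifies this for private
    # projects; applying it to public ones too is an assumption.
    return BAD_REQUEST if name_param && !name_param.casecmp?(record[:name])

    return status_badge(record[:status])
  end

  # Name-only lookup: only public repositories are matched, so a private
  # repository and a non-existent one yield byte-for-byte the same response.
  record = repos.values.find { |r| !r[:private] && r[:name].casecmp?(name_param) }
  record ? status_badge(record[:status]) : UNKNOWN_BADGE
end

# JSON variant of the same lookup.
def badge_json(params, repos = REPOS)
  badge_for(params, repos).to_json
end

# Self-check to run against the real table: every private repository must be
# indistinguishable, by name alone, from one that is not there at all.
def private_names_hidden?(repos = REPOS)
  absent = badge_for({ "repo" => "nobody/does-not-exist" }, repos)
  repos.values.select { |r| r[:private] }.all? do |r|
    badge_for({ "repo" => r[:name] }, repos) == absent
  end
end

if $PROGRAM_NAME == __FILE__
  puts badge_json({ "repo" => "octo/public-widget" })   # public: real status
  puts badge_json({ "repo" => "octo/secret-service" })  # private by name: unknown
  puts badge_json({ "id" => "202", "repo" => "octo/other" }) # conflict: 400
end
```

The deciding detail is that the "not found" path and the "private, looked up by name" path share one constant rather than two similar-looking responses; `private_names_hidden?` is the regression check that keeps it that way as the table grows.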
Great addition. Well worth the four hours, if you ask me.
… On Jul 28, 2018, at 9:24 AM, Grey Baker ***@***.***> wrote:
Cool, I've made the following updates:
You can now pass a repo name (in repo=account/name format) instead of an identifier for public projects
For private projects you need to pass an identifier (as currently), and can optionally also pass the repo name
For private projects, if the two conflict then you'll get a 400 instead of a badge (I'll change that to an unauthorized badge soon)
Implementing the above was surprisingly hard. In particular, knowing when to serve the 400 and be confident that Dependabot wasn't leaking the name of a private repository is fiddly. It's done and the same logic will be re-usable for outdated dependencies badge later, so I'll try not to beat myself up over the 4 hours it took 😉
@styfle - FYI, I switched to Badgen and am super happy with it. Thanks for the recommendation!
Sweet! Thank you very much! Totally worth it in my opinion! :) Just added an update to js-gardener to inject the dependabot status badge. Everything seems to work great! Regarding the dependency badge: I really like what david-dm is doing by having a status page. It would be great to have a link for that badge to a custom page instead of just linking to the root of dependabot.com like the status badge does. Initially it could be a very simple page (maybe just display the badge again?), but that would allow you to build on that. I would love to eventually be able to replace david-dm with dependabot. Thoughts?
Glad you like it! And yeah, I wouldn't dream of creating a dependencies badge that isn't backed by a status page - getting that status page built is the blocker, but I'll get on it!
Can we somehow test drive the new badges?
Yes! @feelepxyz is doing the status page work over the next week or so - we'll let you know when it's done.
Hey @greysteil Is the status page done?
Not yet - we crunched on config files in the end. Show pages for update configs (with all their dependency details) are likely to be the next thing we work on, though 🙂
What's the status of this issue?
Still the same as the above, I'm afraid.
This is now working. Just comment on a dependabot PR with
We're going to have a really big update on the show view for update configs soon (likely in May), but I don't want to spill the beans on it yet. 🙂
@yss14 Can you clarify what exactly is working? Are dependency status pages available now?
@simlu Sorry, I must have overlooked a comment above where this was already mentioned. I was referring to the plain badge.
@greysteil I'm counting the days :)
Is it possible to specify the style of the badge, like https://badgen.net or https://shields.io? I tried
OK, so the update here is that Dependabot has been acquired by GitHub! As a result, we're going to be working with the dependency graph team to integrate a view of how up-to-date you are there, add details of any dependencies you're ignoring, etc. It's a big project! But given that full integration with GitHub is the way that we're going I'm going to close this. @AndrewLeedham that's not configurable at the moment, but behind the scenes we're using badgen to generate Dependabot's compatibility score badges, so it wouldn't be too tricky for me to change for
Congrats @greysteil!!! 👏 👏 👏 Your product truly rocks, it was just a matter of time 🙏
Thanks @greysteil. The flat square style, perhaps passing subdomain forward would work with badgen?
Congrats!!!
@greysteil Any updates on this?
None, and I have too many things on my plate to promise anything. 😞 There is some good news, though - Dependabot returns JSON from its badge endpoints if requested, so it should be possible to add the code directly to badgen...
Oooh that is good news. Can you point me in the right direction of that endpoint, is it documented anywhere?
Sure can - it's exactly the same API as the badges themselves come from, just with the accept header set to So would be https://api.dependabot.com/badges/status?host=github&repo=yss14/musicshare. For private repos you have to add
@greysteil Thanks for this, I'll work on implementing it into badgen. What are the possible values for
Just "github", and now that they own Dependabot that's unlikely to change!
🚀 I implemented the dependabot badge in badgen and it has been merged badgen/badgen.net#288 use https://flat.badgen.net/dependabot/user/repo?icon=dependabot 😃
Nice one @AndrewLeedham! Thanks 😄
Badges provide a great way to see whether a project's dependencies are up-to-date at a glance. With Gemnasium no longer operating, it would be particularly nice to provide them.