
Set up Dependabot #2195

Closed
vorburger opened this issue Sep 25, 2023 · 5 comments · Fixed by #2196 or #2234
Assignees
Labels
effort:small Small effort - 2 days security type:build Issues related to code build

Comments

@vorburger
Member

vorburger commented Sep 25, 2023

While looking at #2185 I noticed something else technically unrelated which IMHO would also be good to set up:

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates

I'll have a go at seeing if I can enable this (it should either be not very hard, or if there is something particular I'm missing that's specific to Gradle for Android that's a big enough PITA that it's not worth pursuing it further).

The expected result would be to start seeing https://github.com/MariaDB4j/MariaDB4j/pulls?q=is%3Apr++label%3Adependencies+ on this repo. (And on https://github.com/google/android-fhir/security/dependabot as well as on https://github.com/google/android-fhir/network/updates) We can tune the frequency and such things, if required (I've done it before).

@fredhersch @jingtang10 @omarismail94 @williamito FYI (please do shout here if there is any particular reason why this project would not want to benefit from automated dependency upgrades).

@vorburger vorburger added security effort:small Small effort - 2 days type:build Issues related to code build labels Sep 25, 2023
@vorburger vorburger self-assigned this Sep 25, 2023
vorburger added a commit that referenced this issue Sep 25, 2023
@vorburger
Member Author

PR #2196 alone might actually not suffice (but is probably still required); I suspect both that one to make a start but then also a solution for #2194 is required... let's just try and see!

@jingtang10
Collaborator

omarismail94 added a commit that referenced this issue Oct 6, 2023
Co-authored-by: Omar Ismail <44980219+omarismail94@users.noreply.github.com>
@vorburger
Member Author

Re-opening, this is NOK, see e.g. https://github.com/google/android-fhir/runs/17467825398:

Dependabot couldn't parse the config file at .github/dependabot.yaml. The error raised was:

(<unknown>): did not find expected key while parsing a block mapping at line 3 column 1

@vorburger
Member Author

> Re-opening, this is NOK, see e.g. https://github.com/google/android-fhir/runs/17467825398:

This doesn't happen anymore (after #2234).

But https://github.com/google/android-fhir/settings/security_analysis still says "Dependabot version updates. Allow Dependabot to open pull requests automatically to keep your dependencies up-to-date when new versions are available." as if this wasn't configured yet.

> have you seen this https://medium.com/@vladyslav.hontar/dependabot-in-action-d9b56b2be86c?

This looks like what we may have to do... I'll try this out some time.

@vorburger
Member Author

Duh, e.g. https://github.com/google/android-fhir/runs/17521930462 (et al) now fails with:

Your .github/dependabot.yaml contained invalid details
Dependabot encountered the following error when parsing your .github/dependabot.yaml: The property '#/' contains additional properties ["open-pull-requests-limit"] outside of the schema when none are allowed.

At this point, I'm just going to remove that open-pull-requests-limit thing, for now; see #2242.
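As an added example (not the repository's actual .github/dependabot.yaml, which this page does not reproduce), here is a Dependabot configuration for a Gradle project that stays inside the version-2 schema. The second error above is what the schema validator reports when open-pull-requests-limit is placed at the top level: it is a per-update-entry key, so it has to sit under an entry in the updates list. The first error is the kind the YAML parser raises for a mis-indented block mapping. The schedule interval, labels and directories are assumptions, not values taken from the project.

```yaml
# Added example configuration, not the android-fhir repository's own file.
# Only the top-level keys the Dependabot v2 schema defines belong here
# ("version", "updates", "registries"). A top-level
# "open-pull-requests-limit" is what produces the error
#   The property '#/' contains additional properties ["open-pull-requests-limit"]
version: 2
updates:
  # Gradle build dependencies (the Android build in this project).
  - package-ecosystem: "gradle"
    directory: "/"            # where build.gradle / settings.gradle live (assumed root)
    schedule:
      interval: "weekly"      # assumed cadence; "daily" and "monthly" are also valid
    # Per-entry key: this is the correct home for the limit that was rejected.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"        # the label the issue expects to filter PRs by
    # Every key under an entry must be indented to the same column as
    # "package-ecosystem"; a stray indent or tab here is the usual cause of
    # "did not find expected key while parsing a block mapping".

  # GitHub Actions workflows are a separate ecosystem and need their own entry,
  # so the action versions pinned in .github/workflows get updates too.
  - package-ecosystem: "github-actions"
    directory: "/"            # Dependabot looks in .github/workflows under this directory
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```

GitHub reads the file from .github/dependabot.yml or .github/dependabot.yaml on the default branch; once a commit with a file that passes both the YAML parse and the schema check lands there, the "Dependabot version updates" entry in the repository's security settings shows as enabled and the run log stops reporting configuration errors.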

Projects
Status: Complete
2 participants