Add separate setting for source branch #15567
Unanswered
Andre601
asked this question in
Code Security
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Right now does Dependabot only offer a
updates[].target-branch
setting that according to the docs is using the specified branch as both the source and final target branch for a PR.This setup has its flaws, which can be most prominent when you have a repository with multiple modules that each have their own package management (i.e. a multi-module Maven project).
When dependabot now finds an update in a dependency, and this dependency is used across multiple modules, will it make separate PRs for each of those modules.
While this isn't as much of a problem, will it become one if the dependency bump is a breaking change and you have a CI set up that builds of the same target branch as configured in Dependabot.
Merging those PRs into the target branch can (and probably will) now create failed builds as one module has the bumped version, while the others don't.
I'll give a quick example with a list of events:
Example
4 modules using Maven.com.example:Example
which is on version1.2.3
main
branchmain
as target-branch for all modules.com.example:Example
has a new version2.0.0
(Changelog mention breaking changes)From this example alone, which is based on one of my own repositories, can you see that the CI would report 2 failed builds because of the PRs all targeting the main branch and the PRs being separate.
While I can see the option of having all bumps for a particular package ecosystem being in the same PR do I feel like keeping them separate is a good idea, especially if for some reason the bump of the dependency in one module isn't wanted (Can also be used for actions that trigger on labels or for particular pushes to certain modules).
Also, you could obviously just have a separate branch for dependency updates that gets merged back into the main branch regularly, but I feel like this is a bit more effort than needed, because you would also need to constantly sync it with main again.
Having a setting to define one branch to check and another one to PR changes towards would be a good idea, as it could also allow you to tweak a few things (i.e. update code that would no longer work with the new version) before merging it back into the main branch to build.
Beta Was this translation helpful? Give feedback.
All reactions