
Read from dependabot.yml file #716

Open
craigta opened this issue Dec 11, 2021 · 2 comments · May be fixed by #888

Comments


craigta commented Dec 11, 2021

Hi, I'm not sure where to ask the question so I'm posting here. Happy to engage wherever necessary for help.

My setup is:
I have my code in Azure Devops
I'm using the docker image provided via dependabot-script
I'm running this locally for now and will integrate the docker image run into our Azure Devops setup next

My goal:
I want to run dependabot to update our nugets at the patch level; I don't want it to make updates to major/minor. I also wanted to 'slow drip' the updates, i.e. only send in 1 or 2 to start with, and I would run the script on a schedule to do this, say weekly or so to start with, and allow individual depots to tweak this per their liking.

To do this, I wanted to run dependabot and have it ignore major and minor updates and set a pull request limit. I found the dependabot.yml configuration details, but I'm having trouble with getting the dependabot-script to read from the yaml to make use of my config, which I want to be checked in per devops endpoint

I want to run the dependabot-script against other depots, with each depot defining their own configuration of things to upgrade and check

I created a folder .github and placed a dependabot.yml with these contents there:

```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 1
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
```

Any ideas on how to get this file read, if I need to place somewhere else, or if there is another way to provide this level of config?

@rimas-kudelis (Contributor) commented

@craigta that documentation is for Github-native Dependabot. I don't think dependabot-native will read that file for you, just like it won't read the pre-github .dependabot/config.yml.

With dependabot-script, pretty much everything is configured via environment, and it seems like the configuration options are, sadly, rather limited.

However, since the Docker image simply runs generic-update-script.rb, you could extend that script to support additional options. Heck, even I could probably do that (with my zero knowledge of Ruby), since they don't require tests in this repo. 😀 The relevant class in this case seems to be Dependabot::UpdateCheckers which is used here:

```ruby
checker = Dependabot::UpdateCheckers.for_package_manager(package_manager).new(
  dependency: dep,
  dependency_files: files,
  credentials: credentials,
)
```

The class itself is here and it seems to accept way more arguments than used in the generic-update-script.rb script.


craigta commented Feb 25, 2022

@rimas-kudelis the update checker only takes ignore_versions, not the full set of IgnoreConditions that would allow what I'm looking for. So I can pass in an array of versions like:

```ruby
ignore_versions = [
  ">= 0, <= 15"
]
```

But that doesn't give me the ability to skip major/minor versions as far as I can tell. Open to ideas, but it doesn't seem to be supported by default. I see there is some UpdateConfig that does something with the IgnoreCondition object, but I'm still trying to figure out how that works (new to Ruby at the moment, but learning!)
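The two comments above describe the gap: generic-update-script.rb only passes `ignore_versions` (plain requirement strings) to the update checker, while the checked-in dependabot.yml expresses the intent as `update-types`. The script below is an added example, not code from dependabot-script or dependabot-core, showing one way to bridge that gap in the script: parse the dependabot.yml from the issue (embedded inline here as a constructed string), match the `ignore` entries against a dependency name, and translate the `update-types` into `ignore_versions`-style range strings computed from the dependency's current version, using only Ruby's stdlib `Gem::Version`/`Gem::Requirement`. The helper names (`update_config_for`, `ignore_ranges_for`, `ignore_versions_for`, `allowed_versions`) are hypothetical; the `"<major>.a"` prerelease lower bound and the mapping of update-types to ranges are this example's own emulation of GitHub-native Dependabot's semantics, not dependabot-core's IgnoreCondition implementation. Note that the real checker parses ignore strings with the NuGet requirement class, so the `.a` suffix used here is an assumption that would need to be re-checked against that parser.

```ruby
require "yaml"
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby's stdlib

# Constructed copy of the .github/dependabot.yml from the issue, inlined so the
# example runs offline. In the real script this would be File.read from the repo.
DEPENDABOT_YML = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "nuget"
      schedule:
        interval: "daily"
      open-pull-requests-limit: 1
      ignore:
        - dependency-name: "*"
          update-types: ["version-update:semver-major", "version-update:semver-minor"]
YAML

# Return the `updates` entry for one package ecosystem, or nil if there is none.
# safe_load rejects arbitrary object tags, so a malicious config cannot instantiate classes.
def update_config_for(yaml_text, ecosystem)
  doc = YAML.safe_load(yaml_text)
  raise "unsupported dependabot.yml version #{doc['version'].inspect}" unless doc["version"] == 2
  (doc["updates"] || []).find { |u| u["package-ecosystem"] == ecosystem }
end

# Translate `update-types` into requirement strings in the same ">= x, < y" format
# the update checker's ignore_versions already accepts. The ".a" suffix is a RubyGems
# prerelease marker, so ">= 2.a" also covers 2.0.0-beta1 (assumption: emulates the
# GitHub-native semantics; not dependabot-core's own IgnoreCondition code).
def ignore_ranges_for(current_version, update_types)
  # .release strips a prerelease tag from the current version; pad to three segments.
  major, minor, patch = (Gem::Version.new(current_version).release.segments + [0, 0, 0]).first(3)
  ranges = []
  ranges << ">= #{major + 1}.a" if update_types.include?("version-update:semver-major")
  if update_types.include?("version-update:semver-minor")
    ranges << ">= #{major}.#{minor + 1}.a, < #{major + 1}.a"
  end
  if update_types.include?("version-update:semver-patch")
    ranges << ">= #{major}.#{minor}.#{patch + 1}.a, < #{major}.#{minor + 1}.a"
  end
  ranges
end

# Collect ignore_versions for one dependency. `dependency-name` is treated as a
# case-insensitive glob ("*", "Microsoft.*"), as dependabot.yml documents it.
def ignore_versions_for(update_config, dependency_name, current_version)
  (update_config["ignore"] || []).flat_map do |cond|
    pattern = cond["dependency-name"] || "*"
    next [] unless File.fnmatch?(pattern, dependency_name, File::FNM_CASEFOLD)
    ignore_ranges_for(current_version, cond["update-types"] || [])
  end
end

# Drop every candidate version that any ignore range covers. This is the filter the
# update checker applies internally; reproduced here so the ranges can be sanity-checked.
def allowed_versions(candidates, ignore_versions)
  reqs = ignore_versions.map { |r| Gem::Requirement.new(r.split(",").map(&:strip)) }
  candidates.reject do |v|
    ver = Gem::Version.new(v)
    reqs.any? { |req| req.satisfied_by?(ver) }
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = update_config_for(DEPENDABOT_YML, "nuget")
  ignored = ignore_versions_for(cfg, "Newtonsoft.Json", "12.0.1")
  puts "open-pull-requests-limit: #{cfg['open-pull-requests-limit']}"
  puts "ignore_versions: #{ignored.inspect}"
  # Constructed feed: only the two patch bumps should survive.
  feed = %w[12.0.2 12.0.3 12.1.0 13.0.1 13.0.0-beta1]
  puts "candidates left: #{allowed_versions(feed, ignored).inspect}"
end
```

In generic-update-script.rb the result of `ignore_versions_for` would be passed as the `ignore_versions:` keyword when constructing the checker, with `open-pull-requests-limit` read from the same config to cap how many PRs one run opens. Because `dependency-name: "*"` matches everything, a repo wanting to exempt one package would add a narrower `ignore` entry rather than editing the script.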

@adambenali adambenali linked a pull request Jan 17, 2023 that will close this issue