Migration PR not align with original dependabot config variables #3762
Comments
You do not need to configure the public registry, it was a noop in preview and it is stripped out for the native version.
Have you configured the secrets as mentioned here?

Yes, I have followed the PR and added the secret to the repo (some private repo not in organization) and organization level. But in the update log, nothing related to api.nuget.org is shown, only the github package feed.

Here are more update logs from the GitHub native dependabot showing packages not being checked from the public nuget feed.
Where And other repo which is not migrated to native dependabot yet, @dependabot-preview can still create PR correctly

This may be the same issue as #3724. If the default public nuget feed should always be checked at the first place, it's the same bug.

Hi @jurre and @brrygrdn, any update on this bug?
There's only a week left before dependabot preview shuts down, but the native dependabot is still not pulling the public nuget feed properly when there are 3rd party nuget feeds. Are we going to be stuck with the bugged native dependabot or no dependabot after August 3rd?

Sorry for the delay in replying @jasonycw - to elaborate on my comment in #3724, I believe the correct way to configure this is to add a
Dependabot builds a list of repositories to look up packages in the RepositoryFinder class which inserts In Dependabot Preview this is not a problem as looking at your existing configuration, you have a config variable that provides this URI: I believe this workflow existed historically so that using a mix of public and private sources had to be explicitly configured, which core 'opting out' of the public repo once any other source was provided. By explicitly indicating the official public source in your Let me know if this helps or if you have any further issues.

Thanks for the feedback @jasonycw, we're taking a look at this change internally to see what is practical.

Hey, I've had this dependable done for years. I really don't know what I'm doing, I'm teaching myself. I did not mean to such ya up like that, but it's been running for years for me. Can u help me out on few pointer ideas?

On Jul 28, 2021 11:45 AM, Barry Gordon ***@***.***> wrote:
> Thanks for the feedback @jasonycw, we're taking a look at this change internally to see what is practical.

👋🏻 @jasonycw I've deployed a change that permits you to add the public feed explicitly to the config file, e.g.

```yaml
version: 2
registries:
  nuget-feed-nuget-pkg-github-com-organizationname-index-json:
    type: nuget-feed
    url: https://nuget.pkg.github.com/organizationname/index.json
    token: "${{secrets.NUGET_FEED_NUGET_PKG_GITHUB_COM_ORGANIZATIONNAME_INDEX_JSON_TOKEN}}"
  public:
    type: nuget-feed
    url: https://api.nuget.org/v3/index.json
updates:
  - package-ecosystem: nuget
    directory: "/"
    schedule:
      interval: daily
      time: "09:00"
      timezone: Hongkong
    open-pull-requests-limit: 99
    reviewers:
      - someone
      - jasonycw
    assignees:
      - someone
    registries:
      - nuget-feed-nuget-pkg-github-com-organizationname-index-json
      - public
```

Hopefully that helps resolve your issue.

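The condition discussed in this thread can be checked mechanically. The Ruby below is an added example, not part of the original thread and not Dependabot's own code: it flags nuget update entries in a `dependabot.yml` whose listed registries do not include the public feed URL. The function name, the `github-feed` registry name and the `FEED_TOKEN` secret name are constructed for illustration.

```ruby
require "yaml"

PUBLIC_NUGET_FEED = "https://api.nuget.org/v3/index.json"

# Returns findings for nuget update entries in a dependabot.yml string.
def nuget_feed_findings(config_text)
  config = YAML.safe_load(config_text) || {}
  registries = config["registries"] || {}
  findings = []
  (config["updates"] || []).each do |update|
    next unless update["package-ecosystem"] == "nuget"
    names = Array(update["registries"])
    names = registries.keys if names == ["*"] # "*" allows every defined registry
    next if names.empty? # entry lists no registries, so this check does not apply
    dir = update["directory"]
    undefined = names.reject { |n| registries.key?(n) }
    undefined.each { |n| findings << "#{dir}: registry '#{n}' is referenced but not defined" }
    urls = (names - undefined).map { |n| registries[n]["url"].to_s.chomp("/") }
    unless urls.include?(PUBLIC_NUGET_FEED)
      findings << "#{dir}: registries listed, but #{PUBLIC_NUGET_FEED} is not among them"
    end
  end
  findings
end

# Constructed sample: a config that only carries a private GitHub Packages feed.
MIGRATED = <<~'CFG'
  version: 2
  registries:
    github-feed:
      type: nuget-feed
      url: https://nuget.pkg.github.com/organizationname/index.json
      token: "${{secrets.FEED_TOKEN}}"
  updates:
    - package-ecosystem: nuget
      directory: "/"
      schedule:
        interval: daily
      registries:
        - github-feed
CFG

# Constructed sample: the same config with the public feed declared and referenced.
FIXED = MIGRATED
  .sub("updates:", "  public:\n    type: nuget-feed\n    url: #{PUBLIC_NUGET_FEED}\nupdates:")
  .sub("- github-feed\n", "- github-feed\n      - public\n")

puts nuget_feed_findings(MIGRATED)
puts nuget_feed_findings(FIXED).empty? ? "fixed config: ok" : "fixed config: findings"
```
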
Thanks, just tested with a few of our repositories and dependabot can finally query from both feeds.
It will be great if the migration PR is updated as well, but even if it isn't, I'll merge them and update all the
Thanks again!

Basic info:
Package ecosystem
nuget
Language version
C#
Manifest location and content prior to update
n/a
Updated dependency
n/a
Native package manager behavior
n/a
In our dependabot setup, we have multiple nuget feeds set up so that we can update both the public nuget packages from https://api.nuget.org/v3/index.json and the private nuget packages hosted on github package.
However, I tried to update a few of our repos to native dependabot with the migration PR, and it seems like the migration PR doesn't account for multiple nuget feeds. The resulting `.github/dependabot.yml` only contains the github package link, which breaks the package update process. This migration PR is not ready for one click migration like #3591 (comment) said.
Previous behavior in Dependabot Preview:
Update logs on app.dependabot.com
Current behavior in GitHub-native Dependabot:
Update logs in repo's Dependency graph > Dependabot