Leverage dependabot to update dependencies #182
Comments
Can dependabot leverage private feeds (or feeds that require authentication)? I have recently discussed this with @danegsta about this specifically for the automatic updates of the dcp binaries, as well as the templates which will need to be re-packaged and shipped via the Aspire SDK Workload. Our discussion was that it should be doable to just use Arcade's dependency flow, since @danegsta found that it seems to be straightforward to use dependency flow even when you are not using Arcade to build.
Also, just dropping a note, this should eventually also cover adding dependency flow for dcp binaries and project templates.
Here is a full list of all of the packages that the repo depends on today which are not being automatically updated:
Looks like it can: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot
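For reference, a `dependabot.yml` sketch of the private-registry setup that the linked documentation describes, applied to NuGet. This is an added example, not configuration from this thread or from the repository; the registry name, feed URL placeholders, username and secret name are all assumptions.

```yaml
# .github/dependabot.yml (added example, not the repository's actual file)
version: 2

registries:
  # Hypothetical registry name; referenced from the update entry below.
  internal-nuget:
    type: nuget-feed
    # Placeholder: substitute the real v3 index URL of the authenticated feed.
    url: https://pkgs.dev.azure.com/<org>/<project>/_packaging/<feed>/nuget/v3/index.json
    # Azure DevOps feeds accept a personal access token as the password.
    # Placeholder username; the PAT is stored as a Dependabot secret
    # (hypothetical name), never committed to the repository.
    username: dependabot@example.com
    password: ${{secrets.INTERNAL_FEED_PAT}}

updates:
  - package-ecosystem: nuget
    # Directory containing the project or central package version files.
    directory: "/"
    # Only registries listed here receive the credential for this entry.
    registries:
      - internal-nuget
    schedule:
      interval: weekly
```

The token only needs read access to packages on that one feed, and it should be created as a Dependabot secret rather than an Actions secret so that only Dependabot jobs can read it.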
This should also include any updates to templates. For example, the templates now have a dependency on the R9 package Microsoft.Extensions.Http.Resilience; we should make sure this version is also updated each time there is a new version.
Dependabot is already enabled in repo settings for public dependencies.
I apparently don't have powers to make an access token for https://dev.azure.com/dnceng/internal feed. So waiting until Tues when we won't have a private feed anyway. I was able to verify that dependabot can update a central package version file (ie
What I tried: main...danmoseley:aspire:dependabot (temporarily removed private feed to avoid error) and I was impressed that not only did it understand central package management but even updated the original property value: https://github.com/danmoseley/aspire/pull/2/files
I'm assuming DCP will use Arcade, otherwise dependabot will need a token to access their feed even after preview 1.
DCP is already using Arcade's dependency flow (not actual arcade for building, just the codeflow piece), and Aspire is already subscribed to automatically bumping the versions to latest using codeflow: aspire/eng/Version.Details.xml Lines 4 to 31 in 05c40df
Astra already depends on a large set of packages (internal and external) and none of them are auto-updated: https://github.com/dotnet/astra/blob/main/eng/Versions.props.
Dependabot would be suitable to update the dependencies. Some of our partner repositories already do that: https://github.com/dotnet/msbuild/blob/main/eng/dependabot/dependabot.csproj
As none of the Astra dependencies are managed by Darc/Maestro, moving the versions from Versions.props into Directory.Packages.props could be sufficient.
cc @mitchdenny