Add support for multiple update_schedules / update_type combos for a single ecosystem / directory #1778
This is equally valid in a v2 config world, and is something we're considering for the future.
Would love to have this feature. Hoping to have minor update merging automagically if it passes the tests and send PR to lead devs for major updates.

```yaml
version: 2
updates:
  # Minor updates to npm production dependencies daily
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:45"
      timezone: "Europe/Helsinki"
    versioning-strategy: lockfile-only
    labels:
      - "npm minor dependencies"
    allow:
      - dependency-type: "production"
  # Major updates to npm dependencies weekly @tuesday
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "07:00"
      timezone: "Europe/Helsinki"
    versioning-strategy: increase-if-necessary
    labels:
      - "npm major dependencies"
    reviewers:
      - "foobar/js-lead"
```
This is exactly our use case. I would appreciate it very much.
The use case for my team is updating production dependencies weekly and dev dependencies monthly.
I'm also after this functionality. I'd like to allow the default of 5 PRs for external dependencies, but unlimited PRs for dependencies from my organisation.
Are there any possible workarounds for this? I have the exact same use case as @jamime
I'd like to enable security updates for all packages, but version updates for only a handful.
We just tried hacking around this with:

```yaml
directory: "./" # instead of directory: "/"
```

This bypassed dependabot's validation, so we'll see what happens next...

UPDATE: Doesn't work.
Would like to do something similar for daily checks for dependencies with security vulnerabilities:
This reverts commit 5a6fb94. Currently, it is not possible to have "duplicated updates" (i.e.: multiple updates with the same <package-ecosystem, directory, target-branch> tuple) in dependabot configuration: dependabot/dependabot-core#1778. In order to avoid the following error while parsing dependabot config: The property '#/updates/1' is a duplicate. Update configs must have a unique combination of 'package-ecosystem', 'directory', and 'target-branch' the commit is reverted. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Is this ... possible yet? To configure more than one schedule for the same ecosystem. Pinging active contributors: This seems like quite a prevalent question, and the issue is still open. Apologies if I've overlooked an obvious answer. As far as I can tell the documentation on scheduling doesn't cover any advice to the natural scenario of wanting 2 separate schedules. Any feedback will be appreciated
We just hacked our way around this by actively setting
@alecgibson's workaround seems to work for me. See my |
Previous attempt to group enhancement dependency updates separately from build/test dependency bumps failed as Dependabot requires a unique combination of 'package-ecosystem', 'directory', and 'target-branch'. Perhaps this ability will be implemented in the future via dependabot/dependabot-core#1778.
…iguration The previous version of the configuration failed with the following error: Update configs must have a unique combination of 'package-ecosystem', 'directory', and 'target-branch' To avoid that, apply the workaround that has been suggested here: dependabot/dependabot-core#1778 (comment)
Same but with Rust/Cargo! (Also, with different grouping, not just schedules.)
use target-branch hack see dependabot/dependabot-core#1778 (comment)
It appears to also be possible to use Edit: Doesn't work.
given that hacking the config to fool dependabot into thinking two schedules for the same package manager are unique works perfectly it should be relatively easy to enable first-class support for this, no?
if anyone's looking for further examples, i use the following config to make minor and major updates as soon as they're available, and group patch releases on a monthly basis (cargo):

```yaml
version: 2
updates:
  # bump major and minor updates as soon as available
  - package-ecosystem: cargo
    target-branch: main # see https://github.com/dependabot/dependabot-core/issues/1778#issuecomment-1988140219
    directory: /
    schedule:
      interval: daily
    commit-message:
      prefix: chore
      include: scope
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-patch"
  # bundle patch updates together on a monthly basis
  - package-ecosystem: cargo
    directory: /
    schedule:
      interval: monthly
    commit-message:
      prefix: chore
      include: scope
    groups:
      patch-updates:
        update-types:
          - patch
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-major"
  # update github actions as soon as available
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
    ignore:
      - dependency-name: dtolnay/rust-toolchain
    commit-message:
      prefix: "ci"
      include: "scope"
```
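The uniqueness rule quoted in this thread's error message, and why an explicit `target-branch` on one entry gets past it, as an added example that is not Dependabot's own code. It assumes the three fields are compared literally, as the reports above suggest; the sample configs and the `default_branch` parameter are constructed for illustration.

```ruby
require "yaml"

# Constructed sample: two npm entries for the same directory, as requested in the thread.
DUPLICATE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: npm
      directory: "/"
      schedule: { interval: daily }
    - package-ecosystem: npm
      directory: "/"
      schedule: { interval: weekly }
YAML

# Constructed sample: the workaround shape, one entry spelling out target-branch.
WORKAROUND_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: cargo
      target-branch: main
      directory: "/"
      schedule: { interval: daily }
    - package-ecosystem: cargo
      directory: "/"
      schedule: { interval: monthly }
YAML

KEY_FIELDS = %w[package-ecosystem directory target-branch].freeze

def updates_of(yaml_text)
  YAML.safe_load(yaml_text).fetch("updates", [])
end

# Paths such as "#/updates/1" for entries whose literal key tuple repeats an
# earlier entry (assumed model of the rule in the quoted error message).
def duplicate_updates(yaml_text)
  seen = {}
  updates_of(yaml_text).each_with_index.filter_map do |entry, i|
    key = KEY_FIELDS.map { |field| entry[field] }
    next "#/updates/#{i}" if seen.key?(key)
    seen[key] = i
    nil
  end
end

# Index groups that resolve to the same branch once a missing target-branch is
# filled with default_branch (hypothetical parameter supplied by the caller).
def effective_collisions(yaml_text, default_branch)
  updates = updates_of(yaml_text)
  groups = updates.each_index.group_by do |i|
    e = updates[i]
    [e["package-ecosystem"], e["directory"], e["target-branch"] || default_branch]
  end
  groups.values.select { |g| g.size > 1 }
end
```

Running `effective_collisions` in CI shows a reviewer which entries rely on the workaround, so overlapping `ignore` and `groups` rules for the same branch can be checked together.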
Currently `dependabot` does not allow different configurations for the same directories. This workaround [1] provides a way to bypass this restriction. [1] dependabot/dependabot-core#1778 (comment) Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
Hey, I'd love to be able to trigger and receive PRs for security updates on a live schedule.
and my regular scheduled all updates weekly.
The following is a mock for my config.yml -- obviously fails the validator as a dupe atm :)