Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default org-wide repo settings #2193

Closed
ocxo opened this issue Feb 4, 2019 · 12 comments
Closed

Default org-wide repo settings #2193

ocxo opened this issue Feb 4, 2019 · 12 comments
Labels
F: security-updates 🔐 Issues specific to security updates T: feature-request Requests for new features

Comments

@ocxo
Copy link

ocxo commented Feb 4, 2019

I'd like to be able to set a default "security only" setting for Dependabot. We turned it on for a lot repos this morning and it opened a flood of non-security PRs that we had to go back and close. Caused noise for our teams, put pressure on our build server, and as a side-effect caused us to exceed our GitHub API rate limit.
@greysteil
Copy link
Contributor

Thanks for the feedback @ocxo. You can change Dependabot to security only for a repo by clicking "advanced options" when adding the repo, or by clicking "only security updates" when editing an update config:

image

If you're using config files, you can achieve the same by copying the Example: only allow security updates section of the setup instructions.

Apologies for the bad first experience!

@ocxo
Copy link
Author

ocxo commented Feb 4, 2019

@greysteil can that be applied at the org level or is it at the repo level only? I understand the repo level config options but what I'm really looking for is a way to apply this to my GitHub org and all repos within it.

@greysteil
Copy link
Contributor

Ah, sorry, I didn't realise that's what you meant.

At the moment we don't have any settings that are configurable at both the account and repo level. I can totally see the use case, but introducing that would also add a little complexity for users, and require a proper UI (if you're using config files I presume this wouldn't really be an issue). Let me have a think. We have some account-level settings that we might move down to the repos anyway, so when we do it would make sense to make defaults configurable at the account level.

(I can also see how this will be lots of work. What happens when you change defaults, for example? Dependabot would need a way of tracking which repos have been separately configured somehow and which haven't. Could be confusing...)

@ocxo
Copy link
Author

ocxo commented Feb 4, 2019

I could see the sync issue being complex but in my mind a setting that enforces X default configuration for all newly added repos would be a really helpful middle ground.

@ocxo
Copy link
Author

ocxo commented Feb 4, 2019

In the meantime can this issue please be re-opened as it's currently not solved for?

@ocxo ocxo changed the title Default repo scan settings Default org-wide repo settings Feb 4, 2019
@greysteil greysteil reopened this Feb 4, 2019
@greysteil
Copy link
Contributor

greysteil commented Feb 4, 2019
edited
Loading

Sure thing!

@feelepxyz
Copy link
Contributor

Feedback from dependabot/feedback#383

Actually default_reviewers and default_labels stay on each package levels, I mean not globally (but for each dependency).

I think this could be a great addition to have the same features, but in a global scope, I mean having

version: 1
default_reviewers:
  - reviewer1
  - reviewer2
default_labels:
  - label1
  - label2
update_configs:
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "live"

so as the PR create by @dependabot-bot is labeled and reviewer is picked by default (if no one is specified at dependency level).

@JeanMertz
Copy link

I've also been looking into this. We have over 300 repositories and want to apply some rules to auto-merge some of our most common non-production dependencies as long as the CI reports green.

We can do this by going through each repository by hand, but that's cumbersome, and requires us to do it again for any future changes we want to make, and any new repositories we add.

@stale
Copy link

stale bot commented Oct 23, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

@travi
Copy link

travi commented Oct 23, 2019

i'm still really hoping for a feature along these lines. ideally, i'd love to see this implemented as a config file that can be placed in the .github repo. i'd be happy to provide more thoughts if there is interest in moving this forward.

@infin8x infin8x transferred this issue from dependabot/feedback Jun 29, 2020
@infin8x infin8x added F: security-updates 🔐 Issues specific to security updates T: feature-request Requests for new features labels Jul 2, 2020
@ChrisBAshton ChrisBAshton mentioned this issue Jul 16, 2020
Merged
@deivid-rodriguez
Copy link
Contributor

Not sure about other ideas for allowing it to be configured through the .github org repo, but the original request in this PR is now available. See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories.

I'll close this given that the original request is implemented, and we can track more improvements as separate issues.

@dalepgrant
Copy link

Allowing it to be configured through the .github org repo is tracked in #3360, for anyone else like me looking for it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
F: security-updates 🔐 Issues specific to security updates T: feature-request Requests for new features
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@feelepxyz @travi @JeanMertz @infin8x @ocxo @greysteil @deivid-rodriguez @dalepgrant