Improvement Proposal: Configurable Pull Requests #2672
Comments
ChrisCates
changed the title
|
I would prefer to list not only individual packages, but to also have the ability to list entire organizations. Listing individual packages is fine in some cases, but there are also cases where an organization-wide grouping is easier to maintain than individual packages. For example, I have multiple dependencies of the |
|
@fkirc, would love to be able to do something like this. group:
- @symfony/*
- @laravel/*
...I agree with that! |
|
This might be useful as a real world example, we had similar issues using a custom variant of the Dependabot script with our self-hosted gitlab server, developers complained about the number of Merge Requests that where being generated. To fix this we extended the dependabot configuration with The result of including all packages into a single, so not only do the developers get bothered less with merge messages, the number of auto-merge fails due to conflicts requiring a rebase has been almost reduced to zero. |
|
I have a monorepo and even though it is not very large at the moment I expect the sheer volume of PR's will be difficult to handle as the repo grows. I'd love to be able to configure dependabot like this. Great idea!
That looks like a good idea for handling grouped dependencies, @ChrisCates why not update your proposal with these examples? |
|
@Jacob-Morgan, thanks for the reference to that fork! Very important. @h-no, agreed, going to add that! I still feel the structure of this IP needs to be sorted out. |
|
I am currently looking at the adoption of dependabot for the Kubeflow project, and as many others the amount of PRs that will be created for a given repository (and the resulting load on the AWS testing infra) are the man reasons for concern. The ability to group dependency updates together seems to be the most effective way to combat this issue, along with the problem that some dependencies need to be updated together to be functional. To me it seems the solution provided in #2672 (comment) is a good way forwards. What would be required to start getting this integrated into dependabot? |
|
This would also help us out in the https://github.com/dotnet/aspnetcore repo. |
|
Solving this is a more general way is a bit beyond dependabot's scope. However, you should be able to solve this with a custom github workflow. You would create an action that runs whenever a new PR is created by dependabot and it uses github-script to locate instances of PRs for related dependencies across your repo and then merges the changes from the new PR into the existing one and closes this new PR with a comment referring to the other PR. |
|
Sorry for commenting on an issue that hasn't had activity for a while, but I think having wildcards could also be useful. For example, Vue CLI dependencies are released together all at once (vuejs/vue-cli@ef08a08), so it's useful to have one PR for them all. Something like this, for example: group:
- @vue/cli*I realize this is already very similar to the concept of "grouping all" and "grouping organizations", but I think those concepts can be combined into a more generalized pattern-matching for grouping/ignoring. If you agree, maybe the proposal can be updated to specify that Also, some other things to consider:
|
|
Hello everyone! We at Legal and General have just open sourced Dependabot Batcher, a GitHub Action that we've been trialling internally for some time. When run on a schedule (or ad-hoc, if you prefer), it will combine all open Dependabot PR changes into one. The PR provides links to the original PRs, while closing them down. This can save a lot of CI time as well uncluttering your Pull Requests page. Here's what the generated PR looks like:
We hope that someone finds this useful as we do, and look forward to hearing any feedback you might have! |
|
Interesting @pauleustice, can you share a little about how this deals with conflicts? |
|
@jurre Sure. Here's what we have in the readme:
Of course, you can manually add any merge conflicts to the combined PR if you wish. In our team we just merge the batched PR and then they get picked up on the next run. |
jeffwidman
added
Workaround 🔁
|
Thanks @spenserblack I hadn't seen that. :grin Hopefully it's a helpful workaround until we get a chance to actually get this solved upstream here in Looking through the comments, this is pretty clearly a duplicate of a combination of: Also related: |
.
Summary
Dependabot provides several pull requests all for the same repository. These diffs in the repository are pretty trivial and generally involve changes only relating to package managers. Pull Requests needs to be configurable from a
dependabot.ymlfile.Implementation
Commit Structure
Currently, commits are structured for only a single version change.
Instead, add all changes to a single commit and have it structured something like this.
Configuration with
dependabot.ymlFor complete and full granular control of how @dependabot configures pull requests. A
dependabot.ymlfile seems most ideal.Example Configuration:
Example Configuration Group All:
Example Configuration Grouping Based on organization deps:
ignoreThe ignore key in the
.ymlfile ignores all the packagesgroupThe group key in the
.ymlfile groups all packages into the same pr.Both keys can be iterated multiple times in the
.ymlfile.Project Structure
If the project is running on a monorepo. You can have multiple
.ymlfiles in each respective folder. @dependabot will walk through each folder to find the.ymlfile.The text was updated successfully, but these errors were encountered: