Added Cake support #1848

Open
wants to merge 4 commits into
base: main


@Jacob-Morgan Jacob-Morgan commented May 8, 2020

Add cake support for #733, which is based on PR #958 and expands on the implementation. The FileFetcher loads additional scripts using the #load directive and supports some wildcard globbing, which can include recursive directory searching. Where possible the NuGet Package manager code has been reused either by registration as the cake implementation or derivation and overriding.

Notes

  • cake.config NuGet Package sources are treated as unauthenticated as credentials can't be provided, as they can be with the NuGet.config file. If credentials are required on GitHub these should be configured via the Dependabot UI using the Config Variables.
  • Inlining of NuGet Package sources via the module, addin, load or tool directive is currently not supported - just needs a little more investigation.

Provides

  • FileFetcher
  • FileParser
  • FileUpdater
  • MetaFinder - defers to NuGet Package manager implementation
  • Requirements - defers to NuGet Package manager implementation
  • Version - defers to NuGet Package manager implementation

Special thanks to @gitfool for support and review

@Jacob-Morgan
Author

Jacob-Morgan commented May 8, 2020

Dry-run executed against the curated list of cake contrib repos from Cake Contrib.

# Fetch the Cake Contrib audit list and extract the owner/repo slugs it links to
curl -sSO https://raw.githubusercontent.com/cake-contrib/Home/master/Audit_for_Cake_0.33.0.md
grep -oP '(?<=\(https://github.com/)[^/]+/[^/]+(?=/?\))' Audit_for_Cake_0.33.0.md | sed -e 's/\.git$//' | sort | uniq > cake-repos.txt
# Dry-run the cake package manager against each repository in the list
for repo in $(cat cake-repos.txt); do
  echo -e "\n${repo}:\n"
  bin/dry-run.rb cake "$repo"
done

Results of dry-run

@Jacob-Morgan
Author

At pharos we use a custom implementation of the Dependabot-script configured against our internal GitLab server. Running the cake script support against a clone of our build script repository.

Opened Merge Requests
Merge Request details

@Jacob-Morgan Jacob-Morgan force-pushed the add-support-for-cake branch 2 times, most recently from d00edaf to 89478da Compare May 13, 2020 05:27
@jurre
Member

jurre commented May 14, 2020

Hi @Jacob-Morgan, thanks for filing this PR!

Unfortunately, the Dependabot team are currently tied up with some time-sensitive initiatives and we're not able to give this PR the attention it needs at the moment. We're hoping to get back to this and other PRs sometime over the summer.

@Jericho

Jericho commented May 18, 2020

I'm curious if this new cake support takes into consideration the version of Cake being used to compile and run a given cake script when making upgrade recommendations?

A cake script might use an older version of cake that may or may not be compatible with the Cake assemblies referenced by the addin and therefore upgrading the addin could break the cake script. The fact that a script and an addin don't use the same version of cake doesn't automatically make them incompatible but it might, so it's preferable to be careful. Let me emphasize that a script and an addin don't have to use the same version of Cake necessarily but under some scenarios it can definitely cause the script to break.

Let me use two examples to illustrate what I mean:

  • Example 1: let's say that a given script uses Cake 0.31.0 and let's say that the addin references the Cake 0.37.0 assemblies. In this scenario, it would be preferable not to upgrade the addin because Cake introduced breaking changes in 0.33.0.
  • Example 2: let's say that a given script uses Cake 0.34.0 and let's say that the most recent version of an addin references the cake 0.37.0 assemblies. In this scenario, the addin reference can be safely upgraded because Cake did not introduce any breaking changes between 0.34.0 and 0.37.0.

The rule of thumb is: don't upgrade addins that reference more recent Cake assemblies if Cake introduced breaking changes in a version between the version used by the script and the version referenced by the addin.
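
The rule of thumb from the comment above, written as a pre-upgrade gate. This is an added Ruby example, not part of the original thread or of the PR's code. The method names, the candidate list and the list of breaking releases (only 0.33.0, the one release the comment names) are assumptions, as is treating "between" as newer than the script's Cake version and up to and including the addin's.

```ruby
require "rubygems" # Gem::Version gives dotted-version comparison

# Assumption: only 0.33.0 is listed because it is the only breaking Cake
# release named in the thread; extend this list from Cake's release notes.
BREAKING_CAKE_RELEASES = %w[0.33.0].freeze

# Breaking Cake releases newer than the script's Cake version and no newer
# than the Cake version the addin references (interval is an assumption).
def breaking_releases_crossed(script_cake, addin_cake, breaking = BREAKING_CAKE_RELEASES)
  script = Gem::Version.new(script_cake)
  addin = Gem::Version.new(addin_cake)
  breaking.select do |release|
    v = Gem::Version.new(release)
    v > script && v <= addin
  end
end

# :upgrade when no breaking release is crossed, otherwise :hold with the reason.
def addin_upgrade_decision(script_cake, addin_cake)
  crossed = breaking_releases_crossed(script_cake, addin_cake)
  { action: crossed.empty? ? :upgrade : :hold, crossed: crossed }
end

# Newest addin version whose referenced Cake version is safe for the script.
# Each candidate is { version: "...", cake: "..." }; returns nil if none is safe.
def newest_safe_addin(script_cake, candidates)
  candidates
    .select { |c| breaking_releases_crossed(script_cake, c[:cake]).empty? }
    .max_by { |c| Gem::Version.new(c[:version]) }
end

# Constructed sample data: addin versions and the Cake assemblies they reference.
SAMPLE_ADDIN_RELEASES = [
  { version: "1.0.0", cake: "0.28.0" },
  { version: "1.1.0", cake: "0.32.1" },
  { version: "2.0.0", cake: "0.37.0" }
].freeze

if __FILE__ == $PROGRAM_NAME
  p addin_upgrade_decision("0.31.0", "0.37.0") # Example 1 from the comment
  p addin_upgrade_decision("0.34.0", "0.37.0") # Example 2 from the comment
  p newest_safe_addin("0.31.0", SAMPLE_ADDIN_RELEASES)
end
```

Picking the newest safe candidate instead of skipping the update entirely still lets a script on an older Cake version receive addin releases built before the breaking change.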

@feelepxyz feelepxyz changed the base branch from master to main June 24, 2020 11:25
@gitfool gitfool mentioned this pull request Jun 29, 2020
@Jacob-Morgan Jacob-Morgan requested a review from a team as a code owner October 14, 2020 06:00
@gitfool gitfool force-pushed the add-support-for-cake branch from 9c866b8 to ecef07b Compare October 28, 2020 08:51
Jacob-Morgan added a commit to pharos/dependabot-script that referenced this pull request Oct 30, 2020
* Custom build of the dependabot core for dependabot/dependabot-core#1848
* Group packages by package name or all
* Custom message builder
@feelepxyz
Contributor

👋 Thanks for opening this PR, back in May 😬, we really appreciate the effort to make Dependabot better for the community.

Unfortunately, we are not accepting new ecosystems into core at the moment. We are currently focused on making some improvements into how we handle extensibility before we add any more ecosystems. We will still be improving and upgrading support for existing ecosystems.

Please check the Contribution guidelines for more information.

@brrygrdn brrygrdn added F: language-support Issues specific to a particular language or ecosystem; may be paired with an L: label. on-hold 🛑 Feature is proposed but hasn't been scheduled T: new-ecosystem Requests for new ecosystems/languages labels Dec 18, 2020
@pascalberger

For people looking for an interim solution for using Dependabot with Cake, there's a GitHub Action available, created by @nils-a, which makes use of the work done in this PR. See this blog post for details: https://cakebuild.net/blog/2020/10/dependabot-cake-action

Jacob-Morgan and others added 4 commits October 8, 2021 22:45
The cake declarations are only updated using the first dependency from the available set of dependencies set on the file updater. All dependencies set are now applied, this borrows heavily from the NuGet package manager file updater.
Contributor

👋 This pull request has been marked as stale because it has been open for 2 years with no activity. You can: comment on the PR or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Mar 14, 2024
@gep13

gep13 commented Mar 14, 2024

The reason that there is no activity is due to this comment from @jurre

Hi @Jacob-Morgan, thanks for filing this PR!

Unfortunately, the Dependabot team are currently tied up with some time-sensitive initiatives and we're not able to give this PR the attention it needs at the moment. We're hoping to get back to this and other PRs sometime over the summer.

If there is confirmation from the team that this isn't something that wants to be brought in, then I guess this PR can be closed (which would be unfortunate since systems like Renovate provide this ability).

@gep13

gep13 commented Mar 14, 2024

@feelepxyz said...
Unfortunately, we are not accepting new ecosystems into core at the moment. We are currently focused on making some improvements into how we handle extensibility before we add any more ecosystems. We will still be improving and upgrading support for existing ecosystems.

Have these improvements happened?

@github-actions github-actions bot removed the Stale label Mar 15, 2024