feat: dependabot support

Node projects will now include dependabot configuration. Notice that due to the fact that projen controls "package.json" we configure dependabot to only raise pull requests for lock files changes.

.github/dependabot.yml

@@ -0,0 +1,9 @@
+# Generated by projen. To modify, edit .projenrc.js and run "npx projen".
+
+version: 2
+updates:
+  - package-ecosystem: npm
+    versioning-strategy: lockfile-only
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/release.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Anti-tamper check
         run: git diff --exit-code
       - name: Upload artifact
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v2.1.1
         with:
           name: dist
           path: dist

.gitignore

@@ -55,6 +55,8 @@ tsconfig.json
 !/.github/workflows/build.yml
 !# synthesized by projen, (do not modify by hand)
 !/.github/workflows/release.yml
+!# synthesized by projen, (do not modify by hand)
+!/.github/dependabot.yml
 !/src
 !# synthesized by projen, (do not modify by hand)
 !/.eslintrc.json

src/dependabot.ts

@@ -0,0 +1,113 @@
+import { Construct } from 'constructs';
+import { YamlFile } from './yaml';
+import { NodeProject } from './node-project';
+
+export interface DependabotOptions {
+  /**
+   * How often to check for new versions and raise pull requests.
+   *
+   * @default ScheduleInterval.DAILY
+   */
+  readonly scheduleInterval?: ScheduleInterval;
+
+  /**
+   * The strategy to use when edits manifest and lock files.
+   *
+   * @default VersioningStrategy.LOCKFILE_ONLY The default is to only update the
+   * lock file because package.json is controlled by projen and any outside
+   * updates will fail the build.
+   */
+  readonly versioningStrategy?: VersioningStrategy;
+}
+
+/**
+ * How often to check for new versions and raise pull requests for version
+ * updates.
+ */
+export enum ScheduleInterval {
+  /**
+   * Runs on every weekday, Monday to Friday.
+   */
+  DAILY = 'daily',
+
+  /**
+   * Runs once each week. By default, this is on Monday.
+   */
+  WEEKLY = 'weekly',
+
+  /**
+   * Runs once each month. This is on the first day of the month.
+   */
+  MONTHLY = 'monthly'
+}
+
+/**
+ * The strategy to use when edits manifest and lock files.
+ */
+export enum VersioningStrategy {
+  /**
+   * Only create pull requests to update lockfiles updates. Ignore any new
+   * versions that would require package manifest changes.
+   */
+  LOCKFILE_ONLY = 'lockfile-only',
+
+  /**
+   * - For apps, the version requirements are increased.
+   * - For libraries, the range of versions is widened.
+   */
+  AUTO = 'auto',
+
+  /**
+   * Relax the version requirement to include both the new and old version, when
+   * possible.
+   */
+  WIDEN = 'widen',
+
+  /**
+   * Always increase the version requirement to match the new version.
+   */
+  INCREASE = 'increase',
+
+  /**
+   * Increase the version requirement only when required by the new version.
+   */
+  INCREASE_IF_NECESSARY = 'increase-if-necessary',
+}
+
+/**
+ * Defines dependabot configuration for node projects.
+ *
+ * Since module versions are managed in projen, the versioning strategy will be
+ * configured to "lockfile-only" which means that only updates that can be done
+ * on the lockfile itself will be proposed.
+ */
+export class Dependabot extends Construct {
+  /**
+   * The raw dependabot configuration.
+   * @see https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
+   */
+  public readonly config: any;
+
+  constructor(project: NodeProject, options: DependabotOptions = {}) {
+    super(project, 'dependabot');
+
+    this.config = {
+      version: 2,
+      updates: [
+        {
+          'package-ecosystem': 'npm',
+          'versioning-strategy': 'lockfile-only',
+          'directory': '/',
+          'schedule': {
+            interval: options.scheduleInterval ?? ScheduleInterval.DAILY,
+          },
+        },
+      ],
+    };
+
+    new YamlFile(project, '.github/dependabot.yml', {
+      obj: this.config,
+      committed: true,
+    });
+  }
+}

src/index.ts

@@ -11,4 +11,5 @@ export * from './version';
 export * from './eslint';
 export * from './jest';
 export * from './typescript';
-export * from './mergify';
+export * from './mergify';
+export * from './dependabot';

src/json.ts

@@ -10,6 +10,11 @@ export class JsonFile extends FileBase {
 
   constructor(project: Project, filePath: string, options: JsonFileOptions) {
     super(project, filePath, options);
+
+    if (!options.obj) {
+      throw new Error('"obj" cannot be undefined');
+    }
+
     this.obj = options.obj;
   }
 

src/node-project.ts

@@ -9,6 +9,7 @@ import { Version } from './version';
 import { GithubWorkflow } from './github-workflow';
 import * as fs from 'fs-extra';
 import * as path from 'path';
+import { DependabotOptions, Dependabot } from './dependabot';
 
 const ANTITAMPER_COMMAND = [
   {
@@ -160,6 +161,20 @@ export interface CommonOptions {
    * @default "test"
    */
   readonly testdir?: string;
+
+  /**
+   * Include dependabot configuration.
+   *
+   * @default true;
+   */
+  readonly dependabot?: boolean;
+
+  /**
+   * Options for dependabot.
+   *
+   * @default - default options
+   */
+  readonly dependabotOptions?: DependabotOptions;
 }
 
 export interface NodeProjectOptions extends ProjectOptions, CommonOptions {
@@ -431,6 +446,10 @@ export class NodeProject extends Project {
         }
       }
     }
+
+    if (options.dependabot ?? true) {
+      new Dependabot(this, options.dependabotOptions);
+    }
   }
 
   /**

src/typescript.ts

@@ -9,7 +9,14 @@ import { TypedocDocgen } from './typescript-typedoc';
 import * as fs from 'fs-extra';
 import * as path from 'path';
 
-export interface TypeScriptLibraryProjectOptions extends NodeProjectOptions {
+/**
+ * @deprecated use TypeScriptProjectOptions
+ */
+export interface TypeScriptLibraryProjectOptions extends TypeScriptProjectOptions {
+
+}
+
+export interface TypeScriptProjectOptions extends NodeProjectOptions {
   /**
    * Setup jest unit tests
    * @default true
@@ -99,7 +106,7 @@ export class TypeScriptProject extends NodeProject {
   protected readonly libdir: string;
   protected readonly testdir: string;
 
-  constructor(options: TypeScriptLibraryProjectOptions) {
+  constructor(options: TypeScriptProjectOptions) {
     super(options);
 
     this.srcdir = options.srcdir ?? 'src';

test/__snapshots__/inventory.test.ts.snap

@@ -137,6 +137,17 @@ Array [
         "switch": "copyright-period",
         "type": "string",
       },
+      Object {
+        "default": "true;",
+        "docs": "Include dependabot configuration.",
+        "name": "dependabot",
+        "optional": true,
+        "path": Array [
+          "dependabot",
+        ],
+        "switch": "dependabot",
+        "type": "boolean",
+      },
       Object {
         "name": "dependencies",
         "optional": true,
@@ -1096,6 +1107,17 @@ Array [
         "switch": "copyright-period",
         "type": "string",
       },
+      Object {
+        "default": "true;",
+        "docs": "Include dependabot configuration.",
+        "name": "dependabot",
+        "optional": true,
+        "path": Array [
+          "dependabot",
+        ],
+        "switch": "dependabot",
+        "type": "boolean",
+      },
       Object {
         "name": "dependencies",
         "optional": true,
@@ -1570,6 +1592,17 @@ jest typescript tests and only if all tests pass, run the compiler.",
         "switch": "copyright-period",
         "type": "string",
       },
+      Object {
+        "default": "true;",
+        "docs": "Include dependabot configuration.",
+        "name": "dependabot",
+        "optional": true,
+        "path": Array [
+          "dependabot",
+        ],
+        "switch": "dependabot",
+        "type": "boolean",
+      },
       Object {
         "name": "dependencies",
         "optional": true,