.dependabot/config.yml and forks #2198
Comments
|
@LeoColomb agreed on not auto-adding forks! We also want to allow running on forks so won't be a super quick fix on our side. The current plan is to not auto-add forks with config files but show these in the Dependabot dashboard where you can click to enable the fork. I'm currently working on a repo details page in the dashboard where we can do this so going to get back to this after getting that out. Thanks for getting in touch! |
|
Maybe have dependabot open an issue that lets the user opt in to running on the fork? |
|
Yeah, I think surfacing in the dashboard first is the way to go - don't want to create issues unless we have to. What was your experience at GitLab of folks forking repos with a config file? |
|
Generally it didn’t matter much since the only config file that really mattered for GitLab was the CI YAML, and CI didn’t typically open merge requests on the project or modify the project state at all (or if it did, it’d need a private token anyway, so it would just fail unless someone went through the trouble of setting it up). CI would run for the latest commit on master and any newly-pushed commits, but it wasn’t a problem. Dependabot is pretty different in that regard, so my knowledge probably isn’t super useful here unfortunately. |
|
Forked repositories have issues disabled by default on GitHub. So opening an initial issue is not possible. 🤔 😉
You mean with
Edit: Connor beat me to responding, but yes. |
|
The only other thing I can think of that’d be relevant would be things like CI Variables and other project settings. I’m fairly certain none of the project settings are carried over on a fork, and CI Variables are supposed to be used for API Keys, etc, so they definitely weren’t carried over. |
|
job:
only:
- branches@gitlab-org/gitlab-ce
except:
- master@gitlab-org/gitlab-cehttps://docs.gitlab.com/ce/ci/yaml/#only-and-except-simplified |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions. |
|
Still an issue, right? |
|
@LeoColomb yup! Still on the radar 👍 |
|
I'm wondering why there is no option to disable dependabot. I removed access to one of the forks via github UI but it's still listed in the dependabot dashboard. Furthermore the upstream repository is no longer getting updates and in a permanent "checking for updates" state. |
|
@feelepxyz Thoughts on what's going on here regarding @eps1lon's comment? |
|
@eps1lon yes this was possibly due to a Dependabot outage which meant that jobs took ages to process. This should be fixed now and the queue times should be back to normal. Has the repo you removed been deleted from the UI? |
|
@feelepxyz Forgot about this. I tried again today and it is now removed from the dependabot UI. This should prevent dependabot from opening PRs on my fork. If this works then revoking access resolves this issue for me. |
|
Is there any why that you know to stop dependabot PRs on forks if we migrate to the v2 (with |
Yes, Dependabot v2 won't be automatically enabled on forks and you have to enable it from the Dependabot UI under Insights > Dependency Graph > Dependabot. There's currently a bug where it will start sending you PRs if you've somehow installed the Dependabot v2 app on an old fork and then rebase the source which has since added the config file (the app installation is transparent but happens when you enable Dependabot security updates for example). |
@feelepxyz : Thanks much for your response. So just to confirm, re-creating the fork should help I guess? 🤔 |
Yup! |
infin8x
added
F: version-updates ⬆️
|
When will the bug be fixed with forks? It seems completely backwards that I have to delete a fork and recreate it. I don't care to do that and this is an incredible mess. I'm getting daily bast of PRs that is incredibly high for repos I work on and its too easy to accidently merge on the fork where I don't want the merge. This has been an outstanding issue before V2 came into the picutre now for going on 2 years. So please make this a priority. |
|
@gohugoio recently added dependabot to its master repo. You cannot really expect people to update to v2 by deleting their forks and associated pull requests history so that they stop receiving these unwanted Pull Requests. Please do consider making this issue a priority. |
|
IMHO the easyest fix for this issue would be to add a new field to
That way you could get the following benefits:
IMHO this is a case where users don't want all the automagic assumptions, but have full control. |
|
Can we just get a |
|
Our workaround so far to avoid spamming our 800+ forks:
When we want to run dependabot, we make the latter branch the default one, and then make the Of course, now it's August and most people potentially interested in forking our project are on holidays, so the risk of someone forking the project while we're changing the default branch is very low 🤔. Might not work for projects people are forking constantly. |
Pending resolution of dependabot/dependabot-core#2198
Pending resolution of dependabot/dependabot-core#2198
|
@feelepxyz any updates on this? If this is resolved, dependabot would get many more users and the debates and conflicts regarding the use of dependabot for a project would be much easier to resolve. |
|
I forgot one project uses dependabot and made the mistake of updating my fork from
|
|
https://docs.renovatebot.com/configuration-options/#includeforks Renovate by default skips all forks - looks like a good alternative if change in the repo you manage is possible. I've seen renovate used to good effect in the ACRA repo and will consider it for my repos since the fork PR thing is kind of a showstopper as it induces a lot of contributor friction in fork-based repos. |
…main and forks) # [why] When using the Dependabot configuration (*.github/dependabot.yml*), forks are forced into using it as well which causes lots of useless Dependabot spam. There is discussion but no fix for this as of yet. - ref: [Dependabot config and forks](dependabot/dependabot-core#2198)
…main and forks) # [why] When using the Dependabot configuration (*.github/dependabot.yml*), forks are forced into using it as well which causes lots of useless Dependabot spam. There is discussion but no fix for this as of yet. - ref: [How to disable for a fork?](dependabot/dependabot-core#2804) - ref: [Dependabot config and forks](dependabot/dependabot-core#2198)
|
Renovate is also fully open source |
|
👋 Hey there! This is super annoying, and very much on our radar. Unfortunately, I can't give any promises on timeline etc, but it is something we plan to fix. However, it's also tracked over in #2804, so I'm going to close this as a duplicate. I realize this one is earlier, but the other one is the one we're tracking internally on some project boards, so just easier to keep that one as the canonical reference ticket. |
To stop the spam in my fork, because there's still no other way to do this after almost 4 years... see dependabot/dependabot-core#2804 and dependabot/dependabot-core#2198
@jeffwidman The mentioned issue is closed with > 1.700 comments. Could you summarize the result for us? |
|
Summary:
|
and others
.dependabot/config.ymlis a great feature, thanks!That said, I faced an unwanted behavior.
Considering two accounts with Dependabot enabled, if an account forks a repo of the other one containing a
.dependabot/config.ymlfile and with outdated dependencies, Dependabot will be auto-activated and will open pull requests on the forked repo.As a real example, I forked
dependabot-coreand got four PR in the minute.The text was updated successfully, but these errors were encountered: