Add Task V2; Use Dependabot-CLI to perform updates (#1318)
* Split extension task into V1 and V2
* Basic support for running update using dependabot-cli
* Add missing update job configs
* Move update output processing to dedicated class; Add DevOps API client
* Codespell skip package-lock.json
* Clean-up
* Implement create pull request
* Implement groups, auto-complete, auto-approve, pull request properties, and updating existing pull requests
* Clean up
* Set task V1 as deprecated, task V2 as preview
* Restructure extension task to better support multiple versions
* Fix typos
* Fix build
* Fix build
* Fix merge issues
* Remove unused task inputs
* Fix for 'convertPlaceholder' not accepting built-in DevOps variable names containing '.'
* Implement closing pull requests
* Implement updating pull requests
* Use default branch name if target branch not configured
* Implement approving pull requests
* Add task inputs for pr commit author email and name
* Implement open pull request limit config
* Cleanup temporary files after task completion
* Add configuration placeholders for dependabot component images
* Implement more config options
* Implement dependency list snapshots, which are stored in the DevOps project properties
* Add task input option for storing dependency list
* Implement experiments
* Implement requirements-update-strategy and lockfile-only configs
* Fix typo
* Implement PR reviewers, work item references, and labels
* Add start commands for each task version, use V2 by default
* Update V1 task.json version numbers when publishing the extension
* Update documentation
* Update documentation
* Update documentation
* Update documentation
* Typo
* Update documentation
* Fix reference to undefined `this.cachedUserIds`
* Use case insensitive comparison when parsing "System.Debug" variable
* Fix dependabot tool path detection in agents where `$PATH` does not contain `$GOPATH/bin`
* Add more logging
* Fix for task reporting success when pull request creation failed
* Add more logging; Fix formatting
* Fix 'labels' config parsing
* Implement "targetUpdateIds" task input option
* Fix error when using multiple update blocks in dependabot.yml with the same package manager
* Only install dependabot once; cache the tool path once known
* Add migration warning to complete V1 pull requests before migrating to V2
* Process updates synchronously when using multiple update blocks in dependabot.yml
* Fix typos
* Report the total number of failed update jobs in the task result
* Include stack trace when errors are logged, to help with diagnosing issues
* Fix inverted logic for "abandonUnwantedPullRequests"
* Fix error handling
1 parent a7f21ac, commit 213d780
Showing 38 changed files with 3,490 additions and 153 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
[codespell] | ||
skip = .git,*.pdf,*.svg,pnpm-lock.yaml,yarn.lock | ||
skip = .git,*.pdf,*.svg,pnpm-lock.yaml,yarn.lock,package-lock.json | ||
# some modules, parts of regexes, and variable names to ignore, some | ||
# misspellings in fixtures/external responses we do not own | ||
ignore-words-list = caf,bu,nwo,nd,kernal,crate,unparseable,couldn,defintions |
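Review bot: the `skip` line now lists a third lockfile (`package-lock.json` next to `pnpm-lock.yaml` and `yarn.lock`) but the file never says why lockfiles are skipped; the only comment in this hunk explains `ignore-words-list`. Add a one-line comment above `skip` stating the reason so the next person adding or removing a lockfile format knows whether the exclusion is deliberate, e.g. `# lockfiles are generated and not spell-checked`.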
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
|
||
> [!WARNING] | ||
> **:construction: Work in progress;** `dependabot@V2` is still under development and this document may change without notice up until general availability (GA). | ||
# Table of Contents | ||
- [Summary of changes V1 → V2](#summary-of-changes-v1-v2) | ||
- [Breaking changes V1 → V2](#breaking-changes-v1-v2) | ||
- [Todo before general availability](#todo-before-general-availability) | ||
|
||
# Summary of changes V1 → V2 | ||
V2 is a complete re-write of the Dependabot task; It aims to: | ||
|
||
- Resolve the [numerous private feed/registry authentication issues](https://github.com/tinglesoftware/dependabot-azure-devops/discussions/1317) that currently exist in V1; | ||
- More closely align the update logic with the GitHub-hosted Dependabot service; | ||
|
||
The task now uses [Dependabot CLI](https://github.com/dependabot/cli) to perform dependency updates, which is the _[currently]_ recommended approach for running Dependabot. See [extension task architecture](../extension.md#architecture) for more details on the technical changes and impact to the update process. | ||
|
||
# Breaking changes V1 → V2 | ||
|
||
> [!WARNING] | ||
> **It is strongly recommended that you complete (or abandon) all active Depedabot pull requests created in V1 before migrating to V2.** Due to changes in Dependabot dependency metadata, V2 pull requests are not compatible with V1 (and vice versa). Migrating to V2 before completing existing pull requests will lead to duplication of pull requests. | ||
### New pipeline agent requirements; "Go" must be installed | ||
Dependabot CLI requires [Go](https://go.dev/doc/install) (1.22+) and [Docker](https://docs.docker.com/get-started/get-docker/) (with Linux containers). | ||
If you use [Microsoft-hosted agents](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#software), we recommend using the [ubuntu-latest](https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md) image, which meets all task requirements. | ||
For self-hosted agents, you will need to install Go 1.22+. | ||
|
||
### Security-only updates and "fixed vulnerabilities" are not implemented (yet) | ||
Using configuration `open-pull-requests-limit: 0` will cause a "not implemented" error. This is [current limitation of V2](../../README.md#unsupported-features-and-configurations). A solution is still under development and is expected to be resolved before general availability. | ||
See: https://github.com/dependabot/cli/issues/360 for more technical details. | ||
|
||
### Task Input `updaterOptions` has been renamed to `experiments` | ||
Renamed to match Dependabot Core/CLI terminology. The input value remains unchanged. See [configuring experiments](../../README.md#configuring-experiments) for more details. | ||
|
||
### Task Input `failOnException` has been removed | ||
Due to the design of Dependabot CLI, the update process can no longer be interrupted once the update has started. Because of this, the update will now continue on error and summarise all error at the end of the update process. | ||
|
||
### Task Input `excludeRequirementsToUnlock` has been removed | ||
This was a customisation/workaround specific to the V1 update script that can no longer be implemented with Dependabot CLI as it is not an official configuration option. | ||
|
||
### Task Input `dockerImageTag` has been removed | ||
This is no longer required as the [custom] [Dependabot Updater image](../updater.md) is no longer used. | ||
|
||
### Task Input `extraEnvironmentVariables` has been removed | ||
Due to the containerised design of Dependabot CLI, environment variables can no longer be passed from the task to the updater process. All Dependabot config must now set via `dependabot.yaml` or as task inputs. The following old environment variables have been converted to task inputs: | ||
|
||
| Environment Variable | New Task Input | | ||
|--|--| | ||
|DEPENDABOT_AUTHOR_EMAIL|authorEmail| | ||
|DEPENDABOT_AUTHOR_NAME|authorName| | ||
|
||
|
||
## Todo before general availability | ||
Before removing the preview flag from V2 `task.json`, we need to: | ||
- [x] Open an issue in Dependabot-CLI, enquire how security-advisories are expected to be provided **before** knowing the list of dependencies. (https://github.com/dependabot/cli/issues/360) | ||
- [ ] Convert GitHub security advisory client in `vulnerabilities.rb` to TypeScript code | ||
- [ ] Implement `security-advisories` config once the answer the above is known | ||
- [x] Review `task.json`, add documentation for new V2 inputs | ||
- [x] Update `\docs\extension.md` with V2 docs | ||
- [x] Update `\extension\README.MD` with V2 docs | ||
- [x] Update `\README.MD` with V2 docs | ||
- [ ] Do a general code tidy-up pass (check all "TODO" comments) | ||
- [ ] Add unit tests for V2 utils scripts | ||
- [ ] Investigate https://zod.dev/ |
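Review bot: the "Security-only updates" section tells readers that `open-pull-requests-limit: 0` raises a "not implemented" error but not what they should do in the meantime; since the warning at the top of "Breaking changes" says V1 and V2 pull requests are mutually incompatible, state explicitly whether security-only users should stay on V1 until GA rather than migrate and lose security updates. Smaller points in the same hunk: "Depedabot" in that warning should be "Dependabot"; "summarise all error" should be "errors"; "All Dependabot config must now set via `dependabot.yaml`" is missing "be", and the file is called `dependabot.yaml` here but `dependabot.yml` in the commit message, so pick one; "once the answer the above is known" is missing "to"; and "Todo before general availability" is a `##` heading while its siblings in the table of contents are `#`.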