From 93538a0908fc58b9e2ea17cb284855c8f5776169 Mon Sep 17 00:00:00 2001
From: Rhys Koedijk
Date: Thu, 26 Dec 2024 06:18:08 +1300
Subject: [PATCH] If no experiments are specified, use the GitHub defaults (#1514)

* If no experiments are specified, use the GitHub service defaults
* Update documentation
---
 README.md | 103 +++++++++---------
 docs/extension.md | 43 +++++++-
 docs/migrations/v1-to-v2.md | 18 +-
 extension/README.md | 14 ++-
 extension/tasks/dependabotV2/task.json | 2 +-
 .../dependabot-cli/DependabotJobBuilder.ts | 9 +-
 .../utils/dependabot/experiments.ts | 15 +++
 .../dependabotV2/utils/getSharedVariables.ts | 9 ++
 8 files changed, 138 insertions(+), 75 deletions(-)
 create mode 100644 extension/tasks/dependabotV2/utils/dependabot/experiments.ts

diff --git a/README.md b/README.md
index b71a06ea..a59f0752 100644
--- a/README.md
+++ b/README.md
@@ -10,10 +10,10 @@ In this repository you'll find:
 1. Azure DevOps [Extension](https://marketplace.visualstudio.com/items?itemName=tingle-software.dependabot), [source code](./extension) and [docs](./docs/extension.md).
 1. Dependabot Server, [source code](./server/) and [docs](./docs/server.md).
-1. Dependabot Updater image, [Dockerfile](./updater/Dockerfile), [source code](./updater/) and [docs](./docs/updater.md). **(Deprecated since v2.0)**
+1. Dependabot Updater image, [Dockerfile](./updater/Dockerfile), [source code](./updater/) and [docs](./docs/updater.md). **(deprecated)**
 
 > [!IMPORTANT]
-> This project is currently undergoing a major version increment (V1 → V2); See the [migration guide](./docs/migrations/v1-to-v2.md#summary-of-changes-v1--v2) for more details and progress updates.
+> The Azure pipelines task is currently undergoing a major version increment (V1 → V2); See the [migration guide](./docs/migrations/v1-to-v2.md#summary-of-changes-v1--v2) for more details and progress updates.
 
 ## Table of Contents
 
 - [Getting started](#getting-started)
@@ -24,8 +24,8 @@ In this repository you'll find: - [Configuring assignees and reviewers](#configuring-assignees-and-reviewers) - [Unsupported features and configurations](#unsupported-features-and-configurations) * [Dependabot Task](#dependabot-task) - + [dependabot@V2](#dependabotv2) - + [dependabot@V1](#dependabotv1) + + [dependabot@2](#dependabot2) + + [dependabot@1](#dependabot1) * [Dependabot Updater Docker image](#dependabot-updater-docker-image) * [Dependabot Server](#dependabot-server) - [Migration Guide](#migration-guide) @@ -36,10 +36,37 @@ In this repository you'll find: ## Getting started -Unlike the GitHub-hosted version, Dependabot for Azure DevOps must be explicitly setup in your organisation; creating a `dependabot.yml` file alone is **not** enough to enable updates. There are two ways to enable Dependabot, using: +Dependabot for Azure DevOps must be explicitly configured to run in your organisation; creating a `dependabot.yml` file alone is **not** enough to enable updates. There are two ways to enable Dependabot, using: - [Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=tingle-software.dependabot) - Ideal if you want to get Dependabot running with minimal administrative effort. The extension can run directly inside your existing pipeline agents and doesn't require hosting of any additional services. Because the extension runs in pipelines, this option does **not** scale well if you have a large number of projects and repositories. +
+ Example: + + ```yaml + trigger: none # Disable CI trigger + + schedules: + - cron: '0 0 * * 0' # weekly on sunday at midnight UTC + always: true # run even when there are no code changes + branches: + include: + - master + batch: true + displayName: Weekly + + pool: + vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported) + + steps: + - task: dependabot@2 + inputs: + mergeStrategy: 'squash' + ``` + See [task requirements](/extension/README.md#task-requirements) and [task parameters](/extension/README.md#task-parameters) for more information. + +
+ - [Hosted Server](./docs/server.md) - Ideal if you have a large number of projects and repositories or prefer to run Dependabot as a managed service instead of using pipeline agents. See [why should I use the server?](./docs/server.md#why-should-i-use-the-server) for more info. > [!NOTE] @@ -49,7 +76,7 @@ Unlike the GitHub-hosted version, Dependabot for Azure DevOps must be explicitly Similar to the GitHub-hosted version, Dependabot is configured using a [dependabot.yml file](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) located at `.azuredevops/dependabot.yml` or `.github/dependabot.yml` in your repository. -Most [official configuration options](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) are supported since V2; Earlier versions have several limitations, see [unsupported features and configurations](#unsupported-features-and-configurations) for more. +Most [official configuration options](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) are supported; See [unsupported features and configurations](#unsupported-features-and-configurations) for more details. ## Configuring private feeds and registries @@ -57,7 +84,9 @@ Besides accessing the repository, sometimes private feeds/registries may need to Private registries are configured in `dependabot.yml`, refer to the [official documentation](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). -Examples: + +
+Example: ```yml version: 2 @@ -93,6 +122,8 @@ updates: ... ``` +
+ Note when using authentication secrets in configuration files: > [!IMPORTANT] 
@@ -104,41 +135,6 @@ BUT the values will be used from pipeline environment variables. Template variab > 1. Have `Packaging (Read)` permission. > 2. Be issued by a user with permission to the feed either directly or via a group. An easy way for this is to give `Contributor` permissions the `[{project_name}]\Contributors` group under the `Feed Settings -> Permissions` page. The page has the url format: `https://dev.azure.com/{organization}/{project}/_packaging?_a=settings&feed={feed-name}&view=permissions`. -> [!NOTE] -> When using `dependabot@V1` with a private feed/registry secured with basic auth, the `username`, `password`, **and** `token` properties are all required. The token format must be `${{ USERNAME }}:${{ PASSWORD }}`. - -> [!NOTE] -> When using `dependabot@V1` with a repository containing a `nuget.config` file configured with custom package sources, the `key` property is required for each registry. The key must match between `dependabot.yml` and `nuget.config` otherwise the package source will be duplicated, package source mappings will be ignored, and auth errors will occur during dependency discovery. If your `nuget.config` looks like this: -> ```xml -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> ``` -> -> Then your `dependabot.yml` registry should look like this: -> ```yml -> version: 2 -> registries: -> my-org: -> type: nuget-feed -> key: my-organisation1-nuget -> url: https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json -> token: PAT:${{ MY_DEPENDABOT_ADO_PAT }} -> ``` - ## Configuring security advisories and known vulnerabilities Security-only updates is a mechanism to only create pull requests for dependencies with vulnerabilities by updating them to the earliest available non-vulnerable version. 
[Security updates are supported in the same way as the GitHub-hosted version](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) provided that a GitHub access token with `public_repo` access is provided in the `gitHubAccessToken` or `gitHubConnection` task inputs. @@ -150,11 +146,10 @@ Dependabot uses an internal feature flag system called "experiments". Typically, Experiments vary depending on the package ecyosystem used; They can be enabled using the `experiments` task input with a comma-seperated list of key/value pairs representing the experiments e.g. `experiments: 'tidy=true,vendor=true,goprivate=*'`. -> [!NOTE] -> Dependabot experinment names are not [publicly] documented. For convenience, some known experiments are listed below; However, **be aware that this may be out-of-date at the time of reading.** +By default, the enabled experiments will mirror the GitHub-hosted version of Dependabot, which can be found [here](/extension/tasks/dependabotV2/utils/dependabot/experiments.ts). Specifying experiments in the task input parameters will override all defaults. -
-List of known experiments from dependabot-core@0.288.0 +
+List of known experiments: |Package Ecosystem|Experiment Name|Value Type|More Information| |--|--|--|--| @@ -177,19 +172,23 @@ Experiments vary depending on the package ecyosystem used; They can be enabled u | NuGet | nuget_legacy_dependency_solver | true/false | https://github.com/dependabot/dependabot-core/pull/10671 | | NuGet | nuget_use_direct_discovery | true/false | https://github.com/dependabot/dependabot-core/pull/10597 | -> To find the latest list of Dependabot experiments, search the `dependabot-core` GitHub repository using queries like ["enabled?(x)"](https://github.com/search?q=repo%3Adependabot%2Fdependabot-core+%2Fenabled%5CW%5C%28.*%5C%29%2F&type=code) and ["options.fetch(x)"](https://github.com/search?q=repo%3Adependabot%2Fdependabot-core+%2Foptions%5C.fetch%5C%28.*%2C%2F&type=code). +> [!NOTE] +> Dependabot experiment names are not [publicly] documented and these may be out-of-date at the time of reading. To find the latest list of experiments, search the `dependabot-core` GitHub repository using queries like ["enabled?(x)"](https://github.com/search?q=repo%3Adependabot%2Fdependabot-core+%2Fenabled%5CW%5C%28.*%5C%29%2F&type=code) and ["options.fetch(x)"](https://github.com/search?q=repo%3Adependabot%2Fdependabot-core+%2Foptions%5C.fetch%5C%28.*%2C%2F&type=code).
## Configuring assignees and reviewers -Dependabot allows for the configuration of both [`assignees`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#assignees) and [`reviewers`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers). However, Azure DevOps does not have the concept of pull request assignees. Because of this, `assignees` will be treated as **required** reviewers and `reviewers` will be treated as **optional** reviewers. +Dependabot supports [`assignees`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#assignees) and [`reviewers`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers). However, Azure DevOps does not have the concept of pull request assignees. To work around this: + +- [`assignees`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#assignees) are treated as **required** pull request reviewers. +- [`reviewers`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers) are treated as **optional** pull request reviewers. -Reviewers can be any of the following values: +The following values can be used as assignees or reviewers: - User GUID - User username - User email address -- User full [display] name +- User full display name - Group name - Team name 
@@ -198,11 +197,11 @@ We aim to support all [official configuration options](https://docs.github.com/e ### Dependabot Task -#### `dependabot@V2` +#### `dependabot@2` - [`schedule`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) is ignored, use [pipeline scheduled triggers](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml#scheduled-triggers) instead. - [`securityAdvisoriesFile`](#configuring-security-advisories-and-known-vulnerabilities) task input is not yet supported. -#### `dependabot@V1` +#### `dependabot@1` - [`schedule`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) is ignored, use [pipeline scheduled triggers](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml#scheduled-triggers) instead. - [`directories`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories) are only supported if task input `useUpdateScriptVNext: true` is set. - [`groups`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) are only supported if task input `useUpdateScriptVNext: true` is set. diff --git a/docs/extension.md b/docs/extension.md index 27e9876e..5c372b81 100644 --- a/docs/extension.md +++ b/docs/extension.md 
@@ -10,8 +10,8 @@ * [Running the task locally](#running-the-task-locally) * [Running the unit tests](#running-the-unit-tests) - [Architecture](#architecture) - * [Task V2 high-level update process diagram](#task-v2-high-level-update-process-diagram) - + * [dependabot@2 versioned update process diagram](#dependabot2-versioned-update-process-diagram) + * [dependabot@2 hsecurity-only update process diagram](#dependabot2-security-only-update-process-diagram) # Using the extension @@ -65,8 +65,8 @@ npm start To run a specific task version: ```bash -npm run start:V1 # runs dependabotV1 task -npm run start:V2 # runs dependabotV2 task +npm run start:V1 # runs dependabot@1 task +npm run start:V2 # runs dependabot@2 task ``` ## Running the unit tests @@ -78,8 +78,8 @@ npm test # Architecture -## Task V2 high-level update process diagram -High-level sequence diagram illustrating how the `dependabotV2` task performs updates using [dependabot-cli](https://github.com/dependabot/cli). For more technical details, see [how dependabot-cli works](https://github.com/dependabot/cli?tab=readme-ov-file#how-it-works). +## dependabot2 versioned update process diagram +High-level sequence diagram illustrating how the `dependabot@2` task performs versioned updates using [dependabot-cli](https://github.com/dependabot/cli). For more technical details, see [how dependabot-cli works](https://github.com/dependabot/cli?tab=readme-ov-file#how-it-works). ```mermaid sequenceDiagram 
@@ -128,3 +128,34 @@ High-level sequence diagram illustrating how the `dependabotV2` task performs up end ``` + +## dependabot2 security-only update process diagram +High-level sequence diagram illustrating how the `dependabot@2` task performs security-only updates using [dependabot-cli](https://github.com/dependabot/cli). + +```mermaid + sequenceDiagram + participant ext as TaskV2 + participant cli as Dependabot CLI + participant gha as GitHub Advisory Database + + ext->>ext: Write `list-dependencies-job.yml` + Note right of ext: The job file contains `ignore: [ 'dependency-name': '*' ]`.
This will make Dependabot to discover all dependencies, but not update anything.
We can then extract the dependency list from the "depenedency_list" output. + ext->>+cli: Execute `dependabot update -f list-dependencies-job.yml -o output.yml` + cli->>cli: Run update job + cli->>cli: Write `output.yaml` + cli-->>-ext: Update completed + + ext->>ext: Read and parse `output.yaml`, extract "dependency_list" + loop for each dependency + ext->>gha: Check security advisories for dependency + end + ext->>ext: Filter dependency list to only ones containing security advisories + ext->>ext: Write `security-only-update-job.yml` + Note right of ext: The job file contains the list of `dependency-names` and `security-advisories`.
This will make Dependanbot only update the dependencies named in the job file. + ext->>+cli: Execute `dependabot update -f security-only-update-job-job.yml -o output.yml` + cli->>cli: Run update job + cli->>cli: Write `output.yaml` + cli-->>-ext: Update completed + ext->>ext: Read and parse `output.yaml` + Note right of ext: Normal update logic resumes from this point.
Outputs are parsed, pull requests are created/updated/closed based on the outputs +``` \ No newline at end of file diff --git a/docs/migrations/v1-to-v2.md b/docs/migrations/v1-to-v2.md index 620e7242..50e98db7 100644 --- a/docs/migrations/v1-to-v2.md +++ b/docs/migrations/v1-to-v2.md @@ -1,6 +1,6 @@ > [!WARNING] -> **:construction: Work in progress;** `dependabot@V2` is still under development and this document may change without notice up until general availability (GA). +> **:construction: Work in progress;** `dependabot@2` is still under development and this document may change without notice up until general availability (GA). # Table of Contents - [Summary of changes V1 → V2](#summary-of-changes-v1-v2) @@ -10,10 +10,10 @@ # Summary of changes V1 → V2 V2 is a complete re-write of the Dependabot task; It aims to: -- Resolve the [numerous private feed/registry authentication issues](https://github.com/tinglesoftware/dependabot-azure-devops/discussions/1317) that currently exist in V1; +- Resolve the [private feed/registry authentication issues](https://github.com/tinglesoftware/dependabot-azure-devops/discussions/1317) that exist in V1; - More closely align the update logic with the GitHub-hosted Dependabot service; -The task now uses [Dependabot CLI](https://github.com/dependabot/cli) to perform dependency updates, which is the _[currently]_ recommended approach for running Dependabot. See [extension task architecture](../extension.md#architecture) for more details on the technical changes and impact to the update process. +The task now uses [Dependabot CLI](https://github.com/dependabot/cli) to perform dependency updates, which is the _current_ recommended approach for running Dependabot. See [extension task architecture](../extension.md#architecture) for more details on the technical changes and impact to the update process. # Breaking changes V1 → V2 
@@ -62,12 +62,12 @@ The following environment variables have been removed entirely; the feature is n | Removed Environment Variable | Reason | |--|--| -|`DEPENDABOT_PR_NAME_PREFIX_STYLE`| Feature is not supported; It is not an official configuration | -|`DEPENDABOT_COMPATIBILITY_SCORE_BADGE`| Feature is not supported; It is not an official configuration | -|`DEPENDABOT_MESSAGE_HEADER`| Feature is not supported; It is not an official configuration | -|`DEPENDABOT_MESSAGE_FOOTER`| Feature is not supported; It is not an official configuration | -|`DEPENDABOT_SIGNATURE_KEY`| Feature is not supported; It is not an official configuration | -|`DEPENDABOT_JOB_ID`| Set automatically by extension | +|`DEPENDABOT_COMPATIBILITY_SCORE_BADGE`| Feature is now enabled by default, no configuration required. | +|`DEPENDABOT_PR_NAME_PREFIX_STYLE`| Feature is not supported; It is not an official configuration. Use [`commit-message.prefix`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#commit-message) instead. | +|`DEPENDABOT_MESSAGE_HEADER`| Feature is not supported; It is not an official configuration. | +|`DEPENDABOT_MESSAGE_FOOTER`| Feature is not supported; It is not an official configuration. | +|`DEPENDABOT_SIGNATURE_KEY`| Feature is not supported; It is not an official configuration. | +|`DEPENDABOT_JOB_ID`| Set automatically, no configuration required. | ## Todo before general availability Before removing the preview flag from V2 `task.json`, we need to: diff --git a/extension/README.md b/extension/README.md index 2fa046a8..e7dc1d2f 100644 --- a/extension/README.md +++ b/extension/README.md 
@@ -20,19 +20,21 @@ An example of a YAML pipeline: trigger: none # Disable CI trigger schedules: -- cron: '0 2 * * *' # daily at 2am UTC +- cron: '0 0 * * 0' # weekly on sunday at midnight UTC always: true # run even when there are no code changes branches: include: - master batch: true - displayName: Daily + displayName: Weekly pool: vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported) steps: - task: dependabot@2 + inputs: + mergeStrategy: 'squash' ``` ## Task Requirements @@ -44,8 +46,8 @@ Dependabot uses Docker containers, which may take time to install if not already ## Task Parameters -
-dependabot@V2 +
+dependabot@2 |Input|Description| |--|--| @@ -67,12 +69,12 @@ Dependabot uses Docker containers, which may take time to install if not already |storeDependencyList|**_Optional_**. Determines if the last know dependency list information should be stored in the parent DevOps project properties. If enabled, the authenticated user must have the "Project & Team (Write)" permission for the project. Defaults to `false`.| |targetRepositoryName|**_Optional_**. The name of the repository to target for processing. If this value is not supplied then the Build Repository Name is used. Supplying this value allows creation of a single pipeline that runs Dependabot against multiple repositories by running a `dependabot` task for each repository to update.| |targetUpdateIds|**_Optional_**. A semicolon (`;`) delimited list of update identifiers run. Index are zero-based and in the order written in the configuration file. When not present, all the updates are run. This is meant to be used in scenarios where you want to run updates a different times from the same configuration file given you cannot schedule them independently in the pipeline.| -|experiments|**_Optional_**. Comma separated list of Dependabot experiments; available options depend on the ecosystem. Example: `tidy=true,vendor=true,goprivate=*`. See: [Configuring experiments](https://github.com/tinglesoftware/dependabot-azure-devops/#configuring-experiments)| +|experiments|**_Optional_**. Comma separated list of Dependabot experiments; available options depend on the ecosystem. Example: `tidy=true,vendor=true,goprivate=*`. If specified, this overrides the [default experiments](https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/extension/tasks/dependabotV2/utils/dependabot/experiments.ts). See: [Configuring experiments](https://github.com/tinglesoftware/dependabot-azure-devops/#configuring-experiments)|
-dependabot@V1 (Deprecated) +dependabot@1 (deprecated) |Input|Description| |--|--| diff --git a/extension/tasks/dependabotV2/task.json b/extension/tasks/dependabotV2/task.json index 6222c8da..dcbe67c3 100644 --- a/extension/tasks/dependabotV2/task.json +++ b/extension/tasks/dependabotV2/task.json @@ -226,7 +226,7 @@ "groupName": "advanced", "label": "Dependabot updater experiments", "required": false, - "helpMarkDown": "Comma-seperated list of key/value pairs representing the enabled Dependabot experiments e.g. `experiments: 'tidy=true,vendor=true,goprivate=*'`. Available options vary depending on the package ecosystem. See [configuring experiments](https://github.com/tinglesoftware/dependabot-azure-devops/#configuring-experiments) for more details." + "helpMarkDown": "Comma-seperated list of key/value pairs representing the enabled Dependabot experiments e.g. `experiments: 'tidy=true,vendor=true,goprivate=*'`. Available options vary depending on the package ecosystem. If specified, this overrides the [default experiments](https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/extension/tasks/dependabotV2/utils/dependabot/experiments.ts). See [configuring experiments](https://github.com/tinglesoftware/dependabot-azure-devops/#configuring-experiments) for more details." } ], "execution": { diff --git a/extension/tasks/dependabotV2/utils/dependabot-cli/DependabotJobBuilder.ts b/extension/tasks/dependabotV2/utils/dependabot-cli/DependabotJobBuilder.ts index b6ff1dbc..79f0bd69 100644 --- a/extension/tasks/dependabotV2/utils/dependabot-cli/DependabotJobBuilder.ts +++ b/extension/tasks/dependabotV2/utils/dependabot-cli/DependabotJobBuilder.ts 
@@ -148,7 +148,14 @@ function buildUpdateJobConfig(
 'prefix-development': update['commit-message']?.['prefix-development'],
 'include-scope': update['commit-message']?.['include'],
 },
- 'experiments': taskInputs.experiments,
+ 'experiments': Object.keys(taskInputs.experiments || {}).reduce(
+ (acc, key) => {
+ // Replace '-' with '_' in the experiment keys to match the dependabot-core models
+ acc[key.replace(/-/g, '_')] = taskInputs.experiments[key];
+ return acc;
+ },
+ {} as Record,
+ ),
 'max-updater-run-time': undefined, // TODO: add config for this?
 'reject-external-code': update['insecure-external-code-execution']?.toLocaleLowerCase() == 'allow',
 'repo-private': undefined, // TODO: add config for this?
diff --git a/extension/tasks/dependabotV2/utils/dependabot/experiments.ts b/extension/tasks/dependabotV2/utils/dependabot/experiments.ts
new file mode 100644
index 00000000..c99987a5
--- /dev/null
+++ b/extension/tasks/dependabotV2/utils/dependabot/experiments.ts
@@ -0,0 +1,15 @@
+// The default experiments known to be used by the GitHub Dependabot service.
+// This changes often, update as needed by extracting them from a Dependabot GitHub Action run.
+// e.g. https://github.com/tinglesoftware/dependabot-azure-devops/actions/workflows/dependabot/dependabot-updates
+export const DEFAULT_EXPERIMENTS: Record = {
+ 'record-ecosystem-versions': true,
+ 'record-update-job-unknown-error': true,
+ 'proxy-cached': true,
+ 'move-job-token': true,
+ 'dependency-change-validation': true,
+ 'nuget-native-analysis': true,
+ 'nuget-use-direct-discovery': true,
+ 'enable-file-parser-python-local': true,
+ 'lead-security-dependency': true,
+ 'enable-record-ecosystem-meta': true,
+};
diff --git a/extension/tasks/dependabotV2/utils/getSharedVariables.ts b/extension/tasks/dependabotV2/utils/getSharedVariables.ts
index bcf83e67..244bc877 100644
--- a/extension/tasks/dependabotV2/utils/getSharedVariables.ts
+++ b/extension/tasks/dependabotV2/utils/getSharedVariables.ts
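Review bot: The `'reject-external-code'` context line two lines below the new block reads as inverted: it sets the flag to true exactly when `insecure-external-code-execution` is `allow`, whereas the option's name says external code should be rejected unless the user explicitly allows it, which for a flag that gates running package-supplied code during an update is the safe default; this commit leaves that line as-is, so please confirm against dependabot-cli's job schema and, if it is indeed inverted, change it to `'reject-external-code': update['insecure-external-code-execution']?.toLocaleLowerCase() !== 'allow',`. In the new experiments mapping, `Object.keys(...).reduce` re-reads `taskInputs.experiments[key]` inside the callback, where the `|| {}` guard on the outer call does not narrow the type under `strictNullChecks`; iterating entries keeps key and value together and avoids the second lookup: `'experiments': Object.fromEntries(Object.entries(taskInputs.experiments ?? {}).map(([key, value]) => [key.replace(/-/g, '_'), value])),`. The hyphen-to-underscore rewrite also deserves a comment noting that both spellings are therefore accepted from the task input, since the README table lists the underscore form while the new defaults file uses hyphens. `buildUpdateJobConfig` begins and ends outside this hunk.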
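Review bot: `DEFAULT_EXPERIMENTS` is exported as a plain mutable object, and the `getSharedVariables.ts` hunk in this same patch assigns it straight into the per-run `experiments` variable, so any later mutation of that variable (or of the object by another caller) silently changes the defaults for the rest of the process; declare it `export const DEFAULT_EXPERIMENTS: Readonly<Record<…>> = Object.freeze({ … })`, keeping the existing type parameters. The header comment says the list "changes often" but records neither the date nor the Action run it was copied from, which is the only way a maintainer can tell whether it has drifted from the GitHub service; add a provenance line such as `// Captured on YYYY-MM-DD from <run URL>; re-check when the list below looks stale.` above the export. It is also worth one comment saying that keys are written in the GitHub service's hyphenated form and are rewritten to underscores in `DependabotJobBuilder` before being sent to dependabot-core, so nobody "corrects" them to match the underscore names in the README table.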
@@ -1,4 +1,5 @@
 import * as tl from 'azure-pipelines-task-lib/task';
+import { DEFAULT_EXPERIMENTS } from './dependabot/experiments';
 import extractHostname from './extractHostname';
 import extractOrganization from './extractOrganization';
 import extractVirtualDirectory from './extractVirtualDirectory';
@@ -140,6 +141,14 @@ export default function getSharedVariables(): ISharedVariables {
 {} as Record,
 );
 
+ // If no experiments are defined, use the default experiments
+ if (!experiments) {
+ experiments = DEFAULT_EXPERIMENTS;
+ tl.debug('No experiments provided; Using default experiments.');
+ }
+
+ console.log('Experiments:', experiments);
+
 let debug: boolean = tl.getVariable('System.Debug')?.match(/true/i) ? true : false;
 
 // Get the target identifiers
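Review bot: The `if (!experiments)` guard only fires when the parse chain above yields `undefined`; since the reduce it ends with (visible in the context lines) is seeded with `{}`, an input that is present but contributes nothing — for example one containing only separators, if the parser ahead of this hunk splits on commas as the README format describes — would arrive here as an empty or junk-keyed object and silently suppress the GitHub defaults the documentation in this patch now promises. Treat an empty map as unset as well: `if (!experiments || Object.keys(experiments).length === 0) {`. The assignment `experiments = DEFAULT_EXPERIMENTS;` aliases the shared module-level object rather than copying it; `experiments = { ...DEFAULT_EXPERIMENTS };` keeps any later per-run edits from leaking into subsequent runs in the same process. `console.log('Experiments:', experiments)` is the one unconditional stdout line in the hunk while the sibling message uses `tl.debug`; if the resolved map is meant to appear in every run log, say so in the comment, otherwise use `tl.debug` for both. The start of the `experiments` parse statement and the rest of `getSharedVariables` lie outside this hunk.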