
Dependabot PR includes changes from custom PRs - Need to exclude non-main branch changes #1427

Open
ahmetgul93 opened this issue Oct 24, 2024 · 9 comments

@ahmetgul93

Describe the bug

I would like Dependabot to only base its pull requests on the changes in the main branch and not include any changes from other open PRs or branches. This behavior is causing conflicts and making it difficult to review the dependencies independently from other feature or custom changes.

The PR created by Dependabot takes changes from other open PRs as well. I want Dependabot to create PRs based only on main. I found rebase-strategy and set it to disabled, but that didn't work either.

Could you please help me with how I can do this?

dependabot.yml:

version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    key: "aaaa"
    url: "xxxxx"
    token: PAT:${{ TOKEN}}
updates:
  - package-ecosystem: "nuget"
    directories: [ '/aa/bb/*' ]
    allow:
      - dependency-name: "AA.BB"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    rebase-strategy: "disabled"
    commit-message:
      prefix: "test"
    open-pull-requests-limit: 3
  - package-ecosystem: "nuget"
    directories: [ '/cc/dd/*' ]
    allow:
      - dependency-name: "AA.CC"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    rebase-strategy: "disabled"
    commit-message:
      prefix: "test"
    open-pull-requests-limit: 3

Azure DevOps pipeline:

stages:
  - stage: DependencyChecking
    jobs:
      - job: Dependabot
        displayName: 'Dependabot'
        steps:
          - task: dependabot@2
            displayName: 'Dependabot'
            inputs:
              useUpdateScriptvNext: true
            env:
              TOKEN: $(System.AccessToken)

@rhyskoedijk
Contributor

rhyskoedijk commented Oct 28, 2024

@ahmetgul93 thanks for the report.
Could you please provide some more information on what you are seeing in your pull requests; more specifically, a visualization of the branch history and commits that illustrates which commit the PR originates from and which commits you are not expecting to see in the PR?

By using target-branch: main, Dependabot should be using the latest commit on that branch; there shouldn't be any other commits from other branches.

It is possible that this has something to do with how you have multiple "nuget" package ecosystems configured; to rule that out, does it behave as expected if only one "nuget" update config is present?

It would also be good to clarify exactly which version of the dependabot task you are using as the pipeline you pasted above has conflicting information. If you are using dependabot@2, you can't have useUpdateScriptvNext: true as that would be invalid configuration. Are you using dependabot@2 or dependabot@1?

@ahmetgul93
Author

ahmetgul93 commented Oct 28, 2024

Thanks for the response!

The things in the red rectangle are developers' commits from another branch; however, Dependabot added these commits to its own branch. In other words, it takes other developers' commits into its own branch. I wanted it to create a new PR with its commit. However, it copies developer commits to the PR as well. Dependabot's PR should be independent of developer commits.

[image attachment not available]

I also tried your suggestions. I removed useUpdateScriptvNext from the previous version 1 implementation and also filtered out the second nuget updater, but the result is the same. And I also want to have these 2 nuget updaters.

The latest config I tried:

version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    key: "aaaa"
    url: "xxxxx"
    token: PAT:${{ TOKEN}}
updates:
  - package-ecosystem: "nuget"
    directories: [ '/aa/bb/*' ]
    allow:
      - dependency-name: "AA.BB"
      - dependency-name: "XX.ZZ"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    commit-message:
      prefix: "test"
    open-pull-requests-limit: 3

Azure DevOps pipeline (I use version 2):

stages:
  - stage: DependencyChecking
    jobs:
      - job: Dependabot
        displayName: 'Dependabot'
        steps:
          - task: dependabot@2
            displayName: 'Dependabot'
            env:
              TOKEN: $(System.AccessToken)

I have also tried with rebase-strategy: "disabled". It didn't work as I expected.
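As an added example, not code from this thread or from the dependabot-azure-devops project: the script below builds a throwaway git repository that reproduces the symptom reported above (a dependabot branch cut from a feature branch instead of main) and then lists the commits the PR would carry that are not on main, which is the branch-history view asked for earlier in the thread. It assumes git is on PATH; the branch names, authors and commit messages are constructed.

```shell
#!/bin/sh
# Added example: reproduce "dependabot branch contains developer commits" and detect it.
set -eu

# Commit with a fixed identity so the script runs in any environment.
commit_as() { # commit_as <author-name> <message>
  git -c user.name="$1" -c user.email="$1@example.invalid" \
    commit -q --allow-empty -m "$2"
}

# Commits reachable from <branch> but not from <base>: exactly what a PR
# from <branch> into <base> would show. One "<author> <subject>" line each.
pr_commits() { # pr_commits <base> <branch>
  git log --format='%an %s' "$1..$2"
}

# Number of commits in that range not authored by dependabot, i.e. the
# developer commits that should never appear in a dependency PR.
foreign_commit_count() { # foreign_commit_count <base> <branch>
  pr_commits "$1" "$2" | grep -vc '^dependabot ' || true
}

# Build a repo where the dependabot branch was cut from a feature branch
# (constructed scenario); prints the repo path.
build_demo_repo() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q
  git symbolic-ref HEAD refs/heads/main
  commit_as alice "initial commit"
  git checkout -q -b feature/custom-change
  commit_as bob "developer change on feature branch"
  # The symptom: the dependency branch starts from the feature branch, not main.
  git checkout -q -b dependabot/nuget/AA.BB-2.0.0
  commit_as dependabot "Bump AA.BB to 2.0.0"
  git checkout -q main
  echo "$repo"
}

# Usage: run the scenario and print the PR commits against main.
demo=$(build_demo_repo)
cd "$demo"
echo "Commits a PR into main would contain:"
pr_commits main dependabot/nuget/AA.BB-2.0.0
echo "Non-dependabot commits: $(foreign_commit_count main dependabot/nuget/AA.BB-2.0.0)"
```

Running the same check with the feature branch as the base returns 0, which is how you can tell which commit the PR branch was actually cut from.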

@ahmetgul93
Author

Any update about this? Thanks!

@caglanurcetinn

Hey, I also have the same issue; have you managed to solve it? @ahmetgul93

@ahmetgul93
Author

@caglanurcetinn Couldn't handle it yet unfortunately.

@caglanurcetinn

@rhyskoedijk Did you have a chance to check this?

@rhyskoedijk
Contributor

@ahmetgul93 @caglanurcetinn I haven't got around to this yet, but hope to spend some time on it in the next few days; I haven't forgotten about it though.

@rhyskoedijk
Contributor

I suspect this is caused by an issue introduced in #1382. Once #1478 is merged, it would be good to re-test this to see if it fixes this issue too.

@rhyskoedijk
Contributor

@ahmetgul93 @caglanurcetinn could you please test this using 1.38.2 and see if this issue is still happening? Thanks.
