dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License
4.67k stars, 1.01k forks

Add a configuration option to specify a prefix for security updates #10627

Open klaustopher opened 4 weeks ago

klaustopher commented 4 weeks ago


Feature description

Currently we can define a prefix for all updates and prefix-development for the updates of development dependencies. In our application we prefix the dependabot PRs using a chore(deps) prefix. In our release process, this triggers no special actions.

For security updates, we actually want the prefix to change to fix(deps) because this will trigger a bugfix release and directly forward a release to our customers. We currently do this manually by changing the PR title and then squash-merging the PR, but it would be great if dependabot automatically allowed prefixing security PRs with a custom prefix.

broksonic21 commented 3 weeks ago

Seconding this: In fact, we find for JS at least, dependabot ignores the prefix setting in full for security updates, which is causing some issues in our process. At minimum, it should use the general prefix, but ideally allow a specific one.

eptekov commented 3 weeks ago

Tesla also raised a ticket about this issue, where PR titles do not always honor the commit-message.prefix value, but it does work for the commit message.

According to our docs: "prefix specifies a prefix for all commit messages and it will also be added to the start of the PR title."

Based on the screenshots shared by Tesla, we can see that PRs that resolve a Dependabot alert do not get the prefix:

Image

While PRs that update a package's version without a Dependabot alert do:

Image

dependabot.yaml for reference:

version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    target-branch: 'develop'
    commit-message:
      prefix: 'chore: EFPM-10618 '
    open-pull-requests-limit: 10
    rebase-strategy: 'disabled'
    reviewers:
      - 'digital-experience/grid-team'
    schedule:
      interval: 'monthly'
    groups:
      major:
        update-types:
          - 'major'
      minor-and-patch:
        update-types:
          - 'minor'
          - 'patch'
    ignore:
      - dependency-name: 'mocha'
      - dependency-name: 'node'
      - dependency-name: 'node-fetch'
      - dependency-name: 'p-queue'
      - dependency-name: 'yarn'

      # Ignore only major updates
      - dependency-name: '@types/chai'
        update-types: ['version-update:semver-major']
      - dependency-name: '@types/mocha'
        update-types: ['version-update:semver-major']
      - dependency-name: '@types/node'
        update-types: ['version-update:semver-major']
      - dependency-name: '@typescript-eslint/*'
        update-types: ['version-update:semver-major']
      - dependency-name: 'chai'
        update-types: ['version-update:semver-major']
      - dependency-name: 'eslint*'
        update-types: ['version-update:semver-major']
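The symptom described in this thread (scheduled version bumps carry the configured prefix, alert-driven security PRs do not) is easy to miss until a release is cut with the wrong type. The following audit script is an added example, not code from dependabot-core or from anyone in this thread. It checks open Dependabot PR titles against the commit-message.prefix from the dependabot.yaml above. It assumes security PRs can be recognised by a "security" label (adjust is_security_update for your repository's convention); the sample PR list is constructed to mirror the reported behaviour.

```python
"""Audit open Dependabot PR titles for the configured commit-message.prefix.

Added example, not dependabot-core's own code. The sample PR list below is
constructed: scheduled version bumps carry the prefix, alert-driven ones do not.
"""
from dataclasses import dataclass, field

# The prefix from the dependabot.yaml quoted above. The comparison ignores the
# trailing space so either rendering of the title passes.
PREFIX = "chore: EFPM-10618 "


@dataclass
class PullRequest:
    number: int
    title: str
    labels: list[str] = field(default_factory=list)


def is_security_update(pr: PullRequest) -> bool:
    """Assumption: alert-driven PRs are tagged with a 'security' label in this repo."""
    return "security" in pr.labels


def has_prefix(title: str, prefix: str = PREFIX) -> bool:
    """True when the PR title starts with the configured prefix (whitespace-insensitive)."""
    return title.lstrip().startswith(prefix.strip())


def audit_prefixes(prs, prefix: str = PREFIX) -> dict[str, list[int]]:
    """Return PR numbers whose title lacks the prefix, split by update kind.

    Keys: 'security' (alert-driven updates) and 'version' (scheduled bumps).
    A non-empty 'security' list with an empty 'version' list is the pattern
    reported in this issue.
    """
    missing: dict[str, list[int]] = {"security": [], "version": []}
    for pr in prs:
        if has_prefix(pr.title, prefix):
            continue
        kind = "security" if is_security_update(pr) else "version"
        missing[kind].append(pr.number)
    return missing


def from_gh_json(records) -> list[PullRequest]:
    """Convert `gh pr list --json number,title,labels` output into PullRequest values.

    In that output each label is an object with a 'name' key.
    """
    return [
        PullRequest(r["number"], r["title"], [lbl["name"] for lbl in r.get("labels", [])])
        for r in records
    ]


# Constructed sample: two scheduled bumps (prefixed) and two alert-driven bumps (not).
SAMPLE_PRS = [
    PullRequest(101, "chore: EFPM-10618 Bump lodash from 4.17.20 to 4.17.21",
                ["dependencies", "javascript"]),
    PullRequest(102, "Bump axios from 0.21.0 to 0.21.1",
                ["dependencies", "javascript", "security"]),
    PullRequest(103, "chore: EFPM-10618 Bump the minor-and-patch group with 3 updates",
                ["dependencies", "javascript"]),
    PullRequest(104, "Bump minimist from 1.2.5 to 1.2.6",
                ["dependencies", "javascript", "security"]),
]

if __name__ == "__main__":
    import json
    import sys

    # Pipe `gh pr list --author app/dependabot --state open --json number,title,labels`
    # into stdin to audit a real repository; otherwise the constructed sample is used.
    prs = from_gh_json(json.load(sys.stdin)) if not sys.stdin.isatty() else SAMPLE_PRS
    print(json.dumps(audit_prefixes(prs), indent=2))
```

Run against the constructed sample this reports PRs 102 and 104 (the security updates) as missing the prefix and no scheduled bumps, which is exactly the split the screenshots above show. Wiring it into a scheduled CI job gives an early warning whenever a Dependabot PR would land with a title that the release tooling does not classify as intended.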