dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

YAML aliases #1582

Open prma85 opened 4 years ago

prma85 commented 4 years ago

As a user, I would like to use YAML aliases to convert long code/configuration that repeats into a simple one. Today, if you try to do it, you will get the error `YAML aliases are not supported`.

I would like to convert

```yml
version: 1
update_configs:
    # Keep package.json up to date
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"
    version_requirement_updates: "auto"
    allowed_updates:
        - match:
            dependency_type: "all"
            update_type: "all"
    automerged_updates:
        - match:
            dependency_type: "all"
            update_type: "semver:minor"

    # Also update the defaults
  - package_manager: "javascript"
    directory: "/__defaults"
    update_schedule: "live"
    version_requirement_updates: "auto"
    allowed_updates:
        - match:
            dependency_type: "all"
            update_type: "all"
    automerged_updates:
        - match:
            dependency_type: "all"
            update_type: "semver:minor"
```

into 
```yml
default: &DEFAULT
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"
    version_requirement_updates: "auto"
    allowed_updates:
        - match:
            dependency_type: "all"
            update_type: "all"
    automerged_updates:
        - match:
            dependency_type: "all"
            update_type: "semver:minor"

version: 1
update_configs:
    <<: *DEFAULT

    # Also update the defaults
    <<: *DEFAULT
    directory: "/__defaults"
```

feelepxyz commented 4 years ago

@prma85 👋 thanks for the suggestion! We're holding off on supporting aliases until we know what will be supported in GitHub Actions workflow files. We're keen to keep these feature compatible so we can migrate towards actions in future.

amthorn commented 3 years ago

I'd like to request to reopen this one. YAML aliases would be super useful for Dependabot.

tenpaiyomi commented 2 years ago

Voicing my request for this as well. A simple alias can help me clean up 44 duplicate lines of code down into just 4 (plus the original alias block)

TArch64 commented 2 years ago

Same here. YAML aliases are super useful

ghost commented 2 years ago

Vote at https://github.com/orgs/community/discussions/37496 (warming up this old issue as this is the first search-result)

jeffwidman commented 2 years ago

Yeah, this should be re-opened, it got missed back when we had stalebot a long time ago.

I'm not sure we'll do it... as noted above, we have some interest in moving to be more compatible with actions workflow files, but in the meantime this should stay open.

jeffwidman commented 1 year ago

If we do ever implement this, note the warning from @greysteil:

> it's surprisingly tricky to do in Ruby whilst avoiding the potential for DoS attacks from memory leaks.

landongrindheim commented 5 months ago

👋 Still not sure we'll do this, but this feature request deserves some context.

Dependabot has a backend service that parses the dependabot.yml config file and transforms it into a shape that can be used when Dependabot runs its update jobs. We've accrued quite a few ecosystems, which each have unique considerations. This parsing ends up being more complex than we'd like already, and introducing YAML aliases would make it more complex. Given that we have users with hundreds of configurations within a single file, the previously shared warning is a factor as well.

BUT I can share that we're currently running a public beta which introduces multi-directory support. While it may not satisfy the needs for all use cases mentioned in this thread, it should address the case in this issue's description. That might look something like 👇 today.

```yml
version: 2
updates:
  - package-ecosystem: npm
    directories:
      - "/"
      - "/__defaults"
    schedule:
      interval: daily
    allow:
      - dependency-type: all
```

carlincherry commented 5 months ago

Hi all 👋, Dependabot PM here! Thank you for your suggestions and for contributing to the discussion. At this time, we won't be prioritizing this feature for the following reasons (thank you @landongrindheim for the summary above, to reiterate your comments):

However, for some potential solves for issues mentioned in this thread, check out our multi-directory public beta!

We appreciate your understanding and thank you again for your feedback!

lucasfcnunes commented 2 months ago

@prma85

Shouldn't it be something like the following?

```yml
# ...
update_configs:
  - <<: *DEFAULT
  # Also update the defaults
  - <<: *DEFAULT
    directory: "/__defaults"
```
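
Added example, not part of the thread and not Dependabot's code: one way a Ruby parser could accept aliases while bounding what they expand to, in the spirit of the DoS warning quoted above, is to measure the alias-expanded size of the parsed YAML tree before loading it. `MAX_EXPANDED_NODES`, `ConfigRejected`, `expanded_size`, `load_config_with_aliases` and both sample documents are assumptions made for this example.

```ruby
require "psych"

MAX_EXPANDED_NODES = 10_000 # hypothetical limit for this example
class ConfigRejected < StandardError; end

# Node count under `node` once every alias is expanded, computed on the
# parsed AST with memoisation, so the expansion is never materialised.
def expanded_size(node, state)
  if node.is_a?(Psych::Nodes::Alias)
    target = state[:anchors][node.anchor]
    raise ConfigRejected, "unknown anchor *#{node.anchor}" unless target
    # Sizes are stored only after a node is fully measured: nil means a cycle.
    size = state[:sizes][target]
    raise ConfigRejected, "recursive alias *#{node.anchor}" unless size
  else
    state[:anchors][node.anchor] = node if node.respond_to?(:anchor) && node.anchor
    # Scalar nodes may report nil children, hence Array().
    size = 1 + Array(node.children).sum { |child| expanded_size(child, state) }
    state[:sizes][node] = size
  end
  raise ConfigRejected, "expands past #{state[:budget]} nodes" if size > state[:budget]
  size
end

# Enforce the budget first, then load with aliases on and only core types allowed.
def load_config_with_aliases(yaml, budget: MAX_EXPANDED_NODES)
  doc = Psych.parse(yaml)
  return nil unless doc
  expanded_size(doc, { anchors: {}, sizes: {}.compare_by_identity, budget: budget })
  Psych.safe_load(yaml, aliases: true)
end

# Constructed sample: the issue's v1 config, shortened, with the shared entry as a mapping.
SAMPLE = <<~YAML
  default: &DEFAULT
    package_manager: "javascript"
    directory: "/"
  version: 1
  update_configs:
    - <<: *DEFAULT
    - <<: *DEFAULT
      directory: "/__defaults"
YAML
# Constructed sample: three lines whose aliases multiply to 672 nodes when expanded.
NESTED = <<~YAML
  a: &a [x, x, x, x, x, x, x, x]
  b: &b [*a, *a, *a, *a, *a, *a, *a, *a]
  c: [*b, *b, *b, *b, *b, *b, *b, *b]
YAML
```

The check runs in time linear in the size of the file, and the document is parsed twice (once for the check, once by `Psych.safe_load`).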