dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support for Cake-Build Projects #733

Open gep13 opened 5 years ago

gep13 commented 5 years ago

Edit from the Dependabot team: This is the main tracking issue for adding support for Cake.

PR: https://github.com/dependabot/dependabot-core/pull/958

Related Issues: https://github.com/dependabot/dependabot-core/issues/733


It would be great if dependabot could support updating dependencies which are defined by people using Cake-Build (https://cakebuild.net/).

Cake is a build automation framework that allows people to take a dependency on NuGet packages that are either an addin, tool or module. You can see examples of the types of dependency definitions here:

https://github.com/cake-contrib/Cake.Recipe/blob/develop/Cake.Recipe/Content/addins.cake#L5-L23
https://github.com/cake-contrib/Cake.Recipe/blob/develop/Cake.Recipe/Content/tools.cake#L5-L20
https://github.com/chocolatey/ChocolateyGUI/blob/develop/setup.cake#L1
https://github.com/chocolatey/ChocolateyGUI/blob/develop/setup.cake#L2

Notice that there are different ways for these dependencies to be expressed, based on how the project is created.

Cake itself is also a dependency, which is normally defined in the tools/packages.config files, as shown here:

https://github.com/cake-contrib/Cake.Recipe/blob/develop/tools/packages.config

This is just a normal NuGet packages.config file, so this might already be supported in dependabot today.

We already have an attempt at doing something similar to this on a much smaller scale. For example this PR:

https://github.com/cake-contrib/Cake.Recipe/pull/263

Was created by our automated process.

Documentation on the pre-processor directives that can define these dependencies can be found here:

https://cakebuild.net/docs/fundamentals/preprocessor-directives

/cc @greysteil
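As an added example (not Dependabot's or Cake's own code), here is a small Ruby parser for the `#addin`, `#tool` and `#module` preprocessor directives the issue describes, extracting the package name, pinned version and optional feed URL that an updater would need. The directive shapes it handles (quoted or unquoted `nuget:` reference, optional feed URL before the `?`, optional `version` and `prerelease` parameters) and the sample script are assumptions constructed for this example.

```ruby
require "cgi"

# Matches "#addin nuget:?package=X&version=1.0" with or without surrounding
# quotes; the directive shape is assumed from the Cake preprocessor docs.
CAKE_DIRECTIVE = /\A\s*#(addin|tool|module)\s+"?(nuget:[^"\s]*)"?/i

# Returns one hash per dependency directive found in a Cake script.
def parse_cake_dependencies(script)
  script.each_line.with_index(1).filter_map do |line, lineno|
    m = CAKE_DIRECTIVE.match(line) or next
    kind, ref = m[1].downcase, m[2]
    # ref is "nuget:<optional feed url>?package=Name&version=1.2.3[&prerelease]"
    body = ref.sub(/\Anuget:/i, "")
    feed, _, query = body.partition("?")
    params = CGI.parse(query)
    name = params["package"].first
    next if name.nil? || name.empty? # malformed directive: nothing to update
    {
      type: kind,
      name: name,
      version: params["version"].first,      # nil when the version is not pinned
      source: feed.empty? ? nil : feed,      # nil means the default NuGet feed
      line: lineno,
      prerelease: params.key?("prerelease")
    }
  end
end

# Unpinned directives cannot be updated deterministically (and float silently
# to whatever the feed serves), so they are the first thing to flag.
def unpinned(deps)
  deps.reject { |d| d[:version] }
end

# Constructed sample script covering each directive shape handled above.
CAKE_SAMPLE = <<~CAKE
  #addin nuget:?package=Cake.Coveralls&version=0.7.0
  #tool "nuget:?package=GitVersion.CommandLine&version=4.0.0"
  #module nuget:https://example.invalid/F/feed/api/v2?package=Cake.DotNetTool.Module&version=0.1.0
  #addin nuget:?package=Cake.Git&prerelease
  #load build/tasks.cake
  var target = Argument("target", "Default");
CAKE

if __FILE__ == $PROGRAM_NAME
  deps = parse_cake_dependencies(CAKE_SAMPLE)
  deps.each { |d| puts "#{d[:type]} #{d[:name]} #{d[:version] || '(unpinned)'} from #{d[:source] || 'default feed'}" }
  puts "unpinned: #{unpinned(deps).map { |d| d[:name] }.join(', ')}"
end
```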

gitfool commented 5 years ago

@greysteil I’d also love to have this. What’s involved to make it so? Would it be best done by extending the existing NuGet implementation, or would it be a separate implementation? 🤔

gep13 commented 5 years ago

@gitfool I had an email conversation with @greysteil about this at the time that I created this issue. Here is what was said...

@greysteil said... Sounds like we could add this to Dependabot as a new language. The place we’d need to add it is here and there’s an example of a PR that adds a new language here. I’m happy to help out if you’re keen (or if you have anyone who can write Ruby they could probably do it without much help), but am a little swamped for the next couple of weeks. Do you want to open an issue on dependabot core either way, and we can take it from there?

I don't know enough Ruby to help on this, but happy to review/test anything that you might come up with.

greysteil commented 5 years ago

Yep, what @gep13 said! I'm super busy at the moment (a couple of big things coming on Dependabot) but always happy to help out. If enough people want this I'll take it on myself when things calm down, too.

gitfool commented 5 years ago

@greysteil FWIW, I'm having a look around and some of the repo file names have colons (:) in them which are invalid file name characters on Windows:

$ git status
On branch master
Your branch is up to date with 'origin/master'.

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        deleted:    composer/spec/fixtures/packagist_responses/dependabot:dummy-pkg-a.json
        deleted:    composer/spec/fixtures/packagist_responses/doctrine:dbal.json
        deleted:    composer/spec/fixtures/packagist_responses/illuminate:console.json
        deleted:    composer/spec/fixtures/packagist_responses/illuminate:support.json
        deleted:    composer/spec/fixtures/packagist_responses/longman:telegram-bot.json
        deleted:    composer/spec/fixtures/packagist_responses/monolog:monolog.json
        deleted:    composer/spec/fixtures/packagist_responses/neos:flow.json
        deleted:    composer/spec/fixtures/packagist_responses/path_dep:path_dep.json
        deleted:    composer/spec/fixtures/packagist_responses/pear-pear.horde.org:horde_date.json
        deleted:    composer/spec/fixtures/packagist_responses/phpdocumentor:reflection-docblock.json
        deleted:    composer/spec/fixtures/packagist_responses/symfony:polyfill-mbstring.json
        deleted:    composer/spec/fixtures/packagist_responses/wpackagist-plugin:acf-to-rest-api.json

I'd prefer to use Windows Subsystem for Linux (WSL) for the Ruby environment while editing in Windows with Visual Studio Code, but then these file names will still cause me grief.

greysteil commented 5 years ago

I had no idea! Fixed in https://github.com/dependabot/dependabot-core/commit/4db144e884b53db3b386f905249f514e76950237.

gitfool commented 4 years ago

No, stalebot!

nils-a commented 3 years ago

@jacob-morgan @gitfool I saw that others created github-actions (ex. https://github.com/patrickjahns/dependabot-terraform-action) to "extend" dependabot in that way while waiting for the "real" implementation in dependabot.

Would that be a "temporary fix" while we're all waiting on this issue?