dependabot / feedback

The old feedback repository for Dependabot. Click below for the new repository.
https://github.com/dependabot/dependabot-core

[feature] dependabot command to bumpversion? #333

Closed lorengordon closed 5 years ago

lorengordon commented 5 years ago

Had an idea... Sometimes when updating a dependency version, I find I also want to bump the version of my project to generate a release immediately. I like to use bumpversion to update the version in a config file .bumpversion.cfg, which a build system monitors for changes and then will handle release actions (tag the repo, etc).

I'm thinking it would be convenient if we could ask dependabot to handle the bumpversion... Something like:

@dependabot bumpversion patch

feelepxyz commented 5 years ago

@lorengordon don't think Dependabot should be running language specific scripts to release new versions. Looks like bumpversion is only for Python.

Also the current command interface wouldn't be ideal for this use case. You can only issue @dependabot commands from existing dependabot PRs that update some dependency so would have to wait for one of these PRs to release a new version of your library. I think this feature would require us to release a cli tool that helps with releases for all supported package managers.

Going to close this for now and revisit if we decide to investigate a cli version of dependabot. Let me know if I'm missing something here.

greysteil commented 5 years ago

Agree with @feelepxyz on this one - it would be rad, but we'd really be turning Dependabot into a more general CI if we did it, which would be a lot of work on our side.

Thanks for the suggestion, though!

lorengordon commented 5 years ago

Sorry, I meant that only as an example... bumpversion is written in python, but it just supports a syntax for matching a pattern in a file (or files), and incrementing that semantic version (it works fine for any language or repo). That's what I thought would be pretty cool to implement in dependabot...

lorengordon commented 5 years ago

> You can only issue @dependabot commands from existing dependabot PRs that update some dependency so would have to wait for one of these PRs to release a new version of your library.

Yes, this is exactly what I was envisioning. Dependabot opens a PR to update a dependency. User reviews the PR and the updated dependency, and decides that it is worth releasing immediately as a new version and so comments @dependabot <pick your syntax for incrementing the version>

feelepxyz commented 5 years ago

@lorengordon thanks for clarifying! I like the idea but unfortunately not something we want to start supporting with Dependabot 😢

Have you looked into ways of automating new releases from CI? This way you could use whichever tool does the job best for your language and set up a workflow that makes sense for your use case.

lorengordon commented 5 years ago

Of course, we already have CI actually create the release. The sticking point is the logic to codify when to release and what token to bump (major/minor/patch) in the version. There are usually pretty subjective elements to those considerations, and so marking the version is often a manual step. Generally, I've seen folks use labels on a PR, or a file, either of which are actually set manually and then read by the CI system. We chose to use a file, as it's easy to review in a PR. Considering dependabot already does semantic version comparison, edits files, and creates commits, I figured it would be a pretty easy add. But totally understand if it's not something you want to support.

lorengordon commented 5 years ago

@feelepxyz Here is an example PR from dependabot where I bumped the version myself:

This of course involves fetching and checking out the dependabot branch, modifying the file, creating the commit, and pushing it to the remote. That's the part I was hoping to make easier with dependabot.

On the merge to master, we have travis-ci check the version to determine whether to release:
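The two halves of the workflow discussed in this thread, the bumpversion-style edit (match a version pattern in a file, increment one semantic-version token) and the CI-side check that compares the committed version against the latest tag to decide whether to release, written out as an added example. This is not Dependabot's code and not the bumpversion project's code; it assumes bumpversion's INI-style `.bumpversion.cfg` layout (a `[bumpversion]` section with a `current_version` key), `SAMPLE_CFG` is constructed input, and `latest_git_tag` is a hypothetical helper wrapping `git describe --tags --abbrev=0`.

```python
# Added example: bump a version token in .bumpversion.cfg and decide in CI
# whether the result warrants a release. Not Dependabot's or bumpversion's code.
import configparser
import re
import subprocess
from typing import Optional, Tuple

# MAJOR.MINOR.PATCH, with an optional leading "v" as commonly used in git tags.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample of a .bumpversion.cfg as it would sit in a repository.
SAMPLE_CFG = """[bumpversion]
current_version = 1.4.2
commit = True
tag = True

[bumpversion:file:version.txt]
"""


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH into a comparable tuple; reject anything else."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def bump(version: str, part: str) -> str:
    """Increment one token; lower tokens reset to 0, as bumpversion does."""
    major, minor, patch = parse_semver(version)
    if part == "major":
        return f"{major + 1}.0.0"
    if part == "minor":
        return f"{major}.{minor + 1}.0"
    if part == "patch":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unknown version part {part!r}; expected major, minor or patch")


def bump_config(cfg_text: str, part: str) -> Tuple[str, str]:
    """Return (new_version, rewritten_cfg_text).

    The version is read with configparser, but the rewrite is a targeted
    substitution of the current_version line only, so the rest of the file
    (comments, ordering, other sections) is untouched and the resulting
    pull-request diff is a single reviewable line.
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    old = parser["bumpversion"]["current_version"].strip()
    new = bump(old, part)
    line_re = re.compile(
        r"^(\s*current_version\s*[=:]\s*)" + re.escape(old) + r"[ \t]*$",
        re.MULTILINE,
    )
    new_text, count = line_re.subn(lambda m: m.group(1) + new, cfg_text)
    if count != 1:
        raise ValueError(f"expected exactly one current_version line, found {count}")
    return new, new_text


def should_release(file_version: str, latest_tag: Optional[str]) -> bool:
    """CI-side check: release only when the committed version is newer than the latest tag."""
    if latest_tag is None:  # no tags yet: this is the first release
        return True
    return parse_semver(file_version) > parse_semver(latest_tag)


def latest_git_tag() -> Optional[str]:
    """Hypothetical helper: newest reachable tag, or None when the repo has none."""
    try:
        out = subprocess.run(
            ["git", "describe", "--tags", "--abbrev=0"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
        return out or None
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None


if __name__ == "__main__":
    # What a "@dependabot bumpversion patch" command would do to the file ...
    version, rewritten = bump_config(SAMPLE_CFG, "patch")
    print(f"bumped to {version}:\n{rewritten}")
    # ... and what the CI job on the default branch would decide afterwards.
    print("release:", should_release(version, latest_git_tag()))
```

The strict anchored regex and the single-line substitution are deliberate: a release-triggering edit made by a bot should change exactly one well-understood value, so a reviewer of the pull request can see the whole effect at a glance, and the CI check should refuse to release on anything that does not parse as a version.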

feelepxyz commented 5 years ago

Amazing, thanks for your detailed explanation!

We have been planning a bunch of improvements to the product for library maintainers so this could actually fit well around this.

Definitely up for exploring this more and might have some relevant news to share in the next month or two on how we could make this possible 😎

On Thu, 17 Jan 2019 at 21:12, Loren Gordon notifications@github.com wrote:

@feelepxyz https://github.com/feelepxyz Here is an example PR from dependabot where I bumped the version myself:

This of course involves checking out the dependabot branch, modifying the file, creating the commit, and pushing it to the remote. That's the part I was hoping to make easier with dependabot.

On the merge to master, we have travis-ci check the version to determine whether to release:

- https://github.com/plus3it/terraform-aws-codecommit-flow-ci/blob/master/.travis.yml#L30-L41

https://travis-ci.com/plus3it/terraform-aws-codecommit-flow-ci/jobs/171167047


ghost commented 4 years ago

Not to resurrect old threads, but this would be an awesome feature, was it ever released?

feelepxyz commented 4 years ago

@mjhorninger sadly not 😢 we're investigating if we can run Dependabot on GitHub Actions and this could then be implemented as a custom action fairly easily. Keen to figure out ways to make Dependabot more customisable in general so our small team isn't the only blocker for new features.

ffMathy commented 4 years ago

This would have been awesome. A shame.