dotnet / aspire

An opinionated, cloud ready stack for building observable, production ready, distributed applications in .NET
https://learn.microsoft.com/dotnet/aspire
MIT License

Leverage dependabot to update dependencies #182

Closed ViktorHofer closed 10 months ago

ViktorHofer commented 1 year ago

Astra already depends on a large set of packages (internal and external) and none of them are auto-updated: https://github.com/dotnet/astra/blob/main/eng/Versions.props.

Dependabot would be suitable to update the dependencies. Some of our partner repositories already do that: https://github.com/dotnet/msbuild/blob/main/eng/dependabot/dependabot.csproj

As none of the Astra dependencies are managed by Darc/Maestro, moving the versions from Versions.props into Directory.Packages.props could be sufficient.

cc @mitchdenny

joperezr commented 1 year ago

Can dependabot leverage private feeds (or feeds that require authentication)? I have recently discussed this with @danegsta about this specifically for the automatic updates of the dcp binaries, as well as the templates which will need to be re-packaged and shipped via the Aspire SDK Workload. Our discussion was that it should be doable to just use Arcade's dependency flow, since @danegsta found that it seems to be straightforward to use dependency flow even when you are not using Arcade to build.

joperezr commented 1 year ago

Also, just dropping a note, this should eventually also cover adding dependency flow for dcp binaries and project templates.

joperezr commented 1 year ago

Here is a full list of all of the packages that the repo depends on today which are not being automatically updated:

https://github.com/dotnet/astra/blob/423a3ed9224b2a088b67b1e0f63c06efe765edd1/Directory.Packages.props#L7-L77

mitchdenny commented 1 year ago

Can dependabot leverage private feeds (or feeds that require authentication)?

Looks like it can: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot

joperezr commented 11 months ago

This should also include any updates to templates. For example, the templates now have a dependency on the R9 package Microsoft.Extensions.Http.Resilience, we should make sure this version is also updated each time there is a new version.

danmoseley commented 10 months ago

Dependabot is already enabled in repo settings for public dependencies.

danmoseley commented 10 months ago

I apparently don't have powers to make an access token for https://dev.azure.com/dnceng/internal feed. So waiting until Tues when we won't have a private feed anyway.

I was able to verify that dependabot can update a central package version file (i.e. <PackageVersion>, not <PackageReference Version..>). We may be able to have a conventional dependabot configuration that just scans the whole tree.

What I tried: https://github.com/dotnet/aspire/compare/main...danmoseley:aspire:dependabot (temporarily removed private feed to avoid error) and I was impressed that not only did it understand central package management but even updated the original property value: https://github.com/danmoseley/aspire/pull/2/files
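The configuration the thread is circling around, written out as an added example (this is not the aspire repo's own dependabot.yml, and the feed name, secret names and username are placeholders): a `nuget` update entry that scans from the repo root, so that with central package management Dependabot edits the `<PackageVersion>` entries in Directory.Packages.props, plus a `registries` entry for the authenticated feed that danmoseley had to remove temporarily. The credential comes from a Dependabot secret, so it never lands in the tree or in the pull requests Dependabot opens.

```yaml
# .github/dependabot.yml (added example; not the aspire repo's own configuration)
version: 2

registries:
  # Hypothetical entry for the authenticated Azure DevOps feed discussed above.
  # FEED-NAME-PLACEHOLDER and the secret names are placeholders, not the
  # repo's real values. Dependabot reads the PAT from a Dependabot secret, so
  # no credential is committed and none is echoed into the update PRs.
  dnceng-internal:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/dnceng/internal/_packaging/FEED-NAME-PLACEHOLDER/nuget/v3/index.json
    username: ${{ secrets.DNCENG_FEED_USER }}
    password: ${{ secrets.DNCENG_FEED_PAT }}

updates:
  - package-ecosystem: nuget
    # Scan from the root: with central package management the versions live in
    # Directory.Packages.props (<PackageVersion Include="..." Version="..." />),
    # and Dependabot updates that file instead of each project's PackageReference.
    directory: "/"
    schedule:
      interval: weekly
    # Only needed while a private feed is in play; drop this list once every
    # dependency resolves from a public feed.
    registries:
      - dnceng-internal
    open-pull-requests-limit: 10
    # Move the Microsoft.Extensions.* packages together so a template that
    # references one of them (e.g. Microsoft.Extensions.Http.Resilience) does
    # not end up on a mix of versions after a partial bump.
    groups:
      microsoft-extensions:
        patterns:
          - "Microsoft.Extensions.*"
```

Two things worth checking after enabling this: that the repository's Dependabot secrets (not Actions secrets) hold the feed credential, since Dependabot jobs cannot read the Actions secret store, and that the PAT is scoped to package read only, because it is the one credential an update job carries.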

danmoseley commented 10 months ago

I'm assuming DCP will use Arcade, otherwise dependabot will need a token to access their feed even after preview 1.

joperezr commented 10 months ago

DCP is already using Arcade's dependency flow (not actual Arcade for building, just the codeflow piece), and Aspire is already subscribed to automatically bumping the versions to latest using codeflow: https://github.com/dotnet/aspire/blob/05c40df7cf49cea33f3cedc39d6f5aabda6ba17d/eng/Version.Details.xml#L4-L31. The only thing that needs to be changed is that the usvc repo needs to start pushing the packages to a public feed, and aspire needs to update its subscription.