Closed. ViktorHofer closed this issue 11 months ago.
Can dependabot leverage private feeds (or feeds that require authentication)? I have recently discussed this with @danegsta about this specifically for the automatic updates of the dcp binaries, as well as the templates which will need to be re-packaged and shipped via the Aspire SDK Workload. Our discussion was that it should be doable to just use Arcade's dependency flow, since @danegsta found that it seems to be straight forward to use dependency flow even when you are not using Arcade to build.
Also, just dropping a note, this should eventually also cover adding dependency flow for dcp binaries and project templates.
Here is a full list of all of the packages that the repo depends on today which are not being automatically updated:
Can dependabot leverage private feeds (or feeds that require authentication)?
Looks like it can: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot
This should also include any updates to templates. For example, the templates now have a dependency on the R9 package Microsoft.Extensions.Http.Resilience; we should make sure this version is also updated each time there is a new version.
Dependabot is already enabled in repo settings for public dependencies.
I apparently don't have powers to make an access token for https://dev.azure.com/dnceng/internal feed. So waiting until Tues when we won't have a private feed anyway.
I was able to verify that dependabot can update a central package version file (i.e. <PackageVersion>, not <PackageReference Version..>). We may be able to have a conventional dependabot configuration that just scans the whole tree, plus ignore: entries, anyway.
What I tried: https://github.com/dotnet/aspire/compare/main...danmoseley:aspire:dependabot (temporarily removed private feed to avoid error). I was impressed that not only did it understand central package management but it even updated the original property value: https://github.com/danmoseley/aspire/pull/2/files
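An added example (not from the thread, the aspire repo, or the linked branch) of a dependabot.yml covering the points discussed above: a NuGet update job scanning the repo root where Directory.Packages.props lives, an authenticated Azure DevOps feed whose credential comes from a Dependabot secret rather than being committed, and an ignore: list for packages whose versions are flowed by Maestro instead. The feed URL, secret names and ignored package name are placeholders.

```yaml
version: 2
registries:
  # Authenticated feed. Credentials are Dependabot secrets
  # (repo Settings > Secrets and variables > Dependabot), never literals here.
  # FEED_NAME and the secret names are placeholders.
  dnceng-internal:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/dnceng/internal/_packaging/FEED_NAME/nuget/v3/index.json
    username: ${{secrets.DNCENG_FEED_USER}}
    password: ${{secrets.DNCENG_FEED_PAT}}
updates:
  - package-ecosystem: "nuget"
    # Scanning "/" picks up Directory.Packages.props (central package
    # management), so <PackageVersion> items get bumped, not each project file.
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - dnceng-internal
    # Leave packages that Arcade/Maestro codeflow already updates to Maestro,
    # so the two mechanisms do not fight over the same version line.
    ignore:
      - dependency-name: "PLACEHOLDER.Flowed.By.Maestro"
```

Without a registries: entry, Dependabot will fail to resolve any package that exists only on the private feed, which is the error the comment above avoided by temporarily removing that feed.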
I'm assuming DCP will use Arcade, otherwise dependabot will need a token to access their feed even after preview 1.
DCP is already using Arcade's dependency flow (not actual arcade for building, just the codeflow piece), and Aspire is already subscribed to automatically bumping the versions to latest using codeflow: https://github.com/dotnet/aspire/blob/05c40df7cf49cea33f3cedc39d6f5aabda6ba17d/eng/Version.Details.xml#L4-L31. The only thing that needs to be changed is that usvc repo needs to start pushing the packages to a public feed, and aspire needs to update its subscription.
Astra already depends on a large set of packages (internal and external) and none of them are auto-updated: https://github.com/dotnet/astra/blob/main/eng/Versions.props.
Dependabot would be suitable to update the dependencies. Some of our partner repositories already do that: https://github.com/dotnet/msbuild/blob/main/eng/dependabot/dependabot.csproj
As none of the Astra dependencies are managed by Darc/Maestro, moving the versions from Versions.props into Directory.Packages.props could be sufficient.
cc @mitchdenny