Dependabot integration

[utdemir]

Dependabot is an open-source SaaS which periodically checks for dependency updates and automatically sends PR's.

I think it will be a nice addition to Nix ecosystem if we teach Dependabot how to update Niv dependencies. I personally would love to have my hobby projects kept up-to-date (or get notified when something fails) without much effort.

The codebase is written in Ruby. The documentation for implementing a new "package manager" starts here. I am willing to (try to) implement this, if you are happy with it. Here is my implementation plan:

• Fetch nix/sources.json from the repository.
• For every key, use the spec to figure out the branch name and repository.
• Mark the branches pointing to a different rev as updates.

This requires re-implementing a bit of logic in Ruby; so it will need to be kept up-to-date, also it will be harder to change the format of sources.json. Dependabot already supports git_submodules, and I think I can borrow a bunch of code from there.

An alternative implementation approach would be:

• implement niv update --dry-run [PACKAGE] flag, which prints out a new spec for a package if there is an update.
• Implement niv show --machine-readable flag (should be kept backwards-compatible).
• Introduce niv dependency to Dependabot.
• Shell-out to niv at runtime on Dependabot to check updates.

The main disadvantage of this approach is that making Dependabot depend on niv. It'll be harder to get it merged, also it cause an even bigger maintenance burden to keep updating Dependabot with up-to-date Niv versions. Also, I feel like sources.json format is relatively stable and it's easier to use that rather than niv's shell interface.

Do you think this is a good idea? Would you prefer an another approach?

[nmattia]

Yes, that would be great! For inspiration, there's also : https://github.com/knl/niv-updater-action

After looking at the implementation, I realized that there's a lot of stuff that could be implemented in niv directly. If you get started on the dependabot implementation, don't hesitate to reach out regularly and point out what could be done in niv! (especially if that reduces the need to duplicate the logic in ruby)

[domenkozar]

That would be really lovely. See https://github.com/sgraf812/dependabot-core/issues for Haskell

[domenkozar]

Meanwhile see https://github.com/arianvp/nixos-stuff/blob/master/.github/workflows/update-dependencies.yml

I'll integrate that into https://github.com/nix-dot-dev/getting-started-nix-template

[nmattia]

Oh, that's interesting! https://github.com/arianvp/nixos-stuff/blob/master/.github/workflows/update-dependencies.yml

There's also this little gem: https://github.com/knl/niv-updater-action

I think both could be made simpler with some updates to niv, especially how to deals with github repo. I didn't drop the ball on this, though I was out for a while; I'll have a look as soon as I'm back to cruising speed.

[domenkozar]

I've simplified it a bit: https://github.com/nix-dot-dev/getting-started-nix-template/blob/master/.github/workflows/update-niv.yml

The major downside is that you need to specify personal access token for github as a secrets so it will trigger a CI build of the new PR.