Hoang-Minh opened 4 days ago
@Hoang-Minh I would recommend creating a new pipeline specifically for dependabot. You can have dependabot automatically run each day/week using a scheduled trigger. Here are some pipeline examples:

```yaml
trigger: none
schedules:
  - cron: '0 0 * * 0' # 00:00 UTC on Sunday
    always: true
    branches:
      include:
        - main
    batch: true
    displayName: Weekly (midnight sunday)
pool:
  name: Azure Pipelines
  vmImage: ubuntu-latest
steps:
  - task: dependabot@2
    displayName: Run Dependabot
    inputs:
      # your config here...
```

```yaml
trigger: none
schedules:
  - cron: '0 0 * * 0' # 00:00 UTC on Sunday
    always: true
    branches:
      include:
        - main
    batch: true
    displayName: Weekly (midnight sunday)
parameters:
  - name: repositoryNames
    displayName: 'Repository Names'
    type: object
    default:
      - 'Repo1'
      - 'Repo2'
      - 'Repo3'
jobs:
  - ${{ each repositoryName in parameters.repositoryNames }}:
    - job: dependabot_${{lower(replace(repositoryName, ' ', ''))}}
      displayName: Dependabot - ${{repositoryName}}
      pool:
        name: Azure Pipelines
        vmImage: ubuntu-latest
      steps:
        - task: dependabot@2
          displayName: Run Dependabot on ${{repositoryName}}
          continueOnError: true
          inputs:
            targetRepositoryName: ${{repositoryName}}
            # your config here...
```
Thanks @rhyskoedijk.
What about the dependabot.yml? Do I need to include that yml file in the repo? Does that mean I need 2 yml files in my repo, right?

```yaml
version: 2
updates:
  - package-ecosystem: 'nuget'
    directory: '/'
    target-branch: 'dev'
    open-pull-requests-limit: 15
    ignore:
      - dependency-name: 'Microsoft.Extensions.Caching.SqlServer'
    registries:
      - azure_artifacts
    schedule:
      interval: weekly
      # Check for updates every Sunday
      day: "sunday"
      time: "09:00"
      timezone: "America/Los_Angeles"
    # Labels on pull requests for security and version updates
    labels:
      - "npm dependencies"
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://xxx.pkgs.visualstudio.com/0497dd12-e7ca-49f7-999e-7f22d25e38c8/_packaging/TTCWebFeed/nuget/v3/index.json"
    token: "PAT:<PAT>"
```
Yes. If you only have one repo, it's simplest to put both the pipeline and dependabot yml files together in the same repository, e.g.

- `/.azuredevops/dependabot.yml` (your dependabot config file)
- `/.azuredevops/pipeline/run-dependabot.yml` (your DevOps pipeline file)

You do not need to specify `schedule` in your `dependabot.yml`; this is always ignored by the DevOps extension. Instead, use `schedules` in your `run-dependabot.yml` pipeline so that DevOps manages the pipeline scheduling.
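The two rules above (the pipeline, not `dependabot.yml`, owns the schedule; `trigger: none` needs a `schedules:` block or the pipeline never fires on its own) are easy to lose when the two files live side by side. As an added example that is not part of this thread or of the extension, this is a small regex-based lint over both files; it also cross-checks that every registry an update entry names is defined under the top-level `registries:`. The sample YAML strings are constructed (the `missing_feed` name is a deliberate mistake) and the checks are heuristic, not a YAML parser.

```python
import re

# Constructed samples (hypothetical, not the thread's exact files), laid out as the
# answer suggests: a scheduled DevOps pipeline plus a dependabot.yml in the same repo.
PIPELINE_OK = """\
trigger: none
schedules:
  - cron: '0 0 * * 0'
    branches:
      include:
        - main
steps:
  - task: dependabot@2
"""
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: 'nuget'
    directory: '/'
    registries:
      - azure_artifacts
      - missing_feed
    schedule:
      interval: weekly
registries:
  azure_artifacts:
    type: "nuget-feed"
"""

def check_pipeline(text):
    """A pipeline with trigger: none and no schedules: block never fires on its own."""
    top_keys = set(re.findall(r"^([\w-]+):", text, re.M))
    if re.search(r"^trigger:\s*none\s*$", text, re.M) and "schedules" not in top_keys:
        return ["trigger is none and no schedules: block; runs only when queued by hand"]
    return []

def check_dependabot(text):
    """Flag the setting the extension ignores and registry names that are never defined."""
    findings = []
    if re.search(r"^[ \t]+schedule:", text, re.M):  # nested under an updates entry
        findings.append("schedule: is ignored by the DevOps extension; schedule the pipeline instead")
    defined, referenced = set(), set()
    block = re.search(r"^registries:\n((?:[ \t]+.*\n?)*)", text, re.M)  # top-level map
    if block:
        defined = set(re.findall(r"^  ([\w-]+):", block.group(1), re.M))
    for ref in re.finditer(r"^[ \t]+registries:\n((?:[ \t]+- .*\n?)*)", text, re.M):
        referenced |= set(re.findall(r"-\s*([\w-]+)", ref.group(1)))  # list in an update entry
    for name in sorted(referenced - defined):
        findings.append(f"registry '{name}' is referenced but not defined under registries:")
    return findings
```

Run `check_dependabot` on the real file before committing it; a dangling registry name means the feed will never be consulted, while a leftover `schedule:` is silently ignored rather than rejected.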
Thank you very much @rhyskoedijk !!!
This is not really a bug. It's more of a question that I have. I currently have an existing yml in a specific folder for the CI build. Every time a PR (change) is checked in, we trigger the CI build.
Now, how do I add or combine the yml for dependabot, considering that in the dependabot yml we have trigger set to none, whereas in the CI yml we have trigger set to a specific branch? Ideally, we only want to run the dependabot scan once a week. Is that achievable with the v2 dependabot? Thank you.

- `azure-pipelines.yml`
- `dependabot-pipelines.yml`
- `dependabot.yml`