tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License
190 stars 63 forks

[Question] How do I use the existing yml CI along with dependabot yml ? #1410

Open Hoang-Minh opened 4 days ago

Hoang-Minh commented 4 days ago

This is not really a bug. It's more like a question that I have. I currently have an existing yml in a specific folder for the CI build. Every time a PR (change) is checked in, we trigger the CI build.

Now, how do I add or combine the yml for dependabot, considering that in the dependabot yml we have trigger set to none, whereas in the CI yml we have trigger set to specific branches? Ideally, we only want to run the dependabot scan one time a week. Is it achievable with the v2 dependabot? Thank you.

azure-pipelines.yml

# ASP.NET Core

# Build and test ASP.NET Core projects targeting .NET Core.
# Add steps that run tests, create a NuGet package, deploy, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/dotnet-core
---
variables:
  - name: buildConfiguration
    value: Release
  - name: agentPool
    "${{ if or(eq(variables['Build.SourceBranchName'], 'dev'), eq(variables['Build.SourceBranchName'], 'main'), eq(variables['Build.SourceBranchName'], 'dev-ttcdbtst')) }}":
      value: "TTC Servers"
    "${{ else }}":
      value: Azure Pipelines
  - name: rootPath
    value: "./../../../"
  - name: projectPath
    value: "./../"
  - name: unitTestPath
    value: "./../../Api.Test"
  - name: workingDirectory
    value: "src/Api/Build"
trigger:
  - main
  - dev
  - feature/*
jobs:
  - job: null
    displayName: Build and Publish Artifacts
    pool:
      name: $(agentPool)
      vmImage: ubuntu-latest
    steps:
    - checkout: self
      fetchDepth: 0
    - task: UseDotNet@2
      displayName: 'Install .NET 8 SDK'
      inputs:
        packageType: 'sdk'
        version: '8.x'
    - task: Bash@3
      displayName: 'Check what account is running'
      inputs:
        targetType: 'inline'
        script: 'whoami'
        workingDirectory: $(workingDirectory)
    - task: Bash@3
      displayName: 'Install Cake.Tool'
      inputs:
        targetType: 'inline'
        # "||" (not "|") so the fallback message only runs when the install fails
        script: 'dotnet tool install --global Cake.Tool || echo "Already installed"'
        workingDirectory: $(workingDirectory)
    - task: Bash@3
      displayName: 'Execute dotnet cake command'
      inputs:
        targetType: 'inline'
        script: 'dotnet cake --rootPath=$(rootPath) --projectPath=$(projectPath) --unitTestPath=$(unitTestPath)'
        workingDirectory: $(workingDirectory)
    - task: PublishBuildArtifacts@1
      displayName: 'Publish Build Artifacts'
      inputs:
        PathtoPublish: 'artifacts'
        ArtifactName: 'Artifact'
        publishLocation: 'Container'

dependabot-pipelines.yml

#inputs options: https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/extension/README.md
trigger: none
stages:
  - stage: CheckDependencies
    displayName: Check Dependencies
    jobs:
      - job: Dependabot
        displayName: Run Dependabot
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: dependabot@2
            displayName: Run Dependabot
            inputs:
              setAutoComplete: true

dependabot.yml

version: 2
updates:
  - package-ecosystem: 'nuget'
    directory: '/'
    target-branch: 'dev'
    open-pull-requests-limit: 15
    ignore:
      - dependency-name: 'Microsoft.Extensions.Caching.SqlServer'
    registries:
      - azure_artifacts
    schedule:
      interval: weekly
      # Check for NuGet updates every Sunday
      day: "sunday"
      time: "09:00"
      timezone: "America/Los_Angeles"
    # Labels on pull requests for security and version updates
    labels:
      - "npm dependencies"
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://xxx.pkgs.visualstudio.com/0497dd12-e7ca-49f7-999e-7f22d25e38c8/_packaging/TTCWebFeed/nuget/v3/index.json"
    token: "PAT:<PAT>"

rhyskoedijk commented 4 days ago

@Hoang-Minh I would recommend creating a new pipeline specifically for dependabot. You can have dependabot automatically run each day/week using a scheduled trigger. Here are some pipeline examples:

Run dependabot weekly on the current repository only

trigger: none
schedules:
- cron: '0 0 * * 0' # 00:00 UTC on Sunday
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Weekly (midnight sunday)

pool:
  name: Azure Pipelines
  vmImage: ubuntu-latest
steps:
  - task: dependabot@2
    displayName: Run Dependabot
    inputs:
      # your config here...

Run dependabot weekly for multiple repositories

trigger: none
schedules:
- cron: '0 0 * * 0' # 00:00 UTC on Sunday
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Weekly (midnight sunday)

parameters:
  - name: repositoryNames
    displayName: 'Repository Names'
    type: object
    default:
      - 'Repo1'
      - 'Repo2'
      - 'Repo3'

jobs:
  - ${{ each repositoryName in parameters.repositoryNames }}:
    - job: dependabot_${{lower(replace(repositoryName, ' ', ''))}}
      displayName: Dependabot - ${{repositoryName}}
      pool:
        name: Azure Pipelines
        vmImage: ubuntu-latest
      steps:
        - task: dependabot@2
          displayName: Run Dependabot on ${{repositoryName}}
          continueOnError: true
          inputs:
            targetRepositoryName: ${{repositoryName}}
            # your config here...

Hoang-Minh commented 4 days ago

Thanks @rhyskoedijk .

What about the dependabot.yml? Do I need to include that yml file in the repo? Does it mean that I need 2 yml files in my repo, right?

version: 2
updates:
  - package-ecosystem: 'nuget'
    directory: '/'
    target-branch: 'dev'
    open-pull-requests-limit: 15
    ignore:
      - dependency-name: 'Microsoft.Extensions.Caching.SqlServer'
    registries:
      - azure_artifacts
    schedule:
      interval: weekly
      # Check for NuGet updates every Sunday
      day: "sunday"
      time: "09:00"
      timezone: "America/Los_Angeles"
    # Labels on pull requests for security and version updates
    labels:
      - "npm dependencies"
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://xxx.pkgs.visualstudio.com/0497dd12-e7ca-49f7-999e-7f22d25e38c8/_packaging/TTCWebFeed/nuget/v3/index.json"
    token: "PAT:<PAT>"

rhyskoedijk commented 4 days ago

Yes. If you only have one repo, it's simplest to put both the pipeline and dependabot yml files together in the same repository. e.g.

You do not need to specify `schedule` in your dependabot.yml; it is always ignored by the DevOps extension. Instead, use `schedules` in your run-dependabot.yml pipeline so that DevOps manages the pipeline scheduling.
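
A small consistency check over the two files discussed in this thread, added here as an example (it is not part of the issue, the extension, or its docs). The YAML is passed in already parsed as dicts/lists so only the standard library is needed; the `${{ VAR }}` token-substitution syntax it looks for is an assumption about how a secret would be referenced instead of committed.

```python
# Added example: sanity-check a dependabot pipeline yml plus its dependabot.yml.
# Inputs are the parsed YAML (dict/list), e.g. from yaml.safe_load(); no extra deps.

UTC_NOTE = "Azure Pipelines cron schedules run in UTC; the dependabot.yml timezone is never used"


def check_dependabot_setup(pipeline: dict, dependabot_cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    # 1. The dependabot pipeline must not reuse the CI branch triggers.
    if pipeline.get("trigger") != "none":
        findings.append("pipeline: 'trigger' is not 'none'; dependabot would run on every push")
    # 2. Without a schedules block nothing ever runs it automatically.
    schedules = pipeline.get("schedules") or []
    if not schedules:
        findings.append("pipeline: no 'schedules' block; dependabot will never run on its own")
    for s in schedules:
        cron = str(s.get("cron", ""))
        if len(cron.split()) != 5:
            findings.append(f"pipeline: cron '{cron}' must have 5 fields (min hour dom mon dow)")
        if not s.get("always"):
            findings.append("pipeline: schedule without 'always: true' only runs after source changes")
    # 3. The extension ignores the dependabot.yml schedule; a stale one misleads readers.
    for upd in dependabot_cfg.get("updates", []):
        eco = upd.get("package-ecosystem", "?")
        if "schedule" in upd:
            findings.append(f"dependabot.yml: 'schedule' under {eco} is ignored by the extension; {UTC_NOTE}")
    # 4. Registry credentials must not be committed as literals in the repo.
    for name, reg in (dependabot_cfg.get("registries") or {}).items():
        token = str(reg.get("token", ""))
        if token and "${{" not in token:  # assumption: ${{ VAR }} is substituted at run time
            findings.append(f"dependabot.yml: registry '{name}' has a literal token; reference a variable instead")
    return findings


# Constructed samples mirroring the files posted above (placeholders, not real values).
USER_PIPELINE = {"trigger": "none", "stages": [{"stage": "CheckDependencies"}]}  # no schedules
USER_DEPENDABOT = {
    "version": 2,
    "updates": [{"package-ecosystem": "nuget", "directory": "/", "registries": ["azure_artifacts"],
                 "schedule": {"interval": "weekly", "day": "sunday", "timezone": "America/Los_Angeles"}}],
    "registries": {"azure_artifacts": {"type": "nuget-feed", "url": "<feed url>", "token": "PAT:<PAT>"}},
}
FIXED_PIPELINE = {"trigger": "none",
                  "schedules": [{"cron": "0 0 * * 0", "always": True, "branches": {"include": ["main"]}}]}
FIXED_DEPENDABOT = {
    "version": 2,
    "updates": [{"package-ecosystem": "nuget", "directory": "/", "registries": ["azure_artifacts"]}],
    "registries": {"azure_artifacts": {"type": "nuget-feed", "url": "<feed url>", "token": "PAT:${{ DEPENDABOT_PAT }}"}},
}

if __name__ == "__main__":
    for finding in check_dependabot_setup(USER_PIPELINE, USER_DEPENDABOT):
        print("-", finding)
```

Running it against the as-posted files reports the missing `schedules` block, the ignored `schedule` in dependabot.yml and the literal token; the corrected pair reports nothing.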

Hoang-Minh commented 4 days ago

Thank you very much @rhyskoedijk !!!