tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

Dependabot PR includes changes from custom PRs - Need to exclude non-main branch changes #1427

Open ahmetgul93 opened 4 weeks ago

ahmetgul93 commented 4 weeks ago

Describe the bug

I would like Dependabot to only base its pull requests on the changes in the main branch and not include any changes from other open PRs or branches. This behavior is causing conflicts and making it difficult to review the dependencies independently from other feature or custom changes.

The PR created by Dependabot takes changes from other open PRs as well. I want Dependabot to create PRs based only on main. I found rebase-strategy and set it to disabled, but that didn't work either.

Could you please help me with how I can do this?

dependabot.yml:

version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    key: "aaaa"
    url: "xxxxx"
    token: PAT:${{ TOKEN}}
updates:
  - package-ecosystem: "nuget"
    directories: [ '/aa/bb/*' ]
    allow:
      - dependency-name: "AA.BB"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    rebase-strategy: "disabled"
    commit-message:
      prefix: "test"
    open-pull-requests-limit: 3
  - package-ecosystem: "nuget"
    directories: [ '/cc/dd/*' ]
    allow:
      - dependency-name: "AA.CC"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    rebase-strategy: "disabled"
    commit-message:
      prefix: "test"
    open-pull-requests-limit: 3

Azure DevOps pipeline:

stages:
  - stage: DependencyChecking
    jobs:
      - job: Dependabot
        displayName: 'Dependabot'
        steps:
          - task: dependabot@2
            displayName: 'Dependabot'
            inputs:
              useUpdateScriptvNext: true
            env:
              TOKEN: $(System.AccessToken)
rhyskoedijk commented 3 weeks ago

@ahmetgul93 thanks for the report. Could you please provide some more information on what you are seeing in your pull requests; more specifically, a visualization of the branch history and commits that illustrates which commit the PR originates from and which commits you are not expecting to see in the PR?

By using target-branch: main, Dependabot should be using the latest commit on that branch; there shouldn't be any other commits from other branches.

It is possible that this has something to do with how you have multiple "nuget" package ecosystems configured; to rule that out, does it behave as expected if only one "nuget" update config is present?

It would also be good to clarify exactly which version of the dependabot task you are using as the pipeline you pasted above has conflicting information. If you are using dependabot@2, you can't have useUpdateScriptvNext: true as that would be invalid configuration. Are you using dependabot@2 or dependabot@1?
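
The branch-history check the maintainer asks for can be scripted. The block below is an added example, not part of this issue and not code from the dependabot-azure-devops project: it builds a throwaway local repo (git must be installed) with two Dependabot-style branches, one cut from main and one cut from an unmerged feature branch, and prints the commit graph plus the commits on each branch that do not come from Dependabot. Every branch name, file, author and commit message in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of this issue or of the dependabot-azure-devops
# project. Builds a throwaway repo with the two histories under discussion
# and shows the git queries that separate them. Repo layout, branch names,
# authors and commit messages are all constructed.
set -eu

# make_demo_repo: create a temporary repo and print its path.
#   main ........................ initial commit
#   feature/login ............... main + one developer commit (unmerged)
#   dependabot/nuget/AA.BB-2.0.0  forked from main, one bump commit (healthy)
#   dependabot/nuget/AA.CC-2.0.0  forked from feature/login (reported symptom)
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.name "Developer"
  git -C "$repo" config user.email "dev@example.com"
  git -C "$repo" config commit.gpgsign false
  printf '<PackageReference Include="AA.BB" Version="1.0.0" />\n' > "$repo/app.csproj"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "Initial commit"

  git -C "$repo" checkout -q -b feature/login
  printf 'class Login {}\n' > "$repo/Login.cs"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "Add login page"

  git -C "$repo" checkout -q main
  git -C "$repo" checkout -q -b dependabot/nuget/AA.BB-2.0.0
  printf '<PackageReference Include="AA.BB" Version="2.0.0" />\n' > "$repo/app.csproj"
  git -C "$repo" add -A
  git -C "$repo" -c user.name='dependabot[bot]' -c user.email='dependabot@example.invalid' \
    commit -q -m "Bump AA.BB from 1.0.0 to 2.0.0"

  git -C "$repo" checkout -q feature/login
  git -C "$repo" checkout -q -b dependabot/nuget/AA.CC-2.0.0
  printf '<PackageReference Include="AA.CC" Version="2.0.0" />\n' >> "$repo/app.csproj"
  git -C "$repo" add -A
  git -C "$repo" -c user.name='dependabot[bot]' -c user.email='dependabot@example.invalid' \
    commit -q -m "Bump AA.CC from 1.0.0 to 2.0.0"

  git -C "$repo" checkout -q main
  printf '%s\n' "$repo"
}

# fork_point REPO BRANCH BASE: the commit the PR branch was cut from.
fork_point() {
  git -C "$1" merge-base "$3" "$2"
}

# foreign_commits REPO BRANCH BASE: commits reachable from BRANCH but not
# from BASE that were not authored by dependabot. Empty output = clean PR.
foreign_commits() {
  git -C "$1" log --format='%h %an: %s' "$3..$2" \
    | grep -v '^[0-9a-f]* dependabot\[bot\]:' || true
}

# count_foreign_commits REPO BRANCH BASE: the same, as a number.
count_foreign_commits() {
  foreign_commits "$1" "$2" "$3" | grep -c . || true
}

# show_history REPO: the branch/commit graph to attach to a bug report.
show_history() {
  git -C "$1" log --graph --oneline --decorate --all
}

repo=$(make_demo_repo)
show_history "$repo"
for br in dependabot/nuget/AA.BB-2.0.0 dependabot/nuget/AA.CC-2.0.0; do
  printf '\n%s forks from main at %s; foreign commits: %s\n' \
    "$br" "$(fork_point "$repo" "$br" main | cut -c1-7)" \
    "$(count_foreign_commits "$repo" "$br" main)"
  foreign_commits "$repo" "$br" main
done
rm -rf "$repo"
```

Note that `git merge-base` reports the same commit (the tip of main) for both Dependabot branches, because the unmerged feature commit sits between main and the bump on the second branch; the signal that distinguishes the two is the list of non-Dependabot commits in `main..<branch>`. Running `foreign_commits` against a real PR's source branch tells you which commits were carried along, not why they are there.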

ahmetgul93 commented 3 weeks ago

Thanks for response!

The things in the red rectangle are from developers' commits in another branch; however, Dependabot added these commits to its own branch. In other words, it takes other developers' commits into its own branch. I wanted it to create a new PR with its own commit. However, it copies developer commits to the PR as well. Dependabot's PR should be independent of developer commits.

[image attachment]

I also tried your suggestions. I removed useUpdateScriptvNext from the previous version 1 implementation and also filtered out the second nuget updater. But the result is the same. And I also want to have these 2 nuget updaters.

My latest config that I tried:

version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    key: "aaaa"
    url: "xxxxx"
    token: PAT:${{ TOKEN}}
updates:
  - package-ecosystem: "nuget"
    directories: [ '/aa/bb/*' ]
    allow:
      - dependency-name: "AA.BB"
      - dependency-name: "XX.ZZ"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    commit-message:
      prefix: "test"
    open-pull-requests-limit: 3

Azure DevOps pipeline (I use version 2):

stages:
  - stage: DependencyChecking
    jobs:
      - job: Dependabot
        displayName: 'Dependabot'
        steps:
          - task: dependabot@2
            displayName: 'Dependabot'
            env:
              TOKEN: $(System.AccessToken)

I have also tried with rebase-strategy: "disabled". It didn't work as I expected.

ahmetgul93 commented 3 weeks ago

Any update about this? Thanks!

caglanurcetinn commented 1 week ago

Hey, I also have the same issue; have you managed to solve it? @ahmetgul93

ahmetgul93 commented 1 week ago

@caglanurcetinn Couldn't handle it yet, unfortunately.

caglanurcetinn commented 1 week ago

@rhyskoedijk Did you have any chance to check this?

rhyskoedijk commented 5 days ago

@ahmetgul93 @caglanurcetinn I haven't got around to this yet, but hope to spend some time on it in the next few days; I haven't forgotten about it though.

rhyskoedijk commented 2 hours ago

I suspect this is caused by an issue introduced in https://github.com/tinglesoftware/dependabot-azure-devops/pull/1382. Once https://github.com/tinglesoftware/dependabot-azure-devops/pull/1478 is merged, it would be good to re-test this to see if it fixes this issue too.