How to enable Dependabot for GitHub Actions' version updates
How to test in local dev environment
Clone the repo-tools repository locally.
Find the script edx_repo_tools/dependabot_yml.py to use. The script adds dependabot.yml in the .github folder if it is not already present. If the configuration file already exists but doesn't include the github-actions ecosystem, the script appends a new github-actions ecosystem to the configuration file.
To test it locally, the same repo-tools repository, which has a .github folder, can be used.
Activate the virtual environment of repo tools and install all dependencies.
Move to the root of the test repo in which the script needs to be run.
Then run the following command to test; it should add a new dependabot.yml:
python PATH_TO_REPO_TOOLS_DIR/edx_repo_tools/dependabot_yml.py
How to run it for bulk repositories using the bulk job workflow
Create a list of the repositories whose configuration needs to be updated to enable the dependabot checks.
Go to Bulk Job Workflow to run the above dependabot_yml script on your desired repositories.
Pass the list of repositories separated by commas, like “edx-platform”, “terraform”, etc.
Pass the following console command in the script field.
add_dependabot_ecosystem
Pass edx-repo-tools in the parameters as the required package to be installed.
To add a new reviewer field in the dependabot github-actions ecosystem, pass the following console command instead. It will add a new reviewer section in the config and override any existing reviewer if one is already present. (The reviewer can be any valid name of a GitHub user or the name of a team; a team name should be in the format org-name/team-name, for example openedx/arbi-bom.)
add_dependabot_ecosystem --reviewer "openedx/arbi-bom"
Now triggering the job will run that script for all mentioned repositories one by one and create separate PRs for each repository.
See the following screenshot for an example run of the bulk job.
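The add-or-append behaviour described for dependabot_yml.py and the override behaviour of --reviewer, sketched as an added example (this is not the repo-tools script's own code). It works on the already-parsed content of .github/dependabot.yml; the function name ensure_github_actions, the directory "/" and the weekly schedule are assumptions.

```python
import copy

ECOSYSTEM = "github-actions"


def ensure_github_actions(config=None, reviewer=None, interval="weekly"):
    """Return a copy of the config that contains a github-actions update entry.

    config   -- parsed content of .github/dependabot.yml, or None if the file is absent
    reviewer -- optional GitHub user or org-name/team-name; replaces existing reviewers
    interval -- schedule for a newly created entry (assumed default, not from the page)
    """
    if reviewer is not None and (not reviewer.strip() or reviewer.count("/") > 1):
        raise ValueError("reviewer must be a user name or org-name/team-name")

    # Work on a copy so the caller can diff old against new before writing the file.
    result = copy.deepcopy(config) if config else {"version": 2, "updates": []}
    updates = result.get("updates") or []
    result["updates"] = updates

    entry = next((u for u in updates if u.get("package-ecosystem") == ECOSYSTEM), None)
    if entry is None:
        # File missing, or present without the ecosystem: append, leave other entries alone.
        entry = {
            "package-ecosystem": ECOSYSTEM,
            "directory": "/",
            "schedule": {"interval": interval},
        }
        updates.append(entry)

    if reviewer is not None:
        entry["reviewers"] = [reviewer]  # override, as the page describes for --reviewer
    return result


# Constructed sample: a repository that so far only tracks pip dependencies.
existing = {
    "version": 2,
    "updates": [{"package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "daily"}}],
}

if __name__ == "__main__":
    print(ensure_github_actions(None))
    print(ensure_github_actions(existing, reviewer="openedx/arbi-bom"))
```

Running the function a second time on its own output changes nothing, which is the property to check before triggering the bulk job against repositories that may already carry the entry.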