Support multiple lock files for Bundler #2106

Closed
paulsturgess opened this issue Sep 25, 2019 · 13 comments

@paulsturgess

The BootBoot gem makes it very easy to run tests against future versions of Rails.

When running bundle install it produces a Gemfile_next.lock alongside the usual Gemfile.lock. At the moment Dependabot only checks in the Gemfile.lock and I guess it ignores the Gemfile_next.lock as this is a non-standard file. The result is that an error is raised when the CI attempts to run bundler before running the tests.

Here's an example of the error output:

```
Using bundler 2.0.2
Installed plugin bootboot

You are trying to install in deployment mode after changing
your Gemfile. Run `bundle install` elsewhere and add the
updated Gemfile_next.lock to version control.

The dependencies in your gemfile changed
You have added to the Gemfile:
* activeadmin (~> 2.3.1)
You have deleted from the Gemfile:
* activeadmin (~> 2.2.0)

The command "eval bundle install --jobs=3 --retry=3 --deployment --path=${BUNDLE_PATH:-vendor/bundle} " failed.
```

It would be great if there was some way to specify any custom lock files (or maybe just any non-standard output) that should be committed by Dependabot. Does this sound like a sane idea?

@feelepxyz
Contributor

@paulsturgess thanks for your suggestion! We don't currently support this filename but sounds like we should support Gemfile* and Gemfile*.lock glob pattern when fetching these files.

We currently have the next six months planned out scaling Dependabot at GitHub so unfortunately don't have capacity to take on any new features while we complete this roll out.

@paulsturgess
Author

OK cool thanks for the response. If I was to open a PR would you consider it? I'm not exactly sure where I'd go to do that, if you have any pointers on accepting contributions please let me know!

@feelepxyz
Contributor

@paulsturgess for sure happy to review any PR! 😍 You'd want to start here to support fetching multiple Gemfiles and Gemfile.locks:

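```ruby
# Fetches gems.rb if present, otherwise Gemfile
def gemfile
  @gemfile ||= fetch_file_if_present("gems.rb") ||
               fetch_file_if_present("Gemfile")
end

# Fetches gems.locked if present, otherwise Gemfile.lock
def lockfile
  @lockfile ||= fetch_file_if_present("gems.locked") ||
                fetch_file_if_present("Gemfile.lock")
end
```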
(similar to how we fetch multiple gemspecs).

I'm not sure how much would break if we started fetching multiple Gemfiles but shouldn't be too crazy as we do similar things for other package managers, e.g. Python: https://github.com/dependabot/dependabot-core/blob/master/python/lib/dependabot/python/file_fetcher.rb#L39

@eliotsykes

eliotsykes commented Oct 15, 2019

Is there an existing way to support multiple Gemfiles with dependabot? For example, if each Gemfile/.lock was put in a different directory with the standard Gemfile and Gemfile.lock file names, would dependabot's directory config option support this?

```
app/
  - Gemfile
  - Gemfile.lock

  # Separate app/gemfile_next/ directory
  # to hold other Gemfile and Gemfile.lock
  - gemfile_next/
    - Gemfile
    - Gemfile.lock
```

@feelepxyz
Contributor

> Is there an existing way to support multiple Gemfiles with dependabot? For example, if each Gemfile/.lock was put in a different directory with the standard Gemfile and Gemfile.lock file names, would dependabot's directory config option support this?

@eliotsykes yep this would work!

paulsturgess referenced this issue in paulsturgess/dependabot-core Nov 19, 2019
The BootBoot gem makes it very easy to run tests against
future versions of Rails.

When running bundle install it produces a Gemfile_next.lock
alongside the usual Gemfile.lock. At the moment Dependabot
only fetches the standard Gemfile.lock

This commit enables the Bundler::FileFetcher to fetch
all Gemfile.lock files and all Gemfile versions.

https://github.com/dependabot/feedback/issues/689

@JacobEvelyn

> Is there an existing way to support multiple Gemfiles with dependabot? ...

> yep this would work!

@feelepxyz this isn't working for me. I made a test repo with two Gemfiles (one in the root and one in the .overcommit directory), and set them both in the directory config option in .dependabot/config.yml and I get this Dependabot error:

```
The property '#/update_configs/0/directory' of type array did not match the following type: string
```

It seems only one directory can be used? Or am I missing something?

@feelepxyz
Contributor

@JacobEvelyn you'll need to create a new update config entry for each directory:

```yaml
version: 1
update_configs:
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "live"
  - package_manager: "ruby:bundler"
    directory: "/.overcommit"
    update_schedule: "live"
```

@JacobEvelyn

Ah perfect, looks like that works!

infin8x transferred this issue from dependabot/feedback Jun 29, 2020

@infin8x
Contributor

infin8x commented Jul 20, 2020

Looks like you've got this working via multiple update_configs, so closing for now.

infin8x closed this as completed Jul 20, 2020

@ashkulz

ashkulz commented Oct 30, 2020

@infin8x it doesn't work for us, see my latest comment in #2231

@davidwessman

I solved this problem by adding a GitHub Action workflow which updates Gemfile.next.lock every time Dependabot updates Gemfile.lock. It does not have as nice update logic as Dependabot but helps keep the Gemfile.next deployable!

I wrote it up in a blog post:
https://wessman.co/rails-dual-boot-with-dependabot
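
A CI-side check for the drift this thread is about, added here as an example (it is not part of the thread, and is not Dependabot, BootBoot or blog-post code): it compares the resolved versions in two lockfiles and reports gems that the secondary lockfile still pins lower than the primary one, which is what happens when only Gemfile.lock receives an update. The function names and the `intentional` allow-list are hypothetical, and the sample lockfiles are constructed; only the activeadmin versions are taken from the error output at the top of the issue.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# Resolved specs in a Bundler lockfile sit at exactly four spaces of indent,
# e.g. "    activeadmin (2.3.1)"; their own dependencies are indented further.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/)
    next unless m
    # Drop a platform suffix such as "-x86_64-linux" before comparing.
    specs[m[1]] = Gem::Version.new(m[2][/\A[^-]+/])
  end
end

# Gems pinned lower in the secondary lockfile than in the primary one.
# `intentional` (hypothetical allow-list) names gems held back on purpose.
def stale_pins(primary_text, secondary_text, intentional: [])
  primary = locked_versions(primary_text)
  locked_versions(secondary_text).each_with_object([]) do |(name, version), stale|
    newer = primary[name]
    next if newer.nil? || intentional.include?(name) || version >= newer
    stale << { gem: name, secondary: version.to_s, primary: newer.to_s }
  end
end

# Constructed sample lockfiles: activeadmin was bumped in Gemfile.lock only.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activeadmin (2.3.1)
        arbre (>= 1.1.1)
      arbre (1.2.1)
      rails (5.2.3)
LOCK

GEMFILE_NEXT_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activeadmin (2.2.0)
        arbre (>= 1.1.1)
      arbre (1.2.1)
      rails (6.0.0)
LOCK

if $PROGRAM_NAME == __FILE__
  stale_pins(GEMFILE_LOCK, GEMFILE_NEXT_LOCK).each do |s|
    puts "#{s[:gem]}: Gemfile_next.lock #{s[:secondary]} < Gemfile.lock #{s[:primary]}"
  end
end
```

Failing the build when `stale_pins` returns anything keeps a security bump applied to Gemfile.lock from silently leaving the older version pinned in the second lockfile.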

@davidwessman

davidwessman commented Mar 11, 2021

@infin8x Can we open up this issue again?
Now my solution and my tests fail since the change to only read-permissions from the 1st of March.
https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

Or should I create a new PR issue?

@infin8x
Contributor

infin8x commented Mar 11, 2021

Unfortunately I'm not on the Dependabot team anymore. @hmarr or @feelepxyz may be able to get you in the right direction.
