
Allow array in target-branch #2511

Open
skjnldsv opened this issue Sep 8, 2020 · 9 comments
Labels
F: configuration-file Keep Exempt this from being marked by stalebot T: feature-request Requests for new features

Comments

@skjnldsv

skjnldsv commented Sep 8, 2020

That would prevent us from having lots of duplicate configs

```yaml
- package-ecosystem: npm
  directory: "/"
  schedule:
    interval: weekly
    day: saturday
    time: "03:00"
    timezone: Europe/Paris
  target-branch:
    - stable19
    - stable18
    - stable17
  labels:
    - "3. to review"
    - "feature: dependencies"
```
@jkonecny12

jkonecny12 commented May 12, 2021

That would be a great help especially for github-actions ecosystem. Without that, you cover only the main branch which doesn't help much because you are still using the outdated GitHub action versions in the other branches.

@Y-LyN-10

Y-LyN-10 commented Jun 17, 2021

We are supporting multiple release lines for our package and it would be great to configure Dependabot to open PRs into each of these major branches (and checkout from the same branches).

@jablko

jablko commented Jul 31, 2021

I wish it supported glob patterns, like Actions workflow on.<push|pull_request>.<branches|tags>, e.g.

```yaml
on:
  push:
    branches:
      - releases/**
```

@Hackwar

Hackwar commented Apr 23, 2022

This would be of great benefit for us as well. The Joomla project has somewhere around 200 repos, a large part of which have branches for 2 major development lines, each with its own dependencies. The limitation of only being able to check one branch's dependencies is the reason we currently aren't using it. Especially since it seems the feature to support more than one branch was already part of dependabot before it was acquired by GitHub. It would be really awesome for us if this would be adopted again.

@kaptcha0

Any update on feature?

@mildred

mildred commented Jun 27, 2022

I believe the original issue does not correctly describe the problem. target-branch is the branch pull requests are made against; it's not the branch that is watched for its dependencies. The branch watched is the default branch configured in GitHub, which also serves as the default branch to pull request against.

Instead, I believe the author wants to have a configurable watch-branch possibly watching multiple branches.

I'd need that feature too. Currently, I set the default branch to the production branch in GitHub, but the problem is that by default pull requests are created against production and not against develop, which is very annoying and might make us merge things into production instead of develop.

@skjnldsv
Author

skjnldsv commented Jun 28, 2022

@mildred Not really https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch

By default, Dependabot checks for manifest files on the default branch and raises pull requests for version updates against this branch. Use target-branch to specify a different branch for manifest files and for pull requests. When you use this option, the settings for this package manager will no longer affect any pull requests raised for security updates.

target-branch is for both the manifest files and the pull request

@noorul
Contributor

noorul commented Jul 6, 2022

Is the target branch specific to GitHub dependabot? I was wondering how one can configure this as part of dependabot-core?

@nyetwurk

nyetwurk commented Nov 6, 2022

Any progress on this?

ghost pushed a commit to camunda/camunda that referenced this issue Feb 13, 2023
11563: chore(dependabot): patch dependency updates for stable branches r=megglos a=megglos

## Description

This automates dependency updates for stable branches with dependabot, by only allowing PRs to be created for patch updates.

It's unfortunate that dependabot does not yet support patterns and/or multiple target-branches, see this issue dependabot/dependabot-core#2511. Thus we have to duplicate the config for every supported stable branch in the meantime.

This would thus require a follow-up to be reflected in the release process for minor releases (add new config, remove out of support branches).

Still I think it's worth the effort right now to automate eliminating vulnerabilities for which patched versions already exist. Ultimately preventing support effort caused by customers performing vulnerability analytics and raising issues like SEC-238.

## Related issues

relates to #10553

Co-authored-by: Meggle (Sebastian Bathke) <[email protected]>
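Because target-branch accepts only a single string (the docs quoted earlier in the thread), the workaround this commit describes is one `updates` entry per supported branch, plus a manual follow-up whenever a branch enters or leaves support. The script below is an added example, not code from this thread, from camunda or from dependabot-core: it generates that duplicated dependabot.yml from a single branch list and refuses the array form, so retiring a branch is a one-line change. The branch names, schedule and labels are constructed sample values borrowed from the proposal at the top of the issue; the tiny YAML emitter is an assumption made to avoid a PyYAML dependency.

```python
"""Generate a dependabot.yml that covers several release branches.

Dependabot's target-branch takes a single string, so covering N branches means
N near-identical `updates` entries. Building them from one branch list makes
adding or retiring a supported branch a one-line change instead of a copy-paste.
"""
from typing import Any, Dict, List

# Constructed sample inputs (branch names, schedule and labels are assumptions
# taken from the proposal at the top of this thread, not a real project config).
SUPPORTED_BRANCHES = ["stable19", "stable18", "stable17"]
SHARED_SETTINGS: Dict[str, Any] = {
    "package-ecosystem": "npm",
    "directory": "/",
    "schedule": {
        "interval": "weekly",
        "day": "saturday",
        "time": "03:00",  # kept as a string: an unquoted 03:00 is not a YAML string
        "timezone": "Europe/Paris",
    },
    "labels": ["3. to review", "feature: dependencies"],
}


def build_updates(branches: List[str], shared: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one `updates` entry per branch, each with a plain-string target-branch."""
    entries = []
    for branch in branches:
        if not isinstance(branch, str) or not branch:
            raise ValueError(f"branch name must be a non-empty string, got {branch!r}")
        entry = dict(shared)  # shallow copy: nested schedule/labels are shared, never mutated
        entry["target-branch"] = branch
        entries.append(entry)
    return entries


def has_array_target_branch(entries: List[Dict[str, Any]]) -> bool:
    """True if any entry uses the list form this issue asks for, which Dependabot rejects."""
    return any(isinstance(e.get("target-branch"), list) for e in entries)


def _scalar(value: Any) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    # Double-quote every string so "/", "03:00" and "3. to review" stay literal strings.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def _render(value: Any, indent: int) -> List[str]:
    """Minimal YAML emitter for the flat dependabot.yml shape (no PyYAML needed)."""
    pad = " " * indent
    lines: List[str] = []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(_render(val, indent + 2))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    elif isinstance(value, list):
        for item in value:
            if isinstance(item, dict):
                inner = _render(item, indent + 2)
                if not inner:
                    continue
                lines.append(f"{pad}- {inner[0].lstrip()}")  # first key shares the "- " line
                lines.extend(inner[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render_dependabot_yml(entries: List[Dict[str, Any]]) -> str:
    """Serialize the entries as a complete dependabot.yml (version 2 schema)."""
    if has_array_target_branch(entries):
        raise ValueError("target-branch must be a single string per updates entry")
    return "\n".join(["version: 2", "updates:"] + _render(entries, 2)) + "\n"


if __name__ == "__main__":
    print(render_dependabot_yml(build_updates(SUPPORTED_BRANCHES, SHARED_SETTINGS)), end="")
```

Run it and redirect the output to `.github/dependabot.yml`; when a stable branch goes out of support, remove it from `SUPPORTED_BRANCHES` and regenerate, which is the follow-up step the commit message above has to do by hand. Every string is emitted double-quoted on purpose: values such as `03:00` or `/` are only unambiguous YAML strings when quoted.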
svyatonik added a commit to paritytech/parity-bridges-common that referenced this issue Aug 23, 2023
svyatonik added a commit to paritytech/parity-bridges-common that referenced this issue Sep 5, 2023
* check if dependabot allows multiple "target-branch" values

* no, target-branch can't be array (dependabot/dependabot-core#2159 and dependabot/dependabot-core#2511) - let's try duplication
chenbh added a commit to buildpacks-community/kpack that referenced this issue Nov 22, 2023
annoying that they currently don't support glob patterns or arrays
(dependabot/dependabot-core#2511)

Signed-off-by: Bohan Chen <[email protected]>
@jonjanego jonjanego added the Keep Exempt this from being marked by stalebot label May 2, 2024
bkontur pushed a commit to paritytech/parity-bridges-common that referenced this issue May 7, 2024
* check if dependabot allows multiple "target-branch" values

* no, target-branch can't be array (dependabot/dependabot-core#2159 and dependabot/dependabot-core#2511) - let's try duplication
12 participants