Support multiple gemfiles #375

Closed
greysteil opened this issue Apr 27, 2018 · 14 comments

Comments

@greysteil
Contributor

From @deivid-rodriguez on November 19, 2017 18:44

Some projects use multiple gemfiles. The main use case I know for this is to be able to test libraries against different major versions of dependencies.

Does dependabot support this kind of setup?

Copied from original issue: dependabot/feedback#51

@greysteil
Contributor Author

Slightly absurdly, the answer is "yes on the backend, no on the frontend". We've never figured out a good way to display information about which directory (or files) within a project an update setup is targeting, so while the backend supports having multiple update setups of the same language for the same project, there's no way to add them in the frontend.

If you've got a particular repo in mind, let me know and I'll take a look at whether I can get things set up manually on our side.

@greysteil
Contributor Author

From @deivid-rodriguez on November 21, 2017 0:5

> Slightly absurdly, the answer is "yes on the backend, no on the frontend". We've never figured out a good way to display information about which directory (or files) within a project an update setup is targeting, so while the backend supports having multiple update setups of the same language for the same project, there's no way to add them in the frontend.

I think mentioning the specific gemfile being updated in the description & body of PR's could be enough? Like "Bump <gem_name> from <old_version> to <new_version> in <path_to_gemfile>"?

> If you've got a particular repo in mind, let me know and I'll take a look at whether I can get things set up manually on our side.

Yes, this one: https://github.com/activeadmin/activeadmin!

Dependabot would need to open PR's to keep the gemfiles/rails_{42,50,21}.gemfile up to date automatically. We're not currently committing the lock files to version control, but I think we can change that if we can get our dependencies handled automatically in exchange :)

@greysteil
Contributor Author

OK, that links in with the work I'm doing on https://github.com/dependabot/feedback/issues/27 and #135 - will take a few days but I'll have something for you relatively soon. And I'd love to have Dependabot running on https://github.com/activeadmin/activeadmin so doubly motivated to get it done!

@greysteil
Contributor Author

From @deivid-rodriguez on November 21, 2017 0:17

Thanks @greysteil, let me know if you need anything from our side! ❤️

@greysteil
Contributor Author

@deivid-rodriguez - I've been thinking about this one for a bit:

  • I don't yet have a good solution for Dependabot updating each of the gemfiles/rails_{42,50,21}.gemfile files. Fundamentally, the problem is that Dependabot doesn't have a way of saying "only update the dependency within this range", which is what you'd want for those. I feel like a good solution is tantalisingly close, but I'm not making much progress on it.
  • In the meantime, I do have a solution for running Dependabot on repos like this in general. I've just pushed this change that means Dependabot could run on the activeadmin gemspec and the Gemfile imported by each of gemfiles/rails_{42,50,21}.gemfile without any bother. That would mean you'll get a PR from Dependabot if/when the requirements in the gemspec don't allow the latest version of a sub-dependency, which should be handy when Rails 5.2 is released, for example.

@greysteil
Contributor Author

From @deivid-rodriguez on November 30, 2017 14:54

👋 @greysteil!

So if I'm understanding this right, connecting @dependabot at this point would mean getting automatic updates for Gemfile and activeadmin.gemspec, but not yet for gemfiles/rails_{42,50,51}, right? If so, sounds like a start! :)

@greysteil
Contributor Author

Yep, that's exactly right 🙂

@greysteil
Contributor Author

From @deivid-rodriguez on November 30, 2017 15:1

Nice! I'll propose it to the team then. Definitely a 👍 from me! :)

@greysteil
Contributor Author

From @deivid-rodriguez on January 25, 2018 1:2

@greysteil Sorry I never updated this. The other activeadmin collaborators (who are more actively collaborating than me) had no interest in adding this, so that's why we didn't add it.

Hopefully the changes you added will be useful to other projects, and I'll be able to convince AA folks one day :)

@greysteil
Contributor Author

No worries - it was useful feedback regardless!

@deivid-rodriguez
Contributor

deivid-rodriguez commented Nov 16, 2018

@greysteil I'm reconsidering this again, and I'm thinking... Since you can currently choose the root folder for your repo... Maybe having a structure like this and having separate checks with a different root for each Gemfile would work?

gemfiles/
  rails50/
    Gemfile
    Gemfile.lock
  rails51/
    Gemfile
    Gemfile.lock

@deivid-rodriguez
Contributor

Tried the idea on my activeadmin fork. It kind of worked, but since the Gemfile.common file is shared between all gemfiles, PRs bumping dependencies on that file for a specific gemfile will get it out of sync with the other gemfiles. I guess we could remove the Gemfile.common file and repeat all common dependencies on every gemfile.

hallelujah added a commit to 3scale/porta that referenced this issue Dec 19, 2018
* Allow dependabot to look for prod/Gemfile
  See dependabot/dependabot-core#375
* Allow testing rails upgrade with working installation

@jhirbour

jhirbour commented Jul 7, 2020

Have there been updates on this? I have a gem with multiple Gemfiles that I'm trying to set up on GH.

I've set up the Gemfiles like this in the repo, but haven't been able to get dependabot to scan them all.

╰ $ cat Gemfile
source 'https://rubygems.org'

gem 'rails', '~> 5.2.0'

require_relative 'gemfiles/common_gems'

# this is defined in common_gems.rb
# def source_common_gems!
#   source 'https://rubygems.myorg.org/private' do
#     gem 'foo'
#   end
# end

source_common_gems!

gemspec
$ ls gemfiles*
common_gems.rb    rails-5-0.gemfile rails-5-1.gemfile rails-5-2.gemfile rails-6-0.gemfile

@deivid-rodriguez
Contributor

We ended up going with the solution I proposed earlier for activeadmin, and it has worked fine for us since our dependencies are essentially automanaged now. It's quite noisy though, it'd be good to group the updates of the same dependency across multiple gemfiles together. But it works for me!
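
The drift described in the comments above (a shared `Gemfile.common` bumped for one gemfile but not the others, and the same dependency updated separately per directory) can be checked with a short script. This is an added example, not part of the thread or of Dependabot's code: it assumes the `gemfiles/railsNN/Gemfile.lock` layout proposed earlier, the function names are hypothetical, and the sample files and versions are constructed.

```ruby
# Added example. Simplified lockfile reading: Bundler writes resolved gems as
# "    name (version)" (four spaces) under "specs:"; their dependencies are
# indented six spaces and are skipped here.
SPEC_LINE = /\A {4}([^\s(]+) \(([^)]+)\)\z/
GEM_LINE  = /\A\s*gem\s+["']([^"']+)["']/

# Names declared with `gem "..."` in a shared Gemfile fragment.
def declared_gems(gemfile_text)
  gemfile_text.each_line.map { |line| line[GEM_LINE, 1] }.compact
end

# { "gem name" => "locked version" } for one Gemfile.lock.
def locked_versions(lockfile_text)
  lockfile_text.each_line(chomp: true).map do |line|
    m = SPEC_LINE.match(line)
    [m[1], m[2]] if m
  end.compact.to_h
end

# For each shared gem, the per-directory versions when they disagree.
def drift(shared_gemfile, lockfiles)
  locked = lockfiles.transform_values { |text| locked_versions(text) }
  declared_gems(shared_gemfile).each_with_object({}) do |name, report|
    versions = locked.transform_values { |specs| specs[name] }
    report[name] = versions if versions.values.uniq.size > 1
  end
end

# Constructed sample data: rubocop was bumped in gemfiles/rails51 only.
COMMON = <<~GEMFILE
  gem "rake"
  # gem "pry"
  gem 'rubocop', require: false
GEMFILE

def sample_lock(rubocop_version)
  <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        rake (12.3.1)
        rubocop (#{rubocop_version})
          parser (>= 2.5)
  LOCK
end

SAMPLE_LOCKS = { "gemfiles/rails50" => sample_lock("0.60.0"),
                 "gemfiles/rails51" => sample_lock("0.61.1") }
drift(COMMON, SAMPLE_LOCKS).each { |name, v| puts "#{name}: #{v}" }
```

Run against real lockfiles by passing `File.read` results instead of the sample strings; a gem missing from one lockfile shows up with a `nil` version for that directory.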
