
Dependabot commit config include: "scope" output explainer #33996

Closed
1 task done
janbrasna opened this issue Jul 16, 2024 · 5 comments · Fixed by #34149
Labels
code security Content related to code security content This issue or pull request belongs to the Docs Content team help wanted Anyone is welcome to open a pull request to fix this issue SME reviewed An SME has reviewed this issue/PR

Comments

@janbrasna
Contributor

Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#commit-message

What part(s) of the article would you like to see updated?

include: "scope" specifies that any prefix is followed by a list of the dependencies updated in the commit.

There's no description anywhere of what this "list of the dependencies updated" is, see #18302 (comment) — only with trial & error or by checking the source at https://github.com/dependabot/dependabot-core/blob/3147bb1cd5ea7b5dd3835f0758e42e229ecf8245/common/lib/dependabot/pull_request_creator/pr_name_prefixer.rb#L164-L166:

      # Scope string appended to the prefix (pr_name_prefixer.rb):
      # "deps" if any updated dependency is a production one, else "deps-dev".
      def scope
        dependencies.any?(&:production?) ? "deps" : "deps-dev"
      end

it's obvious it's only one of these two hard-coded strings (probably chosen from some angular1/2 habits of conventional commits, where maybe these exact "token" values have a meaning?), but it's not explained in the docs that these would be the only strings added.

Additional information

My additional issue would be that pip is being mentioned as supporting scopes, so somehow Dependabot should be able to select prod vs. dev scopes, but I wasn't able to find out how (as the requirements txt/in files can be named pretty arbitrarily…)
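To make the behaviour concrete, here is a small Ruby model added for this issue (not dependabot-core's own code) that combines the quoted scope rule with the `prefix`, `prefix-development` and `include: "scope"` keys of the `commit-message` block; the exact `prefix(scope): ` joining and the rule that `prefix-development` applies only to dev-only update sets are assumptions about Dependabot's behaviour.

```ruby
# Added example for this issue; a simplified model, not dependabot-core's code.
# Assumptions: `commit-message` in dependabot.yml carries `prefix`,
# `prefix-development` and `include: "scope"`; the scope rule is the quoted
# method; prefix and scope are joined as "prefix(scope): " (assumed format).
Dependency = Struct.new(:name, :production, :from, :to) do
  def production?
    production
  end
end

# The only two possible scope strings, as in pr_name_prefixer.rb.
def scope(dependencies)
  dependencies.any?(&:production?) ? "deps" : "deps-dev"
end

# Assumed: prefix-development applies only when every updated dep is dev-only.
def prefix_for(commit_message, dependencies)
  if dependencies.any?(&:production?)
    commit_message["prefix"]
  else
    commit_message["prefix-development"] || commit_message["prefix"]
  end
end

# Builds the commit title from a `commit-message` Hash (mirroring
# dependabot.yml) and the list of dependencies updated in the commit.
def commit_title(commit_message, dependencies)
  summary = "bump " + dependencies.map { |d| "#{d.name} from #{d.from} to #{d.to}" }.join(" and ")
  prefix = prefix_for(commit_message, dependencies)
  return summary.sub(/\A./, &:upcase) if prefix.nil? || prefix.empty?

  if commit_message["include"] == "scope"
    "#{prefix}(#{scope(dependencies)}): #{summary}"
  else
    "#{prefix}: #{summary}"
  end
end

# Constructed sample: an npm-style update set, where production? would come
# from whether the package sits in dependencies or devDependencies.
CONFIG = { "prefix" => "chore", "include" => "scope" }.freeze
LODASH = Dependency.new("lodash", true, "4.17.20", "4.17.21")
JEST = Dependency.new("jest", false, "29.0.0", "29.7.0")

if __FILE__ == $PROGRAM_NAME
  puts commit_title(CONFIG, [LODASH])        # production dep -> "(deps)"
  puts commit_title(CONFIG, [JEST])          # dev-only set   -> "(deps-dev)"
  puts commit_title(CONFIG, [LODASH, JEST])  # mixed set still -> "(deps)"
end
```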

@janbrasna janbrasna added the content This issue or pull request belongs to the Docs Content team label Jul 16, 2024
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jul 16, 2024
@nguyenalex836 nguyenalex836 added code security Content related to code security waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Jul 17, 2024
@nguyenalex836
Contributor

@janbrasna Thanks so much for opening an issue! I'll get this triaged for review ✨

@felicitymay felicitymay added needs SME This proposal needs review from a subject matter expert and removed waiting for review Issue/PR is waiting for a writer's review labels Jul 19, 2024
Contributor

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀


@nguyenalex836 nguyenalex836 added SME reviewed An SME has reviewed this issue/PR help wanted Anyone is welcome to open a pull request to fix this issue and removed needs SME This proposal needs review from a subject matter expert labels Jul 30, 2024
@nguyenalex836
Contributor

@janbrasna Thank you for your patience while our SME team reviewed!

it's obvious it's only one of these two hard-coded strings (probably chosen from some angular1/2 habits of conventional commits, where maybe these exact "token" values have a meaning?), but it's not explained in the docs that these would be the only strings added.

The team agreed with you here, and would welcome an update to the doc stating that the only two values possible are those listed in the code you referenced 💛

My additional issue would be that pip is being mentioned as supporting scopes, so somehow Dependabot should be able to select prod vs. dev scopes, but I wasn't able to find out how (as the requirements txt/in files can be named pretty arbitrarily…)

The team agrees with you here as well, stating that the confusion here is that pip is a package manager that doesn’t support dev dependencies; all dependencies are placed in a requirements.txt file. However, we refer to all Python package managers (pip-compile, poetry, pipenv) as pip. Some of those do support dev dependencies, so the example is understandably misleading.

We would welcome an update removing the mention of pip and instead referencing another ecosystem that always has dev dependency support (npm) 💛

I've added the help wanted label so that you, or anyone else, may submit a PR with these updates. Thank you!
