I think it's a bug with dependabot at github, so have raised it as
such with them.

From what I can tell the .github/dependabot.yml is the configuration
part but it also has an approval part to enable and disable under the
project's settings. Under my fork's settings, dependabot is disabled,
so it looks like this enable/disable doesn't actually do anything for
forks, and it's purely triggered by the presence of the configuration
file.

I've tried with some of the apps that integrate with github, which I
use for dependency management and automatic merging/rebasing. They
only activate on the fork once I explicitly approve them.

John


On Sat, 15 Aug 2020 at 04:21, Gary Gregory <[email protected]> wrote:
>
> Typo:  I think the way it works is that when you forked the Commons Lang
> repo, you *copied* the whole repo of course including its .github folder
> which means you therefore asked for the Dependabot to run since its
> configuration file is there.
>
> On Fri, Aug 14, 2020 at 11:19 PM Gary Gregory <[email protected]>
> wrote:
>
> > I think the way it works is that when you forked the Commons Lang repo,
> > you the whole repo of course including its .github folder which means you
> > therefore asked for the Dependabot to run since its configuration file is
> > there.
> >
> > Obviously if you do not want Dependabot to run, then just disable it
> > (remove the file)
> >
> > Gary
> >
> >
> > On Fri, Aug 14, 2020 at 7:56 PM John Patrick <[email protected]>
> > wrote:
> >
> >> Cheers for that Gilles,
> >> I read those emails as PRs raised at say
> >> https://github.com/apache/commons-lang and dependabot, which I
> >> understand.
> >> I'm talking about my fork for commons-lang at
> >> https://github.com/nhojpatrick/commons-lang.
> >>
> >> Dependabot appears to have been authorised against my fork without my
> >> approval?
> >>
> >> If I visit
> >> https://github.com/nhojpatrick/commons-lang/settings/security_analysis
> >> dependabot is showing as disabled, but it appears to be
> >> active.
> >>
> >> Hope that helps explain I'm talking about my fork
> >> (https://github.com/nhojpatrick/commons-lang) and my the forked
> >> (https://github.com/apache/commons-lang) project.
> >>
> >> As I say, I totally understand about getting emails regarding
> >> dependabot as it's been authorised on the
> >> https://github.com/apache/commons-lang project.
> >>
> >> John
> >>
> >>
> >> On Fri, 14 Aug 2020 at 23:54, Gilles Sadowski <[email protected]>
> >> wrote:
> >> >
> >> > Hi.
> >> >
> >> > On Sat, 15 Aug 2020 at 00:02, John Patrick <[email protected]> wrote:
> >> > >
> >> > > I've just noticed a load of pull requests that have been auto created
> >> > > by dependabot, for changes to be merged into my forked version of
> >> > > master.
> >> > >
> >> > > For commons-lang I've 20 PRs, commons-logging 10 PRs, I've not
> >> > > checked all the other commons forks I've got.
> >> > >
> >> > > They are getting automatically closed once I sync the commons fork
> >> > > into my forked repo.
> >> > >
> >> > > Has anyone else seen this issue?
> >> >
> >> > Oh, yes:
> >> > https://markmail.org/message/2vutc4p3b3eqv73f
> >> > https://markmail.org/message/6apxz6vrc75uq6ge
> >> >
> >> > Gilles
> >> >
> >> > >
> >> > > It seems to be a change that happened about 20 days ago, as that is
> >> > > when the first PR was raised.
> >> > >
> >> > > These changes also seem to be triggering cicd github actions, see
> >> > > https://github.com/nhojpatrick/commons-lang/runs/965399930?check_suite_focus=true .
> >> > >
> >> > > John
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: [email protected]
> >> > For additional commands, e-mail: [email protected]
> >> >
> >>