Re: Re: Dependabot-like solution for Apache projects
The Apache git repo must be mirrored from Apache to GitHub, for example https://github.com/apache/commons-io, then you add a .github folder and files (see above link).

Gary

On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney wrote:

> Thanks Gary and Sebb.
> How do I turn dependabot on? Last time I tried I was informed that due to
> the program requiring write permissions to the repository, it wasn’t
> possible…
> This policy must have changed…
> Thanks for any info.
> lewismc
>
> On 2021/08/29 14:42:00 Gary Gregory wrote:
> > Most of Apache Commons' components are happy users of Dependabot, which is
> > used on our GitHub mirrored repositories.
> >
> > Gary
> >
> >
> > On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney wrote:
> >
> > > Hi builds@,
> > > I was advised to ask my question here instead of general@incubator.
> > > Thanks for any feedback
> > >
> > > > I understand that we cannot use automated tooling, specifically Dependabot
> > > > (https://dependabot.com/) because it requests write access to the ASF
> > > > project source code.
> > > > I have found this functionality to be really useful and wondered if there
> > > > are any suggestions out there for automating the dependency management
> > > > workflow?
> > > > Thanks for any feedback.
> > > > lewismc
> > > --
> > > http://home.apache.org/~lewismc/
> > > http://people.apache.org/keys/committer/lewismc
Re: Dependabot-like solution for Apache projects
We still do not allow dependabot to write to repos. There is a way to receive the dependabot alerts via email, but no write access to the repo.

> On Aug 30, 2021, at 9:50 AM, Jarek Potiuk wrote:
>
> I believe that changed when GitHub bought dependabot and it became
> "embedded" in GitHub soon after: https://dependabot.com/blog/hello-github/
>
> J.
>
>
> On Mon, Aug 30, 2021 at 3:43 PM Lewis John McGibbney wrote:
>
>> Thanks Gary and Sebb.
>> How do I turn dependabot on? Last time I tried I was informed that due to
>> the program requiring write permissions to the repository, it wasn’t
>> possible…
>> This policy must have changed…
>> Thanks for any info.
>> lewismc
>>
>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>> Most of Apache Commons' components are happy users of Dependabot, which is
>>> used on our GitHub mirrored repositories.
>>>
>>> Gary
>>>
>>>
>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney wrote:
>>>
>>>> Hi builds@,
>>>> I was advised to ask my question here instead of general@incubator.
>>>> Thanks for any feedback
>>>>
>>>>> I understand that we cannot use automated tooling, specifically Dependabot
>>>>> (https://dependabot.com/) because it requests write access to the ASF
>>>>> project source code.
>>>>> I have found this functionality to be really useful and wondered if there
>>>>> are any suggestions out there for automating the dependency management
>>>>> workflow?
>>>>> Thanks for any feedback.
>>>>> lewismc
>>>> --
>>>> http://home.apache.org/~lewismc/
>>>> http://people.apache.org/keys/committer/lewismc
Re: Re: Dependabot-like solution for Apache projects
I believe that changed when GitHub bought dependabot and it became "embedded" in GitHub soon after: https://dependabot.com/blog/hello-github/

J.

On Mon, Aug 30, 2021 at 3:43 PM Lewis John McGibbney wrote:

> Thanks Gary and Sebb.
> How do I turn dependabot on? Last time I tried I was informed that due to
> the program requiring write permissions to the repository, it wasn’t
> possible…
> This policy must have changed…
> Thanks for any info.
> lewismc
>
> On 2021/08/29 14:42:00 Gary Gregory wrote:
> > Most of Apache Commons' components are happy users of Dependabot, which is
> > used on our GitHub mirrored repositories.
> >
> > Gary
> >
> >
> > On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney wrote:
> >
> > > Hi builds@,
> > > I was advised to ask my question here instead of general@incubator.
> > > Thanks for any feedback
> > >
> > > > I understand that we cannot use automated tooling, specifically Dependabot
> > > > (https://dependabot.com/) because it requests write access to the ASF
> > > > project source code.
> > > > I have found this functionality to be really useful and wondered if there
> > > > are any suggestions out there for automating the dependency management
> > > > workflow?
> > > > Thanks for any feedback.
> > > > lewismc
> > > --
> > > http://home.apache.org/~lewismc/
> > > http://people.apache.org/keys/committer/lewismc
Re: Re: Dependabot-like solution for Apache projects
Thanks Gary and Sebb.
How do I turn dependabot on? Last time I tried I was informed that due to the program requiring write permissions to the repository, it wasn’t possible…
This policy must have changed…
Thanks for any info.
lewismc

On 2021/08/29 14:42:00 Gary Gregory wrote:
> Most of Apache Commons' components are happy users of Dependabot, which is
> used on our GitHub mirrored repositories.
>
> Gary
>
>
> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney wrote:
>
> > Hi builds@,
> > I was advised to ask my question here instead of general@incubator.
> > Thanks for any feedback
> >
> > > I understand that we cannot use automated tooling, specifically Dependabot
> > > (https://dependabot.com/) because it requests write access to the ASF
> > > project source code.
> > > I have found this functionality to be really useful and wondered if there
> > > are any suggestions out there for automating the dependency management
> > > workflow?
> > > Thanks for any feedback.
> > > lewismc
> > --
> > http://home.apache.org/~lewismc/
> > http://people.apache.org/keys/committer/lewismc