We use dependabot-azure-devops by tinglesoftware to track updates of our dependencies and create pull requests automatically.
The Azure DevOps pipeline is rather straightforward:
```yaml
trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:
- task: dependabot@1
  displayName: 'Dependabot with default parameters'
```
And we have this dependabot.yml stored in .azuredevops\dependabot.yml
```yaml
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
registries:
  {feedname}:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/{confidential}/_packaging/{feedname}/nuget/v3/index.json
    token: PAT:${{ PatInternalFeed }}
updates:
  - package-ecosystem: "nuget"
    directories:
      - "/" # Location of package manifests
    registries:
      - {feedname}
    schedule:
      interval: "weekly"
      time: "02:00"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "dependabot"
      prefix-development: "dependabot"
      include: "scope-and-version"
      separator: "-"
    groups:
      shared:
        patterns:
          - "*"
```
My understanding of the dependabot-groups documentation is that currently all updates should be grouped together, regardless of the semantic version. Unfortunately, this configuration leads to multiple pull requests for each patch-version dependency. Am I missing something that needs to be configured differently for Dependabot on Azure DevOps? Also, the commit-message part of the configuration does not seem to have any effect on the created PRs.
I got it working thanks to the input from @Miao Tian-MSFT:
```yaml
- task: dependabot@1
  displayName: 'Run Dependabot'
  inputs:
    useUpdateScriptvNext: true # this line is needed for grouping
```
The solution was provided on the GitHub page of Dependabot for Azure DevOps.