Display release notes for private packages that are successfully upgraded by Dependabot #3053
Comments
|
I'm actually somewhat surprised that doesn't work, I'll look into why this doesn't work, and if it would be different for the GH native version of dependabot. cc @jasonrudolph would be nice if we support this when private registries land in the GH native version! |
|
@ntravis we just launched support for private registries in beta, would you ming adding the registries where those release notes are and see if it works? |
|
Hey guys, I'd like to share that we face this same problem at https://github.com/usabilla. As far as we debugged, both Let us know if there's something we can debug, or do, to help you with this issue. |
Changes since 7.7.4: https://github.com/npm/cli/blob/latest/CHANGELOG.md ## v7.10.0 (2021-04-15) ### FEATURES * [`f9b639eb6`](npm/cli@f9b639e) [#3052](npm/cli#3052) feat(bugs): fall back to email if provided ([@Yash-Singh1](https://github.com/Yash-Singh1)) * [`8c9e24778`](npm/cli@8c9e247) [#3055](npm/cli#3055) feat(version): add workspace support ([@wraithgar](https://github.com/wraithgar)) ### DEPENDENCIES * [`f1e6743a6`](npm/cli@f1e6743) `[email protected]` * feat(retrieve-tag): retrieve unannotated git tags * fix(retrieve-tag): use semver to look for semver * [`3b476a24c`](npm/cli@3b476a2) `@npmcl/[email protected]` * fix(git): do not use shell when calling git * [`dfcd0c1e2`](npm/cli@dfcd0c1) [#3069](npm/cli#3069) `[email protected]` ### DOCUMENTATION * [`90b61eda9`](npm/cli@90b61ed) [#3053](npm/cli#3053) fix(contributing.md): explicitely outline dep updates ([@darcyclarke](https://github.com/darcyclarke)) ## v7.9.0 (2021-04-08) ### FEATURES * [`1f3e88eba`](npm/cli@1f3e88e) [#3032](npm/cli#3032) feat(dist-tag): add workspace support ([@nlf](https://github.com/nlf)) * [`6e31df4e7`](npm/cli@6e31df4) [#3033](npm/cli#3033) feat(pack): add workspace support ([@wraithgar](https://github.com/wraithgar)) ### DEPENDENCIES * [`ba4f7fea8`](npm/cli@ba4f7fe) `[email protected]` ## v7.8.0 (2021-04-01) ### FEATURES * [`8bcc5d73f`](npm/cli@8bcc5d7) [#2972](npm/cli#2972) feat(workspaces): add repo and docs ([@wraithgar](https://github.com/wraithgar)) * [`ec520ce32`](npm/cli@ec520ce) [#2998](npm/cli#2998) feat(set-script): implement workspaces * [`32717a60e`](npm/cli@32717a6) [#3001](npm/cli#3001) feat(view): add workspace support ([@wraithgar](https://github.com/wraithgar)) * [`7b177e43f`](npm/cli@7b177e4) [#3014](npm/cli#3014) feat(config): add 'envExport' flag ([@isaacs](https://github.com/isaacs)) ### BUG FIXES * [`4c4252348`](npm/cli@4c42523) [#3016](npm/cli#3016) fix(usage): specify the key each time for multiples ([@isaacs](https://github.com/isaacs)) * [`9237d375b`](npm/cli@9237d37) [#3013](npm/cli#3013) fix(docs): add workspaces configuration ([@wraithgar](https://github.com/wraithgar)) * [`cb6eb0d20`](npm/cli@cb6eb0d) [#3015](npm/cli#3015) fix(ERESOLVE): better errors when current is missing ([@isaacs](https://github.com/isaacs)) ### DEPENDENCIES * [`61da39beb`](npm/cli@61da39b) `@npmcli/[email protected]` * feat(config): add support for envExport:false * [`fb095a708`](npm/cli@fb095a7) `@npmcli/[email protected]`: * [#2896](npm/cli#2896) Provide currentEdge in ERESOLVE if known, and address self-linking edge case. * Add/remove dependencies to/from workspaces when set, not root project * Only reify the portions of the dependency graph identified by the `workspace` configuration value. * Do not recursively `chown` the project root path. ## v7.7.6 (2021-03-29) ### BUG FIXES * [`9dd2ed518`](npm/cli@9dd2ed5) fix empty newline printed to stderr ([@ruyadorno](https://github.com/ruyadorno)) * [`9d391462a`](npm/cli@9d39146) [#2973](npm/cli#2973) fix spelling in workspaces.md file ([@sethomas](https://github.com/sethomas)) * [`4b100249a`](npm/cli@4b10024) [#2979](npm/cli#2979) change 'maxsockets' default value back to 15 ([@wallrat](https://github.com/wallrat)) ### DEPENDENCIES * [`a28f89572`](npm/cli@a28f895) `[email protected]` * fix reading `script-shell` config on `npm version` lifecycle scripts * [`03734c29e`](npm/cli@03734c2) `[email protected]` * fix packaging `bundledDependencies` * [`80ce2a019`](npm/cli@80ce2a0) `@npmcli/[email protected]` * fix error auditing package documents with missing dependencies ## v7.7.5 (2021-03-25) ### BUG FIXES * [`95ba87622`](npm/cli@95ba876) [#2949](npm/cli#2949) fix handling manual indexes in `npm help` ([@dmchurch](https://github.com/dmchurch)) * [`59cf37962`](npm/cli@59cf379) [#2958](npm/cli#2958) always set `npm.command` to canonical command name ([@isaacs](https://github.com/isaacs)) * [`1415b4bde`](npm/cli@1415b4b) [#2964](npm/cli#2964) fix(config): properly translate user-agent ([@wraithgar](https://github.com/wraithgar)) * [`59271936d`](npm/cli@5927193) [#2965](npm/cli#2965) fix(config): tie save-exact/save-prefix together ([@wraithgar](https://github.com/wraithgar)) ### TESTS * [`97b415287`](npm/cli@97b4152) [#2959](npm/cli#2959) add smoke tests ([@ruyadorno](https://github.com/ruyadorno))
|
Hey, looks like this one is fixed for now 🎉 This morning we received some internal updates for our packages, they contained the release notes 🙏🏻 (idk if this is per language, but if it is: PHP I'm talking about) |
|
@carusogabriel 🎉 this should work in github-native dependabot where we've made changes to how PR creation works with private registry credentials. There might be cases where we don't find the correct release notes but that should be per package. |
|
is there something additional that needs to be done to make this work? Updates as such work just fine for us, but we have also given access to private repositories explicitely as stated here just to be sure: However, we still do not see the same level of detail in our
Also note that the "See full diff in compare view" link only links to For comparison, this is the same library bump on the same repo that was done by
Also note that this is specifically for Ruby gems / Bundler, not sure if that makes a difference. Can someone please provide any pointers how to make the Github native |
|
I've gone through the process of directly giving dependabot access to python package repos in our org, but this doesn't seem like an easily sustainable option. Our PHP devs are creating new package repos every other day, so how are teams supposed to manage remembering to add that access every time? Will reply back here with results after a python package release happens. |
|
@ntravis any luck? @asciimike could you take another look please? We continue to see that the same library that is being bumped with dependabot and doesn't generate a proper PR description and in parallel dependabot-preview creates the same bump on another repo that wasn't migrated to Github native dependabot and it generates the description properly. So we're pretty sure it's not about how we have set up the library. I suspect it has either something to do with the (Github native) Dependabot configuration or there's a bug somewhere still. Either way we can't figure out so far how to fix it. |
|
no luck on my end. here's an example: on my repo, billboard, I have a private dependency fool-auth. I know that they recently updated to version six and had previously allowed access to the fool-auth repo (even though I'm not sure it is required but the wording is a bit ambiguous). We typically only publish release notes on github and do not codify them into a file or put them up in our package manager at this time. The new PR on billboard does not display anything related to the release notes from Github:
|
|
@asciimike can we reopen this issue to continue tracking this here or should we create a separate issue? |
|
I work with @maciejmakowski - if it helps, here's an offending dependabot.yml version: 2
registries:
rubygems-server-gem-fury-io-company:
type: rubygems-server
url: https://gem.fury.io/company
token: "${{secrets.RUBYGEMS_SERVER_GEM_FURY_IO_COMPANY_TOKEN}}"
updates:
- package-ecosystem: bundler
directory: "/"
schedule:
interval: daily
time: "07:00"
timezone: America/Los_Angeles
pull-request-branch-name:
separator: "-"
open-pull-requests-limit: 10
versioning-strategy: lockfile-only
registries:
- rubygems-server-gem-fury-io-company |
|
@dudo @maciejmakowski thanks for the info, we're looking into it now! |
|
For Dependabot to be able to fetch the CHANGELOG / release notes contents, it needs to know the source repo that contains this, for Bundler it'll hit the gem server API or download the gemspec and grab the @maciejmakowski or @dudo since you mention this worked in preview, my best guess is that GH native dependabot does not have access to the repo. Alternatively, the gemspec might not include the required details? Could you check the logs for that update (they should be in @ntravis the same goes for python, could you verify that the response for |
|
@jurre thanks for the pointers. I double-checked the logs of the latest run for the repo and that specific dependency update and I don't see any issues to get the access to the gem information in gemfury (see config sample that @dudo shared above). The job id referenced in the logs I was looking at is: Our gemspec includes the Also, just to clarify: Our gems (coming from gemfury) are set up pretty consistently in terms of gem meta-information and we see issues with the PR description details on all of them when dependabot creates the PR and we seem to be fine when dependabot-preview creates them. Please let us know if you have any pointers for what to fix should this be a configuration issue on our end. |
|
@jurre did you have a chance to look into this by any chance? |
@jurre hmm, it doesn't look like Nexus Repository Manager exposes a JSON endpoint but neither does pypi from just copy-pasta attempt. Do you have an example from pypi that I could try to translate to Nexus? |
^ is still my best guess here, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-repositories If you could share the repo Dependabot is configured on and the repo of the dependency it's trying to update, that'd make it easier for me to check up on how it's set up. Feel free to go through support if these are sensitive. |
https://pypi.org/pypi/Django/json for example |
|
@jurre I have submitted a ticket for this. |
|
For Bundler, Hex and Python we don't yet support the private repository access feature: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#package-ecosystem In order to retrieve release notes from a private repo in those ecosystems you'll need to add a Then link it to any ecosystems that need access: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#registries |
|
@mctofu thank you for the additional information. Is there an ETA by when you will support it? We will try changing things according to the latest instructions and see whether this resolves the issue on a few selected repos. Doing it on all the repos will be significantly more work. As for instructions, I think it might be helpfu to emphasize this more in the PRs that Deploybot creates to migrate to from What's linked from there is the article and that does not seem to be directing people in the right direction either, as far as I understand. |
|
I don't generally like to give timelines (the ones we do give are on https://github.com/github/roadmap), but I'd put this in the "medium priority" camp: lower than the things directly referenced on the roadmap, but higher than most of the things labeled "feature request" in this repo. I'll see if there's a better way of clearing up confusion in the migration docs (e.g. pointing people to git registries vs repos). If things aren't working, feel free to re-open! |
|
I don't see NuGet (specifically GitHub Packages on a private org) mentioned in this thread. It seems to have the same problem: no release notes or commit log in PRs from Dependabot. I checked the following:
Which matches the following logic (I looked for the nuget equivalent of the dependabot-core/nuget/lib/dependabot/nuget/metadata_finder.rb Lines 19 to 22 in a35b58b Lastly, here's the Dependabot log if it helps (with Click to expandThe response of one of those ( |
|
@vweevers for debugging issues with private repo's and registries, it's usually easiest if you open a ticket via support, because that way we can reference the repo in question without worrying about exposing private data in a public forum. Based on what you described, my initial hunch would be that Dependabot has access to the private package, but not the private repository that backs it. So we are able to pull the latest version, but cannot access the repo to fetch metadata like release-notes from. I'd recommend try giving dependabot access to the repo (docs). If that doesn't work, would you mind opening an issue with GitHub Support so we can discuss it? |
|
I am facing the same issue mentioned here https://github.com/dhruv-test-org/test-app/pull/11 I created a test gem and repository so it's visible publicly, the gem is published on the github package registry if that makes a difference, though try as I might I cannot show the changelog nor the commit diff. I am using github native dependabot if that helps, would really appreciate some help figuring out how to fix this 😅 if it's possible. |
|
@dhruvCW did you give the user that the token |
|
It's my PAT so I do have read access, and Dependabot was given access via the org as well. The PAT had repo scope. For the metadata I have set the |
|
I think this should just be: That's what we have anyhow in all of our gems, and it appears to work fine. Disclaimer as well: We don't bother with Changelog. We purely rely on creating Github releases (which automatically also create tags) and those being parsed by Dependabot. |
I would love to do that too, I originally did set them up as you mentioned but it didn't seem to work, are you also using the github private registry ? or something else ? |
|
Yes, our Dependabot settings look pretty much the same as yours in terms of registries. |
|
Just created a new test gem (different name) same organisation. dependabot doesn't seem to even try and access the repository. the generated PR doesn't even matter if the gem repo is public or not. at this point I am extremely out of ideas. |
I did a search across issues and PRs looking for this sort of request (but I could have been using bad search terms). We use Dependabot to get notifications of both public and private packages, and it would be amazing if we could get the changelog feature that happens on public packages to work for our private ones. We typically publish release notes in a description on the particular release like so:
but then the resulting PR looks like this:
Looking at a PR for a public repo that uses releases:
It would be great if we could get that releases for our private repos since that is our primary method right now. If changelogs would be possible as an alternative or additive for teams that wanted to use it, I could champion that internally. So, the request is adding any and/or all of the various dropdowns (release notes, changelog, and commits) to private repo PRs.
Happy to clarify anything or provide more details.
The text was updated successfully, but these errors were encountered: