workaround broken dependabot #2455
Conversation
dotnet-issue-labeler
bot
added
the
area-integrations
danmoseley
added
area-engineering-systems
and removed
area-integrations
|
aha -- a condition should do it! |
| @@ -1,4 +1,6 @@ | |||
| <Project> | |||
| <!-- Workaround https://github.com/dependabot/dependabot-core/issues/8490 --> | |||
| <Import Project="eng/Versions.props" Condition="'$(MajorVersion)' == ''"/> | |||
There was a problem hiding this comment.
Yeah, typically when doing this a new property would get added to Versions.props called something like VersionPropsAlreadyImported or something like that, and then that is what is checked here. Mainly in case MajorVersion gets defaulted somewhere else or moved which might cause issues in the future.
There was a problem hiding this comment.
Yeah, it's temporary and if that happens there'll be 200 warnings so we'll know!
There was a problem hiding this comment.
I'm fine with this as a workaround, but would you mind explaining a bit more about the original issue and why this fixes it if possible?
Also, were you able to do a "dry run" or something similar (not familiar with dependabot so not sure if its even possible) to ensure that this change does workaround the issue?
|
Good point, let me do this in my fork to check it does actually work. |
|
OK testing this in my fork, it gets further, and makes PR's. They're only in global.json (maybe there's nothign to update currently in the directory.packages.props?). @joperezr can you look at these PR's and check we want PR's like this? https://github.com/danmoseley/aspire/pulls after that, dependabot still ends up failing, with errors like this. with various package names. Nevertheless, I suspect it's now "useful" to merge this. |
|
scratch that, this is the real issue "Property 'NetCurrent' was not found.". Let me slap in another workaround and see. |
|
If I also add this other hack @joperezr is there value in the global.json PR's that it did create in my fork? If so, I suggest we merge this as is. It's low risk. If not, I suggest I close this and we wait for their workaround dependabot/dependabot-core#8490 (comment) |
bummer that the workaround isn't yet making the main dependencies we care about work. Regarding the global.json PRs that it does fix, IMO those are a bit less useful in the sense that these are tools that we use during our build, but not dependencies that get eventually deployed with user applications (as their version is only relevant when we build our repo). Those aren't really the primary reason why we'd want to setup dependabot. So my conclusion is that they would have some value, but just not the real value we are trying to get out from dependabot. Those tools still bugfix things, so I wouldn't discard the workaround in benefit of those PRs, my only concern would be about the potential of new tools affecting our build assets and not being able to catch those breaks during our build. |
|
OK I think there is some value and minimal risk in merging this for now just to get those PR's. Or happy to close. LMK |
This should work around dependabot/dependabot-core#8490 but it will create 232 warnings like
@joperezr do you know a way to disable these warnings centrally these days? If not, we can put this into another branch, and periodically set that to the default branch temporarily (so it's dependabot's target) and manually run dependabot, then merge any dependabot changes to main.. or something ...
Microsoft Reviewers: Open in CodeFlow