Third party write access to code repositories is expressly forbidden by Foundation policy:

https://infra.apache.org/repository-access.html

Infra has worked with GitHub to prevent dependabot from being able to write to our repos, but it appears that it is still able to under some circumstances. We will open yet another support case with GitHub regarding this.

Here is an example of a third party commit:

https://github.com/apache/commons-io/pull/264
https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E

This write access to commons-io appears to be in violation of the aforementioned policy.

Dependabot's email alerts are currently the only acceptable method for working with the tool.

-Chris
ASF Infra

> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> The Apache git repo must be mirrored from Apache to GitHub, for example https://github.com/apache/commons-io, then you add a .github folder and files (see above link).
>
> Gary
>
> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
>
>> Thanks Gary and Sebb.
>> How do I turn dependabot on? Last time I tried I was informed that due to the program requiring write permissions to the repository, it wasn't possible…
>> This policy must have changed…
>> Thanks for any info.
>> lewismc
>>
>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>> Most of Apache Commons' components are happy users of Dependabot, which is used on our GitHub mirrored repositories.
>>>
>>> Gary
>>>
>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
>>>
>>>> Hi builds@,
>>>> I was advised to ask my question here instead of general@incubator.
>>>> Thanks for any feedback
>>>>
>>>>> I understand that we cannot use automated tooling, specifically Dependabot (https://dependabot.com/) because it requests write access to the ASF project source code.
>>>>> I have found this functionality to be really useful and wondered if there are any suggestions out there for automating the dependency management workflow?
>>>>> Thanks for any feedback.
>>>>> lewismc
>>>> --
>>>> http://home.apache.org/~lewismc/
>>>> http://people.apache.org/keys/committer/lewismc