I am missing something here: the whole point of dependabot is that it
creates a branch in GitHub, runs a build, and creates a PR. If you like the
results, you can click merge, a huge time saver.

I really don't want to lose this killer feature.

Gary

On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:

> Third party write access to code repositories is expressly forbidden by
> Foundation policy:
>
> https://infra.apache.org/repository-access.html
>
>
>
> Infra has worked with GitHub to prevent dependabot from being able to
> write to our repos, but it appears that it is still able to under some
> circumstances. We will open yet another support case with GitHub regarding
> this.
>
> Here is an example of a third party commit:
>
> https://github.com/apache/commons-io/pull/264
>
>
> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
>
>
> This write access to commons-io appears to be in violation of the
> aforementioned policy.
>
> Dependabot's email alerts are currently the only acceptable method for
> working with the tool.
>
>
> -Chris
> ASF Infra
>
>
>
> > On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > The Apache git repo must be mirrored from Apache to GitHub, for example
> > https://github.com/apache/commons-io, then you add a .github folder and
> > files (see above link).
> >
> > Gary
> >
> > On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
> >
> >> Thanks Gary and Sebb.
> >> How do I turn dependabot on? Last time I tried I was informed that due to
> >> the program requiring write permissions to the repository, it wasn’t
> >> possible…
> >> This policy must have changed…
> >> Thanks for any info.
> >> lewismc
> >>
> >> On 2021/08/29 14:42:00 Gary Gregory wrote:
> >>> Most of Apache Commons' components are happy users of Dependabot, which is
> >>> used on our GitHub mirrored repositories.
> >>>
> >>> Gary
> >>>
> >>>
> >>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
> >>>
> >>>> Hi builds@,
> >>>> I was advised to ask my question here instead of general@incubator.
> >>>> Thanks for any feedback
> >>>>
> >>>>> I understand that we cannot use automated tooling, specifically Dependabot
> >>>>> (https://dependabot.com/) because it requests write access to the ASF
> >>>>> project source code.
> >>>>> I have found this functionality to be really useful and wondered if there
> >>>>> are any suggestions out there for automating the dependency management
> >>>>> workflow?
> >>>>> Thanks for any feedback.
> >>>>> lewismc
> >>>> --
> >>>> http://home.apache.org/~lewismc/
> >>>> http://people.apache.org/keys/committer/lewismc
> >>>>
> >>>
> >>
>
>
