Theoretically, dependabot ought to be able to create its branch in a forked repo, just like any other non-committer, and create a PR from that, which can be merged by a committer. I believe this would give the same committer workflow without violating Apache policy. I have no idea if dependabot can currently do this. It would certainly create less noise in the Apache repo.

David Jencks

> On Aug 31, 2021, at 12:33 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> I am missing something here: the whole point of dependabot is that it
> creates a branch in GitHub, runs a build, and creates a PR. If you like the
> results, you can click merge, a huge time saver.
>
> I really don't want to lose this killer feature.
>
> Gary
>
> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
>
>> Third party write access to code repositories is expressly forbidden by
>> Foundation policy:
>>
>> https://infra.apache.org/repository-access.html
>>
>> Infra has worked with GitHub to prevent dependabot from being able to
>> write to our repos, but it appears that it is still able to under some
>> circumstances. We will open yet another support case with GitHub regarding
>> this.
>>
>> Here is an example of a third party commit:
>>
>> https://github.com/apache/commons-io/pull/264
>>
>> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
>>
>> This write access to commons-io appears to be in violation of the
>> aforementioned policy.
>>
>> Dependabot's email alerts are currently the only acceptable method for
>> working with the tool.
>>
>> -Chris
>> ASF Infra
>>
>>> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>
>>> The Apache git repo must be mirrored from Apache to GitHub, for example
>>> https://github.com/apache/commons-io, then you add a .github folder and
>>> files (see above link).
>>>
>>> Gary
>>>
>>> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
>>>
>>>> Thanks Gary and Sebb.
>>>> How do I turn dependabot on?
>>>> Last time I tried I was informed that due to the program requiring
>>>> write permissions to the repository, it wasn't possible...
>>>> This policy must have changed...
>>>> Thanks for any info.
>>>> lewismc
>>>>
>>>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>>>> Most of Apache Commons' components are happy users of Dependabot, which
>>>>> is used on our GitHub mirrored repositories.
>>>>>
>>>>> Gary
>>>>>
>>>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
>>>>>
>>>>>> Hi builds@,
>>>>>> I was advised to ask my question here instead of general@incubator.
>>>>>> Thanks for any feedback
>>>>>>
>>>>>>> I understand that we cannot use automated tooling, specifically Dependabot
>>>>>>> (https://dependabot.com/) because it requests write access to the ASF
>>>>>>> project source code.
>>>>>>> I have found this functionality to be really useful and wondered if there
>>>>>>> are any suggestions out there for automating the dependency management
>>>>>>> workflow?
>>>>>>> Thanks for any feedback.
>>>>>>> lewismc
>>>>>> --
>>>>>> http://home.apache.org/~lewismc/
>>>>>> http://people.apache.org/keys/committer/lewismc