Hi,

Really? This sounds like a productivity killer to remove such a feature... The bot never writes to the master branch; it just creates a branch and a PR, which need to be validated/merged by a valid committer.

FYI, the Eclipse Foundation definitely accepts this without problem, so I guess we have a similar level of source management.

On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com> wrote:

> I am missing something here: the whole point of dependabot is that it
> creates a branch in GitHub, runs a build, and creates a PR. If you like the
> results, you can click merge, a huge time saver.
>
> I really don't want to lose this killer feature.
>
> Gary
>
> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
>
> > Third party write access to code repositories is expressly forbidden by
> > Foundation policy:
> >
> > https://infra.apache.org/repository-access.html
> >
> > Infra has worked with GitHub to prevent dependabot from being able to
> > write to our repos, but it appears that it is still able to under some
> > circumstances. We will open yet another support case with GitHub regarding
> > this.
> >
> > Here is an example of a third party commit:
> >
> > https://github.com/apache/commons-io/pull/264
> >
> > https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
> >
> > This write access to commons-io appears to be in violation of the
> > aforementioned policy.
> >
> > Dependabot's email alerts are currently the only acceptable method for
> > working with the tool.
> >
> > -Chris
> > ASF Infra
> >
> > > On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> > >
> > > The Apache git repo must be mirrored from Apache to GitHub, for example
> > > https://github.com/apache/commons-io, then you add a .github folder and
> > > files (see above link).
> > >
> > > Gary
> > >
> > > On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
> > >
> > >> Thanks Gary and Sebb.
> > >> How do I turn dependabot on? Last time I tried I was informed that due to
> > >> the program requiring write permissions to the repository, it wasn’t
> > >> possible…
> > >> This policy must have changed…
> > >> Thanks for any info.
> > >> lewismc
> > >>
> > >> On 2021/08/29 14:42:00 Gary Gregory wrote:
> > >>> Most of Apache Commons' components are happy users of Dependabot, which is
> > >>> used on our GitHub mirrored repositories.
> > >>>
> > >>> Gary
> > >>>
> > >>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
> > >>>
> > >>>> Hi builds@,
> > >>>> I was advised to ask my question here instead of general@incubator.
> > >>>> Thanks for any feedback
> > >>>>
> > >>>>> I understand that we cannot use automated tooling, specifically Dependabot
> > >>>>> (https://dependabot.com/) because it requests write access to the ASF
> > >>>>> project source code.
> > >>>>> I have found this functionality to be really useful and wondered if there
> > >>>>> are any suggestions out there for automating the dependency management
> > >>>>> workflow?
> > >>>>> Thanks for any feedback.
> > >>>>> lewismc
> > >>>> --
> > >>>> http://home.apache.org/~lewismc/
> > >>>> http://people.apache.org/keys/committer/lewismc

--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy