After thinking about it for a couple of minutes I'm fully behind the Apache policy forbidding automated commits to an Apache repository. If Eclipse allows such commits I'd rather suspect they haven't noticed them.

Assuming that dependabot can't deal with making its branch in a separate repo, it might be possible to make something like this work:

1. Someone forks the Apache repo.
2. Use something like https://mathieu.carbou.me/post/649318432483033088/automatic-fork-syncing-with-github to keep this fork up to date with the Apache repo.
3. Run dependabot on this fork. In these circumstances I'm not sure what the target of the dependabot PR would be or, if it's the fork, how hard it would be to make a PR to the Apache repo.
4. Do something to apply the dependabot PR/changes to the Apache repo.

David Jencks

> On Sep 2, 2021, at 2:48 PM, Olivier Lamy <ol...@apache.org> wrote:
>
> Hi,
> Really? This sounds like a productivity killer to remove such a feature...
> The bot never writes to the master branch; it just creates a branch and PR which
> need to be validated/merged by a valid committer.
> FYI the Eclipse Foundation definitely accepts this without problem, so I guess
> we have a similar level of source management.
>
> On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com> wrote:
>
>> I am missing something here: the whole point of dependabot is that it
>> creates a branch in GitHub, runs a build, and creates a PR. If you like the
>> results, you can click merge, a huge time saver.
>>
>> I really don't want to lose this killer feature.
>>
>> Gary
>>
>> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
>>
>>> Third party write access to code repositories is expressly forbidden by
>>> Foundation policy:
>>>
>>> https://infra.apache.org/repository-access.html
>>>
>>> Infra has worked with GitHub to prevent dependabot from being able to
>>> write to our repos, but it appears that it is still able to under some
>>> circumstances. We will open yet another support case with GitHub regarding
>>> this.
>>>
>>> Here is an example of a third party commit:
>>>
>>> https://github.com/apache/commons-io/pull/264
>>>
>>> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
>>>
>>> This write access to commons-io appears to be in violation of the
>>> aforementioned policy.
>>>
>>> Dependabot's email alerts are currently the only acceptable method for
>>> working with the tool.
>>>
>>> -Chris
>>> ASF Infra
>>>
>>>> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>
>>>> The Apache git repo must be mirrored from Apache to GitHub, for example
>>>> https://github.com/apache/commons-io, then you add a .github folder and
>>>> files (see above link).
>>>>
>>>> Gary
>>>>
>>>> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
>>>>
>>>>> Thanks Gary and Sebb.
>>>>> How do I turn dependabot on? Last time I tried I was informed that due to
>>>>> the program requiring write permissions to the repository, it wasn't
>>>>> possible...
>>>>> This policy must have changed...
>>>>> Thanks for any info.
>>>>> lewismc
>>>>>
>>>>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>>>>> Most of Apache Commons' components are happy users of Dependabot, which is
>>>>>> used on our GitHub mirrored repositories.
>>>>>>
>>>>>> Gary
>>>>>>
>>>>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
>>>>>>
>>>>>>> Hi builds@,
>>>>>>> I was advised to ask my question here instead of general@incubator.
>>>>>>> Thanks for any feedback
>>>>>>>
>>>>>>>> I understand that we cannot use automated tooling, specifically Dependabot
>>>>>>>> (https://dependabot.com/) because it requests write access to the ASF
>>>>>>>> project source code.
>>>>>>>> I have found this functionality to be really useful and wondered if there
>>>>>>>> are any suggestions out there for automating the dependency management
>>>>>>>> workflow?
>>>>>>>> Thanks for any feedback.
>>>>>>>> lewismc
>>>>>>> --
>>>>>>> http://home.apache.org/~lewismc/
>>>>>>> http://people.apache.org/keys/committer/lewismc
>
> --
> Olivier Lamy
> http://twitter.com/olamy | http://linkedin.com/in/olamy
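As an added illustration of the four-step workaround proposed at the top of this message (example code written for this page, not from the thread, from Dependabot, or from any ASF project): the script below stands up local git repositories in place of GitHub, a canonical repo that only a committer ever pushes to, a fork that the bot is allowed to push branches to, and the clones the bot and the committer work from. The repository paths, the `dependabot/maven/commons-io-2.11.0` branch name and the `deps.txt` manifest are all constructed for the demo. Step 2's scheduled sync is reduced to a single fetch, and step 4 is done the conservative way: the committer fetches the bot's branch from the fork, reviews it, and pushes the result to the canonical repo under their own identity. The check in the middle is the point of the exercise: after the bot has run, the canonical repo must still contain no branch written by the bot.

```shell
#!/bin/sh
# Added example, not code from the thread or from any ASF project.
# Simulates the fork-based Dependabot workflow with local git repositories
# standing in for GitHub:
#   canonical.git - the ASF-controlled repo; only a committer ever pushes here
#   fork.git      - a personal fork; the bot may push branches here
# Repo paths, the branch name and the manifest file are constructed for the demo.
set -eu

export GIT_AUTHOR_NAME=committer GIT_AUTHOR_EMAIL=committer@example.invalid
export GIT_COMMITTER_NAME=committer GIT_COMMITTER_EMAIL=committer@example.invalid

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CANON="$WORK/canonical.git"
FORK="$WORK/fork.git"
BOT_BRANCH="dependabot/maven/commons-io-2.11.0"   # assumed Dependabot branch name

# Does refs/heads/<branch> exist in the given bare repository?
branch_exists() {
  git --git-dir="$1" show-ref --verify --quiet "refs/heads/$2"
}

# Contents of a file on a branch of a bare repo, without checking it out.
file_on_branch() {
  git --git-dir="$1" show "$2:$3"
}

# Seed the canonical repo with a single commit on main (constructed manifest).
seed_canonical() {
  git init -q --bare -b main "$CANON"
  git init -q -b main "$WORK/seed"
  printf 'commons-io 2.10.0\n' > "$WORK/seed/deps.txt"
  git -C "$WORK/seed" add deps.txt
  git -C "$WORK/seed" commit -q -m "Initial import"
  git -C "$WORK/seed" push -q "$CANON" main
}

# Step 1: fork the canonical repo (a bare clone copies refs/heads/* as-is).
create_fork() {
  git clone -q --bare "$CANON" "$FORK"
}

# Step 2: keep the fork's main in sync with canonical. The linked fork-sync
# workflow does this on a schedule; here it is one fetch straight into the fork.
sync_fork() {
  git --git-dir="$FORK" fetch -q "$CANON" "+refs/heads/main:refs/heads/main"
}

# Step 3: the bot only ever talks to the fork: it creates its branch there.
simulate_dependabot() {
  git clone -q "$FORK" "$WORK/bot"
  git -C "$WORK/bot" checkout -q -b "$BOT_BRANCH"
  printf 'commons-io 2.11.0\n' > "$WORK/bot/deps.txt"
  git -C "$WORK/bot" commit -q -am "Bump commons-io from 2.10.0 to 2.11.0"
  git -C "$WORK/bot" push -q origin "$BOT_BRANCH"
}

# Step 4: a committer reviews the bot's branch from the fork and pushes the
# result to the canonical repo themselves, so the only writer there is a human.
apply_bot_branch() {
  git clone -q "$CANON" "$WORK/committer"
  git -C "$WORK/committer" fetch -q "$FORK" "$BOT_BRANCH"
  git -C "$WORK/committer" log --oneline HEAD..FETCH_HEAD   # the review step
  git -C "$WORK/committer" merge -q --ff-only FETCH_HEAD
  git -C "$WORK/committer" push -q origin main
}

seed_canonical
create_fork
# Upstream moves on after the fork was taken; the sync brings the fork back level.
git -C "$WORK/seed" commit -q --allow-empty -m "Unrelated upstream change"
git -C "$WORK/seed" push -q "$CANON" main
sync_fork
simulate_dependabot
# Policy check: the bot's branch must exist on the fork and nowhere else.
if branch_exists "$CANON" "$BOT_BRANCH"; then
  echo "bot branch found on canonical repo: policy violated" >&2
  exit 1
fi
apply_bot_branch
echo "canonical main now has: $(file_on_branch "$CANON" main deps.txt)"
```

Run it with `sh` on a machine with git 2.28 or newer (`git init -b` is what needs that version). On real GitHub the fork sync would be the scheduled workflow from the linked post and step 4 would be whatever PR route the fork allows, which the message above leaves open; the invariant the script enforces is the one the policy cares about, that nothing but a committer's own push ever changes the canonical repository.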