So what happens here? If I understand correctly, dependabot creates a branch in a fork repository with a commit, then this commit is merged back to the Apache GitHub repo by a committer.
In the previous model dependabot created a branch in the Apache GitHub repo, then a committer merged this back to master or any other branch. In both cases there is a commit by a bot which has been merged by a committer. What exactly is the difference at the end?

On Fri, 3 Sep 2021 at 8:19 am, David Jencks <david.a.jen...@gmail.com> wrote:

> After thinking about it for a couple of minutes I’m fully behind Apache
> policy forbidding automated commits to an Apache repository. If Eclipse
> allows such commits I’d rather suspect they haven’t noticed them.
>
> Assuming that dependabot can’t deal with making its branch in a separate
> repo, it might be possible to make something like this work:
>
> 1. Someone forks the apache repo.
> 2. Use something like
> https://mathieu.carbou.me/post/649318432483033088/automatic-fork-syncing-with-github
> to keep this fork up to date with the Apache repo.
> 3. Run dependabot on this fork.
>
> In these circumstances I’m not sure what the target of the dependabot PR
> would be or, if it’s the fork, how hard it would be to make a PR to the
> Apache repo.
> 4. Do something to apply the dependabot PR/changes to the apache repo.
>
> David Jencks
>
> > On Sep 2, 2021, at 2:48 PM, Olivier Lamy <ol...@apache.org> wrote:
> >
> > Hi,
> > Really? This sounds like a productivity killer to remove such a feature...
> > the bot never writes to the master branch, it just creates a branch and PR which
> > need to be validated/merged by a valid committer.
> > FYI the Eclipse foundation definitely accepts this without problem, so I guess
> > we have a similar level of source management.
> >
> > On Wed, 1 Sept 2021 at 05:33, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> >> I am missing something here: the whole point of dependabot is that it
> >> creates a branch in GitHub, runs a build, and creates a PR. If you like the
> >> results, you can click merge, a huge time saver.
> >>
> >> I really don't want to lose this killer feature.
> >>
> >> Gary
> >>
> >> On Tue, Aug 31, 2021, 11:33 Chris Lambertus <c...@apache.org> wrote:
> >>
> >>> Third party write access to code repositories is expressly forbidden by
> >>> Foundation policy:
> >>>
> >>> https://infra.apache.org/repository-access.html
> >>>
> >>> Infra has worked with GitHub to prevent dependabot from being able to
> >>> write to our repos, but it appears that it is still able to under some
> >>> circumstances. We will open yet another support case with GitHub regarding
> >>> this.
> >>>
> >>> Here is an example of a third party commit:
> >>>
> >>> https://github.com/apache/commons-io/pull/264
> >>>
> >>> https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E
> >>>
> >>> This write access to commons-io appears to be in violation of the
> >>> aforementioned policy.
> >>>
> >>> Dependabot's email alerts are currently the only acceptable method for
> >>> working with the tool.
> >>>
> >>> -Chris
> >>> ASF Infra
> >>>
> >>>> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >>>>
> >>>> The Apache git repo must be mirrored from Apache to GitHub, for example
> >>>> https://github.com/apache/commons-io, then you add a .github folder and
> >>>> files (see above link).
> >>>>
> >>>> Gary
> >>>>
> >>>> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
> >>>>
> >>>>> Thanks Gary and Sebb.
> >>>>> How do I turn dependabot on? Last time I tried I was informed that, due to
> >>>>> the program requiring write permissions to the repository, it wasn’t
> >>>>> possible…
> >>>>> This policy must have changed…
> >>>>> Thanks for any info.
> >>>>> lewismc
> >>>>>
> >>>>> On 2021/08/29 14:42:00 Gary Gregory wrote:
> >>>>>> Most of Apache Commons' components are happy users of Dependabot, which is
> >>>>>> used on our GitHub mirrored repositories.
> >>>>>>
> >>>>>> Gary
> >>>>>>
> >>>>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
> >>>>>>
> >>>>>>> Hi builds@,
> >>>>>>> I was advised to ask my question here instead of general@incubator.
> >>>>>>> Thanks for any feedback
> >>>>>>>
> >>>>>>>> I understand that we cannot use automated tooling, specifically Dependabot
> >>>>>>>> (https://dependabot.com/) because it requests write access to the ASF
> >>>>>>>> project source code.
> >>>>>>>> I have found this functionality to be really useful and wondered if there
> >>>>>>>> are any suggestions out there for automating the dependency management
> >>>>>>>> workflow?
> >>>>>>>> Thanks for any feedback.
> >>>>>>>> lewismc
> >>>>>>> --
> >>>>>>> http://home.apache.org/~lewismc/
> >>>>>>> http://people.apache.org/keys/committer/lewismc
> >
> > --
> > Olivier Lamy
> > http://twitter.com/olamy | http://linkedin.com/in/olamy

--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy