Dependabot-core: Changelog support for private packages on Gemfury

Created on 7 Jun 2019 · 15 Comments · Source: dependabot/dependabot-core

We're currently using Dependabot for private Ruby gems that are hosted on Gemfury. This works great, however we were not able to get a changelog to show up in the Dependabot PRs.

We have set the changelog_uri in the gemspec file. It indeed shows up when I have the gem installed and query its specification:

$ gem specification xxx
...
metadata:
  changelog_uri: https://github.com/xxx/xxx/blob/master/CHANGELOG.md
...

I also made sure Dependabot has rights to the private repository so it should be able to fetch https://github.com/xxx/xxx/blob/master/CHANGELOG.md.

Are private gems on Gemfury just not supported? Or are we missing something in our private gems?

All 15 comments

Hmmm. They are supported, but Dependabot has to work a little harder to get their changelogs because gemfury doesn't expose an API with package metadata. Let me see what we're getting back here and how we could do better.

Can you @-mention Dependabot in a PR that doesn't have a changelog?

I mentioned Dependabot with the message this PR did not show the changelog.

@bobvanderlinden I debugged this and left a comment on that issue - can you take a look?

@greysteil Thanks a lot for the information! The package itself does have the changelog_url when we download it, but the metadata from Gemfury doesn't. This makes a lot more sense. We will investigate why the metadata doesn't include the changelog url.

Hi, @greysteil
So now gemspec file which is exposed by Gemfury includes proper metadata, see:

  s.metadata = {"changelog_uri"=>
    "https://github.com/nedap/healthcare_sidekiq/blob/master/CHANGELOG.md",
   "homepage_uri"=>"https://github.com/nedap/healthcare_sidekiq"}

However, pull request created by Dependabot is still missing the changelog, see:
[Screenshot 2019-07-18 at 10 11 30]
There is a link to the repo and to all the commits, so it's certainly some progress but I'm wondering what else should we do to make these pull requests as pretty as we expect them to be :)
Can you help us? :)

Ah cool, if we're getting to the repo then we should be 90% of the way there. Is the private repo on the same org as the update PR?

Yes. So in this example dependabot created pull request in https://github.com/nedap/grip about changes in https://github.com/nedap/healthcare_sidekiq

OK, I can see new pull requests coming today which include beautiful changelog details and a list of commits. So we have it resolved I think 👍

Awesome!

Hi, quite a lot of time passed and I must admit it's still not perfect.
I can see the same updates are presented very nicely in some apps (with proper links and pull request description) and the very same updates are presented poorly in other apps (with no links and no changelog details fetched). I assumed it's maybe some cache issue and it will resolve by itself but it's still wrong.

One recent example would be the update of https://github.com/nedap/cupido-session which is presented nicely here https://github.com/nedap/medewerkerportaal/pull/1853 but not so nicely here https://github.com/nedap/hermes/pull/1080

What could be the reason?

Hi, @domininik. We'll take a look at this as soon as we can. I've reopened the issue.

Thanks a lot!

Did anyone look at it? :)

Hi, @domininik. 👋 Unfortunately, not yet. We're still pretty swamped integrating Dependabot into GitHub at the moment. :octocat:

Closing this due to age and inactivity.
