Dependabot-core: Bazel support?

Created on 25 Jan 2019 · 9 Comments · Source: dependabot/dependabot-core

Hi there - we use bazel within our multi-product repos. It would be great to have dependabot understand and integrate with that?

Broadly, bazel is a cross-platform and cross-language build system. It wants one to specify all external dependencies within a WORKSPACE file within the root of the repo (with plans I think to allow WORKSPACE files, plural, within the repo).

A WORKSPACE file (and other Bazel files) is written in a language called Starlark.

A WORKSPACE file can take dependencies as follows:

  • on dependencies that are themselves built via bazel
  • on dependencies _not_ built via bazel
  • on dependencies packaged via that language's package manager (for details, see the bazelbuild/rules_* repos)

A _great_ first addition would be to handle the git_repository and http_archive dependency rules, since _mostly_ these target github sha1s or tags.

I don't know which language dependabot itself is written in, but there is a Starlark parser in golang if it happens to be go.

new-ecosystem

Most helpful comment

Ping to make un-stale; would still love bazel support.

All 9 comments

@petemounce thanks for the suggestion! Definitely keen on supporting more build/infra tools. We've been holding off on adding new languages for a while to get all existing languages into a stable state. Still got a way to go so will hold off on this until we get some breathing room.

Note: renovatebot.com already supports Bazel and we use it in a number of Bazel-adjacent repos

> there is a Starlark parser in golang if it happens to be go.

It might be worth pointing out that Skylark is a subset of Python 3 as that might simplify parsing of the WORKSPACE file.
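The opening post asks for git_repository and http_archive handling first, and the comment above notes that Starlark's syntax is close enough to Python that the WORKSPACE file can be parsed with ordinary Python tooling. The block below is an added example, not code from dependabot-core or from anyone in this thread: it uses Python's own `ast` module to pull every top-level `http_archive` / `git_repository` call out of a WORKSPACE file and reports which ones are not pinned to an immutable reference (no `sha256` on an archive, no `commit` on a git checkout), which is the pre-condition any update bot needs before it can diff a "current" version against an upstream one. The WORKSPACE contents and the `example-org` names are constructed sample input; the assumption is that the file uses only the Python-compatible subset of Starlark (which is true of typical WORKSPACE files, but Starlark is not Python, so a file using non-Python syntax would fail to parse).

```python
import ast
from dataclasses import dataclass

# Constructed sample WORKSPACE content (not from any real repository).
# Two entries are pinned properly, two are not.
SAMPLE_WORKSPACE = '''
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")

http_archive(
    name = "rules_foo",
    urls = ["https://github.com/example-org/rules_foo/archive/v1.2.3.tar.gz"],
    strip_prefix = "rules_foo-1.2.3",
    sha256 = "0000000000000000000000000000000000000000000000000000000000000000",
)

git_repository(
    name = "bar",
    remote = "https://github.com/example-org/bar.git",
    commit = "0123456789abcdef0123456789abcdef01234567",
)

git_repository(
    name = "baz",
    remote = "https://github.com/example-org/baz.git",
    branch = "main",
)

http_archive(
    name = "qux",
    url = "https://example.com/qux-0.9.zip",
)
'''

# The two repository rules the opening post asks to support first.
REPO_RULES = {"http_archive", "git_repository"}


@dataclass
class RepoDep:
    rule: str    # "http_archive" or "git_repository"
    name: str    # the rule's name attribute
    attrs: dict  # keyword arguments as Python literals (None if not a literal)


def _literal(node):
    """Evaluate a literal attribute value; return None for non-literal expressions."""
    try:
        return ast.literal_eval(node)
    except ValueError:
        return None


def parse_workspace(text):
    """Return every top-level http_archive / git_repository call in WORKSPACE text.

    Starlark's syntax is a Python subset for these constructs, so ast.parse is
    enough; load() lines parse as ordinary calls and are simply skipped.
    """
    tree = ast.parse(text)
    deps = []
    for node in tree.body:
        if not isinstance(node, ast.Expr) or not isinstance(node.value, ast.Call):
            continue
        call = node.value
        if not isinstance(call.func, ast.Name) or call.func.id not in REPO_RULES:
            continue
        attrs = {kw.arg: _literal(kw.value) for kw in call.keywords if kw.arg}
        deps.append(RepoDep(call.func.id, attrs.get("name", "<unnamed>"), attrs))
    return deps


def find_unpinned(deps):
    """Flag dependencies whose fetched content is not bound to an immutable reference.

    An http_archive without sha256 accepts whatever the URL serves today, and a
    git_repository on a branch or tag can silently change; both mean a bot
    cannot reason about the "current" version, and a reviewer cannot either.
    """
    findings = []
    for d in deps:
        if d.rule == "http_archive" and not d.attrs.get("sha256"):
            findings.append((d.name, "http_archive without sha256"))
        if d.rule == "git_repository" and not d.attrs.get("commit"):
            findings.append((d.name, "git_repository not pinned to a commit"))
    return findings


if __name__ == "__main__":
    for name, problem in find_unpinned(parse_workspace(SAMPLE_WORKSPACE)):
        print(f"{name}: {problem}")
```

Run as a script it prints one line per unpinned entry; the same two functions are what a CI check (the idea raised later in this thread) would call over the real WORKSPACE file to fail a build that loosens a pin.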

I have a Bazel project where I'm interested in enabling dependabot. I _considered_ 1) writing a script that generates a pom.xml from the WORKSPACE file to hack around the lack of support and 2) adding a CI check that makes sure that the pom.xml file is synced with WORKSPACE. This would obviously mean that no submitted pull requests by dependabot would work, but at least we'd know of security issues. Maybe too hacky, haven't decided...

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Ping to make un-stale; would still love bazel support.

I want to 2nd this! Bazel support would be awesome.

What would dependabot look like for Bazel? Would it be just the actual dependencies, or also be able to update the workspace rules and rule hashes and the .bazelversion?

Compared to say Maven, Bazel has a lot of moving parts.

Any update on this thread?

Not dependabot, but solving the same need: I worked with the renovate author to get things in good working shape for Bazel. It's now doing a great job auto-updating our GitHub-hosted dependencies. I'd recommend giving Renovate a try, if you're trying to automate Bazel dependency updates.

(I'd originally followed this issue long ago, hoping dependabot would add Bazel support.)

I have not worked with renovate before, should I be concerned about its introduction into my corporate usage?
