Dependabot-core: "Live" support for git submodules

Created on 16 Dec 2018 · 7 Comments · Source: dependabot/dependabot-core

I've set up dependabot today for several of my open-source projects and I'm loving it so far, thank you a lot! ❤️

I'm wondering if it could be possible to ask about a potential enhancement to the submodules feature by giving it "live" updates, if dependabot can receive proper webhooks.

Let me explain my setup, I have a core repo C that includes several submodules:

  • reference to wiki of repo C (on GitHub)
  • a subproject that is a part of core project C
  • a tool that is being used during building of project C

Right now dependabot is limited to fetching all of the submodules and checking them periodically, but it's totally possible to use GitHub's webhooks for other projects, as long as:

  • it's a wiki of the project (that we already have access to)
  • or it's another repo under the same account/organization that we can access, even if it's not configured by dependabot right now

This way dependabot could configure all found submodules via webhooks and receive live submodule triggers for all the projects that it has access to. It'd basically be a trigger for "Bump now", appropriately optimized to handle only the submodule that the webhook has referenced. Moreover, in the future it could be used even in a cross-account scenario where a user could get this output even while referencing somebody else's repo, as long as that other person is using dependabot for his own repo too (as you're able to receive webhooks from it in this case, and use them for the first user's advantage).

Is there any interest in making something like this happen? I'm mostly interested in the wiki part personally, but I believe that this feature can shine in a lot of different aspects, especially considering that dependabot already has access to everything that is needed; it only requires a bit more logic to add.

Thank you in advance for considering this suggestion. I hope that we can see it happen.

language-support Lsubmodules feature-request

All 7 comments

I'm not sure I understand what you mean by "it's a wiki of the project" - any chance you can link me to an example?

For the case where Dependabot has been given GitHub access to a repo it shouldn't be that hard for us to listen for webhooks. For public repos that don't have Dependabot installed it will be a bit trickier...

Sure I can, take a look at my ASF repo: https://github.com/JustArchiNET/ArchiSteamFarm

I'm using the GitHub wiki of the project to the maximum degree, so I've also included it as a git submodule. I have it fully localized in several languages, so right now I have a pretty neat setup of dependabot doing a wiki submodule bump once the wiki is edited, then merging the PR, then my CI building the commit and, as part of the process, uploading updated source strings for translations on the Crowdin (localization) platform. All of that is now done automatically thanks to your awesome bot, which is why I'd be interested in cutting daily updates to instant ones, but only as a potential improvement of an already working mechanism.

GitHub offers a "wiki update" event in the webhook; dependabot could detect that a submodule is a GitHub wiki and enable that option for the parent repo in this case.

For public repos that don't have Dependabot installed it will be a bit trickier...

I don't expect miracles. Polling each minute for repo updates could be possible, but it's very inefficient and would put a lot of pressure on the internal infrastructure if too many people used this at once. However, if you stick only to the repos you have access to (like in my case, where I have all the repos, including the parent repo of the wiki, set up), then you can do it very efficiently and without any issues by just making use of GitHub's webhooks mechanism (or any similar API available for bots), and you'd not waste a single request in the process, since that webhook would happen only if the repo was truly edited. This is why I consider it a good idea for submodules that you can set up in a way that gives you live notifications, while those for which that isn't possible (e.g. public, non-configured, non-supported infrastructures) would still use the daily check as a balance between pressure and freshness. Of course you could always improve on this idea if you have some better solution than the one I offer here, but the fact is that doing it for already-set-up repos can be done cost-free and very efficiently for the backend infrastructure.

In any case, thank you a lot for considering this; I hope I made it a bit more clear 🙂
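The mechanism sketched in the opening post and in the comment above (map each submodule to the repo and webhook event that announces a change to it, and bump only that submodule when a delivery arrives), as an added example that is not part of the original issue or of dependabot-core's own code. It assumes the `.gitmodules` shown is a constructed sample in the reporter's layout, that `example-org` and the secret are placeholders, and that the receiving side checks GitHub's `X-Hub-Signature-256` HMAC before acting on any payload; the wiki case uses the fact that a GitHub wiki is a separate `<repo>.wiki` repository whose edits are delivered as the `gollum` event for the parent repository.

```ruby
require 'openssl'
require 'json'

# Constructed sample .gitmodules mirroring the layout described in the issue
# (a wiki, a subproject and a build tool). Names and URLs are illustrative.
SAMPLE_GITMODULES = <<~GITMODULES
  [submodule "wiki"]
    path = wiki
    url = https://github.com/example-org/core.wiki.git
  [submodule "subproject"]
    path = lib/subproject
    url = https://github.com/example-org/subproject.git
  [submodule "tools/builder"]
    path = tools/builder
    url = git@github.com:example-org/builder.git
GITMODULES

# Constructed shared secret; a real deployment would load it from configuration.
WEBHOOK_SECRET = 'constructed-webhook-secret'.freeze

# Parse .gitmodules into an array of { name:, path:, url: } hashes.
def parse_gitmodules(text)
  entries = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A\[submodule "(.+)"\]\z/))
      current = { name: m[1] }
      entries << current
    elsif current && (m = line.match(/\A(path|url)\s*=\s*(.+)\z/))
      current[m[1].to_sym] = m[2].strip
    end
  end
  entries
end

# Reduce an https or ssh GitHub URL to "owner/repo"; nil for anything else.
def github_slug(url)
  m = url.match(%r{\Agit@github\.com:([^/]+)/(.+?)(?:\.git)?\z}) ||
      url.match(%r{\Ahttps://github\.com/([^/]+)/(.+?)(?:\.git)?/?\z})
  m && "#{m[1]}/#{m[2]}"
end

# Build { [repo_slug, event_name] => submodule_path }. A GitHub wiki lives in a
# separate "<repo>.wiki" repository, but its edit webhook (the "gollum" event) is
# delivered for the parent repository, so wiki submodules are keyed on the parent.
def webhook_index(gitmodules_text)
  parse_gitmodules(gitmodules_text).each_with_object({}) do |sub, idx|
    slug = github_slug(sub[:url])
    next unless slug
    if slug.end_with?('.wiki')
      idx[[slug.delete_suffix('.wiki'), 'gollum']] = sub[:path]
    else
      idx[[slug, 'push']] = sub[:path]
    end
  end
end

# What GitHub computes over the raw body: HMAC-SHA256 keyed with the shared secret.
def sign_payload(secret, body)
  'sha256=' + OpenSSL::HMAC.hexdigest('SHA256', secret, body)
end

# Constant-time comparison so the signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the X-Hub-Signature-256 header before trusting anything in the payload.
def valid_signature?(secret, body, header)
  return false if header.nil?
  secure_equal?(header, sign_payload(secret, body))
end

# Map an incoming delivery to the single submodule path that should be bumped,
# or nil when the signature fails or no submodule is tied to that repo and event.
def submodule_to_bump(index, secret, headers, body)
  return nil unless valid_signature?(secret, body, headers['X-Hub-Signature-256'])
  payload = JSON.parse(body)
  index[[payload.dig('repository', 'full_name'), headers['X-GitHub-Event']]]
end

if __FILE__ == $PROGRAM_NAME
  index = webhook_index(SAMPLE_GITMODULES)
  body = JSON.generate('repository' => { 'full_name' => 'example-org/core' })
  headers = { 'X-GitHub-Event' => 'gollum',
              'X-Hub-Signature-256' => sign_payload(WEBHOOK_SECRET, body) }
  puts "bump: #{submodule_to_bump(index, WEBHOOK_SECRET, headers, body).inspect}"
end
```

A delivery that fails the signature check, or that names a repo and event with no submodule behind them, resolves to nil and is dropped; everything else falls through to the existing periodic check, which is the split between "live" and "daily" submodules described in the comment.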

I had no idea wikis worked like that. That's pretty awesome.

I'm 👍 on your suggestion of listening for webhooks on repos (and wikis) we have access to. I'll try to get this done tomorrow, but it might slip a few days. Pester me if I haven't shipped it by the end of the week.

Thanks for the feedback!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Any progress on this?

Hi! Not yet, unfortunately. The team is still pretty swamped integrating Dependabot into GitHub, so we haven't yet been able to work on new features like this.

This would make submodules a lot less painful; I have to do this manually at the moment.
