Hi!
We have a few modules per repo, and our Dockerfile is usually located in /app/Dockerfile, but Dependabot does not detect it automatically :(
Is it possible to make it scan the repo for the Dockerfiles? At least on 1st level :)
Or, alternatively, maybe we can hint the Dependabot (with some .dependabot.yml file in the repo) where to look for it (we prefer a file because we can easily copy the file from one project into another, and when we create new repos we will have it under the standard set of files).
@bsideup thanks for the suggestion! We're thinking about automatically adding dependency manifests at the root level and then showing you a list of detected manifests within the entire repo to make it easy to add them in bulk.
You can still add these nested manifests manually by specifying a Directory when adding a Project:

Hope this works until we have a more automated solution in place!
@feelepxyz yes, thanks for the workaround, that's actually what we already did (works great btw).
The problem is that we have 30+ microservices in our organization and adding it manually takes quite some time :D
Looking forward to the automated solution 👍
@bsideup good to hear! We're hoping to help with exactly that use case.
We've also been thinking about bundling updates for microservices. Would love to get your thoughts on this. Would it be helpful for your project if you got one PR/commit updating the same dependency across all your microservices in one go (to the latest version)? Or is the current setup of one PR per dependency and microservice preferable?
@feelepxyz we have different teams working on different services and it will not help too much :)
Also, we have different tiers. E.g. we first update deps on non-critical, internal services, and only then continue with public facing mission critical ones :)
but a command to merge two PRs into one would be amazing 👍
E.g. we receive PR#1 and it updates "foo" but we know that without "bar" it will not work properly, and we also have PR#2 for "bar". So, we go to PR#1 and use `@dependabot merge_with dependabot/feedback#2` :)
@bsideup great! Very good to know 🙌
Merging PRs has come up quite a few times and something we're thinking about adding! Sounds like we should prioritise this before cross-project bundling options.
@feelepxyz 💯 since you're so open to feedback ( :D ), here are a few more things we had in mind when we started with Dependabot:
1) When you add a Gradle project, it detects it as "Maven", even tho there is no pom.xml or anything else
2) would be amazing if Dependabot will have a setting to automatically add projects (blacklist instead of whitelist) with the type automatically detected (after 1) is fixed)
3) dependabot/feedback#20 is something we didn't figure out how to workaround, unless we downgrade to classpath-based plugins :(
4) Spring dependency management Gradle plugin (super popular one) has dependencySet feature to set a version for multiple dependencies at once. I have a workaround for it but it looks rather ugly :( I know that it is a bit specific but many Spring Boot + Gradle users will be super happy if it gets supported by Dependabot 😊
@bsideup love it!
I think (4) should be relatively straightforward, so have started work on it over at https://github.com/dependabot/dependabot-core/pull/712.
On (3), there's a separate issue, and I'm going to work on it when I can (hopefully this weekend).
On (1), yeah, that's kind of annoying isn't it? Phil's explanation is spot on, though, so no fix available for now.
I'm going to close this as I think everything is covered off once https://github.com/dependabot/dependabot-core/pull/712 and dependabot/feedback#20 are done. 🎉
@greysteil
Amazing progress! 👍
Also, I would keep the issue open because it was about a different thing (Dockerfile in non-root), but I guess I confused everyone by adding more feedback into the same issue, sorry about it ☺️
Yeah, the Dockerfile in non-root is solved by specifying a directory though, right? We've got plans for a project detection feature that will make it easy to add nested projects, too, though - I'll rename to make it clearer this is now related to that.
@greysteil I see. Ok, thanks 👍
Please also consider whether multi-branch setup should be integrated in this new multi-directory UI :)
(I'm experimenting with weekly updates for all dependencies for the develop branch, but immediate security updates for master/staging)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.
Closing this as Dependabot is now configured via a configuration file, rather than the UI: https://help.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates#enabling-github-dependabot-version-updates
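
For the many-microservices case raised in this thread, the configuration file can be generated rather than written by hand. The following is an added example, not code from the thread or from the Dependabot project: it scans a checkout for manifests down to a chosen depth and renders a version 2 `.github/dependabot.yml`. The function names, the skip list and the sample repository layout are assumptions made for illustration.

```python
import os
import tempfile

# Manifest file name -> Dependabot "package-ecosystem" value (v2 config format).
MANIFESTS = {"Dockerfile": "docker", "build.gradle": "gradle", "pom.xml": "maven"}
SKIP_DIRS = {".git", "node_modules", "build", "target"}  # assumed noise directories

def find_manifests(repo_root, max_depth=1):
    """Return sorted (ecosystem, directory) pairs found up to max_depth below the root."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(repo_root):
        rel = os.path.relpath(dirpath, repo_root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        # Prune in place: stop descending at max_depth and never enter skipped dirs.
        dirnames[:] = [] if depth >= max_depth else sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in filenames:
            if name in MANIFESTS:
                directory = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
                found.add((MANIFESTS[name], directory))
    return sorted(found)

def render_config(entries, interval="weekly"):
    """Render entries as dependabot.yml text (assumes directory names need no YAML escaping)."""
    lines = ["version: 2", "updates:"]
    for ecosystem, directory in entries:
        lines += [
            f'  - package-ecosystem: "{ecosystem}"',
            f'    directory: "{directory}"',
            "    schedule:",
            f'      interval: "{interval}"',
        ]
    return "\n".join(lines) + "\n"

def build_sample_repo(root):
    """Create a constructed sample layout: nested Dockerfiles plus a root Gradle build."""
    for rel in ("app/Dockerfile", "build.gradle", "services/api/Dockerfile", ".git/Dockerfile"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        print(render_config(find_manifests(root, max_depth=1)), end="")
```

Because the output is a plain file, it can be copied into new repositories along with the rest of a standard file set, and regenerated in CI to flag manifests that are not yet covered by updates.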