dependabot-linguist

Use linguist to check the contents of a local repository, and then scan for dependabot-core ecosystems relevant to those languages! With the list of ecosystems present in a repository, add a dependabot.y[a]ml (configuration file).

Before installing this gem, which will install the github-linguist gem, linguists dependencies should be installed. A number of these are enabling rugged, so they can't be "ignored" like dependabot's setup, which can be ignored for the purpose of this gem, which only intends to use the file fetchers.

sudo apt-get install build-essential cmake pkg-config libicu-dev zlib1g-dev libcurl4-openssl-dev libssl-dev ruby-dev

To install the latest from RubyGems;

gem install dependabot-linguist

Or to install from GitHub's hosted gems;

gem install dependabot-linguist --source "https://rubygems.pkg.github.com/skenvy"

Add the RubyGems hosted gem with bundler;

bundle add dependabot-linguist

Or add the following line to your Gemfile manually

gem "dependabot-linguist", ">= 0.217.0

Add the GitHub hosted gem;

source "https://rubygems.pkg.github.com/skenvy" do
  gem "dependabot-linguist", ">= 0.217.0"
end

If you intend to use ::Dependabot::Linguist::DependabotFileValidator.commit_new_config, you'll need to also setup the gh CLI. You can follow instructions on cli/cli to install it, which for the intended use case should be this guide. Once you've installed it, you'll need to log in prior to running this script, as the credentials are expected to already be in place.

It also expects git to be installed and credentialed, for pushing the branch.

The two main classes this provides, ::Dependabot::Linguist::Repository and ::Dependabot::Linguist::DependabotFileValidator, can be utilised independently, although the intention is that they be utilised together; to discover the contents of a repository that should be watched with a dependabot file by Repository, and subsequently using DependabotFileValidator to edit an existing, or add a new, dependabot file to watch the directories that were validated earlier. There is also a CLI tool, dependabot-linguist, that wraps these classes and surfaces all the available options to them, although adding automated tests for the executable is still a #TODO.

The intended end goal is to use this to automatically raise a PR on GitHub with the recommended changes to the ~/.github/dependabot.y[a]ml file. This is performed by ::Dependabot::Linguist::DependabotFileValidator.commit_new_config, which utilises Ruby's Kernel to run commands in an external shell that perform actions using the gh cli, and git. If you intend to use these you'll want to follow Setup external CLIs.

require "dependabot/linguist"
# Get the list of directories validated for each ecosystem.
@repo_path = "." # "here"
@repo_name = "Skenvy/dependabot-linguist" # If it were evaluating this repo!
@this_repo = ::Dependabot::Linguist::Repository.new(@repo_path, @repo_name)
@this_repo.directories_per_ecosystem_validated_by_dependabot
# Use this list to see what the recommended update to the existing (or add new) config is.
@validator = ::Dependabot::Linguist::DependabotFileValidator.new(repo_path)
@validator.load_ecosystem_directories(incoming: @this_repo.directories_per_ecosystem_validated_by_dependabot)
@validator.new_config
# If you trust it to write the new config;
@validator.write_new_config
# If you have git, and the gh cli tool installed and configured, and trust this
# tool to handle branching, commiting, pushing, and raising a pull request;
@validator.commit_new_config

If you installed this with bundler, you'll need to preface these with bundle exec.

# With no flags, it'll run "here", and print out the recommended new config.
dependabot-linguist
# With -w, it'll write the file. You can also specify a path.
dependabot-linguist ../../some/other/repo -w
# With -x, you'll be trusting it to raise a pull request of the recommended config.
# You can also specify a name, which will be required if there isn't a "origin" remote.
dependabot-linguist ../../some/other/repo Username/Reponame -x

A yaml config file can be placed at ~/.github/.dependabot-linguist. See this example. Although it's a dotfile, it'll be read by rugged, so for it to be utilised it should be checked in. The options available to this configuration file currently are;

The below options, directory and ecosystem are not mutually exclusive, and can be mixed, according to what top level catagorisation requires less verbose configuration, if you want to ignore many directories for one or two ecosystems, or many ecosystems for one or two directories!

To ignore some ecosystems per directory, you can add

ignore:
  directory:
    /path/to/somewhere:
    - some_ecosystem

To ignore some directories per ecosystem, you can add

ignore:
  ecosystem:
    some_other_ecosystem:
    - /path/to/somewhere_else

git clone https://github.com/Skenvy/dependabot-linguist.git && cd dependabot-linguist && make setup

The majority of make recipes for this are just wrapping a bundle invocation of rake.

• make docs will recreate the RDoc docs
• make test will run the RSpec tests.
• make lint will run the RuboCop linter.