Add dependabot CLI execution mode behind experiment flag#1729
Open
brettfo wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an experimental execution path that runs Dependabot updates via the dependabot/cli binary instead of the existing Docker-based orchestration, gated behind the dependabot-use-cli experiment and disabled on GHES.
Changes:
- Introduces
runDependabotCLIorchestration (download CLI, build YAML job file, run CLI with flags/env). - Adds GHES detection to prevent CLI mode on GitHub Enterprise Server while allowing github.com and
*.ghe.com. - Updates dependencies/build artifacts and adds Jest coverage for the new CLI mode and helpers.
Show a summary per file
| File | Description |
|---|---|
| src/main.ts | Adds experiment-gated CLI execution path and GHES detection helper. |
| src/cli-runner.ts | New module to download and execute Dependabot CLI and generate YAML job files. |
| package.json | Adds js-yaml runtime dependency and its types. |
| package-lock.json | Lockfile updates reflecting new dependencies. |
| tests/main.test.ts | Adds tests for CLI experiment gating and GHES behavior. |
| tests/cli-runner.test.ts | Adds unit tests for CLI runner helpers/job file generation. |
| dist/main/sourcemap-register.js | Rebuilt dist output. |
| dist/cleanup/sourcemap-register.js | Rebuilt dist output. |
| dist/main/licenses.txt | Updates bundled licenses to include js-yaml. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/13 changed files
- Comments generated: 4
- Review effort level: Low
403cec2 to
d1cead5
Compare
b7d6ab1 to
ef0a274
Compare
Introduces a new code path that uses the dependabot CLI binary instead of the Docker-based updater orchestration when the dependabot-use-cli experiment is enabled. Key changes: - Download the latest CLI release from GitHub Releases, resolving the version dynamically via the GitHub API - Build a YAML job file from the job details and credentials - Pass --api-url, --updater-image, and --proxy-image flags to the CLI - Set JOB_TOKEN, DEPENDABOT_JOB_ID, and LOCAL_GITHUB_ACCESS_TOKEN in the CLI process environment for proxy auth and image pulls - Log CLI stderr as info (not warning) - Skip the CLI path when the job environment is ghes; allow it for dotcom and proxima environments Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ef0a274 to
3b6ca0c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduces a new code path that uses the dependabot CLI binary instead of the Docker-based updater orchestration when the
dependabot-use-cliexperiment is enabled.Key changes:
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com