
Managing dependency updates

Copilot Chat can help you set up Dependabot to streamline dependency updates.

Automatically updating dependencies

Example scenario

Suppose your project depends on many libraries and packages. Vulnerable or outdated dependencies are a security risk that can affect your project as well as any other projects that depend on it.

Copilot Chat can help you set up Dependabot security updates and version updates so that your dependencies stay on the most secure, up-to-date versions. See "About Dependabot security updates" and "About Dependabot version updates."

Before you begin, make sure Dependabot is fully enabled under the repository's "Settings."

  1. Under the "Code security" settings, make sure that both Dependabot alerts and Dependabot security updates are set to "Enabled."
  2. Create an empty .github/dependabot.yml file and commit it to the repository.

Example prompt

Make sure the repository is attached to the prompt for context.

Analyze the codebase and project structure of this repository. Detect all package managers and package ecosystems in use, including their respective locations (e.g., npm, yarn, pip, maven, gradle, composer, github-actions, etc.).

For each detected ecosystem, create a configuration entry in a single, top-level .github/dependabot.yml file that enables security and version updates on a reasonable schedule. Use the recommended best practices for each ecosystem. Clearly specify the directory for each ecosystem detected. If multiple ecosystems or multiple directories are present, include them all in the configuration.

In the output, include any notes on the configuration or best practices, as well as next steps that include how to commit the dependabot.yml file to the repository via the GitHub web browser and how to check that Dependabot version updates and Dependabot security updates are enabled.

Example output

Copilot Chat analyzes the repository and writes the contents of a dependabot.yml configuration file for you. This file tells Dependabot which dependencies to scan and how often.

version: 2
updates:
  # Python (pip)
  - package-ecosystem: "pip"
    directory: "/"                     # Location of requirements.txt
    schedule:
      interval: "weekly"               # Weekly updates are a good balance for libraries
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "all"
    commit-message:
      prefix: "pip"
    labels:
      - "dependencies"
      - "python"
    ignore:
      - dependency-name: "pip"         # Ignore pip self-updates

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"                     # Looks for workflow files under .github/workflows/
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "actions"
    labels:
      - "dependencies"
      - "github-actions"

Once the dependabot.yml file is committed to the repository, Dependabot starts opening pull requests against it: security updates whenever a Dependabot alert identifies a vulnerable dependency, and version updates for outdated dependencies on the schedule configured in the file.
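The detection-and-generation step that the prompt above asks Copilot Chat to perform can also be scripted. The following Python is an added example, not code from this page, from GitHub or from Copilot: it maps manifest files to Dependabot package-ecosystem values, skips vendored directories so they do not get their own update entry, and emits a dependabot.yml with the same weekly schedule, limits and labels as the output above. The manifest table, the skip list and the file listing are all constructed for the example.

```python
import posixpath

# Manifest file name -> Dependabot package-ecosystem value (mapping assembled by hand
# for this example; extend it for the ecosystems your repositories use).
MANIFESTS = {
    "requirements.txt": "pip", "Pipfile": "pip", "pyproject.toml": "pip",
    "package.json": "npm",        # also covers yarn/pnpm projects (same ecosystem value)
    "go.mod": "gomod", "Cargo.toml": "cargo", "pom.xml": "maven",
    "build.gradle": "gradle", "build.gradle.kts": "gradle",
    "composer.json": "composer", "Gemfile": "bundler", "Dockerfile": "docker",
}

# Vendored trees whose manifests must not get their own update entry.
SKIP_DIRS = ("node_modules/", "vendor/", ".venv/")


def detect_ecosystems(paths):
    """Return sorted (package-ecosystem, directory) pairs for repo-relative paths."""
    found = set()
    for p in paths:
        if any(p.startswith(s) or f"/{s}" in p for s in SKIP_DIRS):
            continue
        d, name = posixpath.split(p)
        if name in MANIFESTS:
            found.add((MANIFESTS[name], f"/{d}" if d else "/"))
        elif d == ".github/workflows" and name.endswith((".yml", ".yaml")):
            # Workflow files live under .github/workflows, but the github-actions
            # ecosystem is configured with directory "/" in dependabot.yml.
            found.add(("github-actions", "/"))
    return sorted(found)


def render_dependabot_yml(ecosystems, interval="weekly", limit=5):
    """Emit dependabot.yml text with one entry per (ecosystem, directory) pair."""
    lines = ["version: 2", "updates:"]
    for eco, directory in ecosystems:
        lines += [
            f'  - package-ecosystem: "{eco}"',
            f'    directory: "{directory}"',
            "    schedule:",
            f'      interval: "{interval}"',
        ]
        if interval == "weekly":          # `day` is only used with a weekly interval
            lines.append('      day: "sunday"')
        lines += [
            '      time: "06:00"',
            '      timezone: "UTC"',
            f"    open-pull-requests-limit: {limit}",
            "    commit-message:",
            f'      prefix: "{eco}"',
            "    labels:",
            '      - "dependencies"',
            f'      - "{eco}"',
            "",
        ]
    return "\n".join(lines).rstrip("\n") + "\n"


# Constructed file listing standing in for `git ls-files` output.
SAMPLE_TREE = [
    "README.md", "requirements.txt", "src/app/__init__.py",
    "frontend/package.json", "frontend/yarn.lock",
    "frontend/node_modules/left-pad/package.json",   # vendored copy, must be skipped
    ".github/workflows/ci.yml", "Dockerfile",
]

if __name__ == "__main__":
    print(render_dependabot_yml(detect_ecosystems(SAMPLE_TREE)), end="")
```

Run it from the repository root with the real file list (for example `git ls-files | python gen_dependabot.py` after swapping SAMPLE_TREE for stdin) and diff the result against what Copilot Chat produced: a manifest the script finds that the generated config lacks is a directory Dependabot would never scan.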

Customizing dependency management

Example scenario

Suppose your team has been using a basic Dependabot configuration for a few months and you are receiving a large number of dependency update pull requests. However, you notice that:

  • Pull requests sit unreviewed because no reviewers are assigned automatically.
  • You want pull requests added to the team's project board automatically via labels.
  • CI is overwhelmed by too many dependency pull requests being processed at once.
  • You receive updates for development dependencies that do not affect production.

You want to customize the Dependabot configuration to better fit the team's workflow: for example, automatically assigning pull requests to the right team members, adding labels so that pull requests land on the project board, limiting the number of open pull requests, and focusing only on production dependencies.

Copilot Chat can draft an updated dependabot.yml that better matches the team's needs.

Example prompt

I want to customize my pull requests for Dependabot security and version updates, so that:

* Pull requests are automatically assigned to the team "octocat-reviewers."

* The label "security-management" is automatically added to every pull request.

* The number of open Dependabot PRs is limited.

* Development dependencies are ignored.

Draft an update to the dependabot.yml file in my repository that specifies these customization options.


Example output

version: 2
updates:
  # Python (pip)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "production"     # Ignore development dependencies
    # Assignees must be individual GitHub usernames: a pull request cannot be assigned
    # to a team, so "octocat-reviewers" only works here if it is a user account. To have
    # the team's review requested automatically, list the team in CODEOWNERS instead.
    assignees:
      - "octocat-reviewers"
    labels:
      - "dependencies"
      - "security-management"             # Custom label for all PRs
      - "python"
    commit-message:
      prefix: "pip"
    ignore:
      - dependency-name: "pip"
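The customization above can be applied and checked mechanically before the file is committed, which is how you catch the two mistakes a draft like this tends to contain: a team slug under assignees and a schedule key that does not match its interval. The following Python is an added example, not the page's, GitHub's or Copilot's code. It works on the parsed form of an updates entry (what yaml.safe_load would return for the first pip block on this page; the YAML parsing itself is not shown), applies a team policy to that entry (production-only, capped PR limit, a required label, named assignees) and lints the result. The team slug octocat-reviewers and the usernames hubot and monalisa are constructed; the assignee check relies on the fact that GitHub pull requests can only be assigned to user accounts.

```python
import copy

# Parsed form of the first pip entry on this page (as yaml.safe_load would return it).
BASE_PIP_ENTRY = {
    "package-ecosystem": "pip",
    "directory": "/",
    "schedule": {"interval": "weekly", "day": "sunday", "time": "06:00", "timezone": "UTC"},
    "open-pull-requests-limit": 5,
    "allow": [{"dependency-type": "all"}],
    "commit-message": {"prefix": "pip"},
    "labels": ["dependencies", "python"],
    "ignore": [{"dependency-name": "pip"}],
}

# The customized entry as drafted above, with the team slug placed under assignees.
COPILOT_DRAFT = {**BASE_PIP_ENTRY,
                 "allow": [{"dependency-type": "production"}],
                 "assignees": ["octocat-reviewers"],
                 "labels": ["dependencies", "security-management", "python"]}

# Constructed: team slugs in the organization, used to spot teams listed as assignees.
ORG_TEAMS = frozenset({"octocat-reviewers"})


def apply_team_policy(entry, assignees, required_labels, pr_limit, production_only=True):
    """Return a copy of an `updates` entry with the team's conventions applied."""
    e = copy.deepcopy(entry)
    if production_only:
        # Only production dependencies get update PRs; dev-only bumps are dropped.
        e["allow"] = [{"dependency-type": "production"}]
    e["open-pull-requests-limit"] = min(e.get("open-pull-requests-limit", 5), pr_limit)
    e["assignees"] = sorted(set(e.get("assignees", [])) | set(assignees))
    labels = list(e.get("labels", []))
    e["labels"] = labels + [lbl for lbl in required_labels if lbl not in labels]
    return e


def lint_entry(entry, org_teams=frozenset(), max_open_prs=10):
    """Return a list of findings for one `updates` entry; an empty list means it passes."""
    findings = []
    for key in ("package-ecosystem", "directory", "schedule"):
        if key not in entry:
            findings.append(f"missing required key {key!r}")
    sched = entry.get("schedule", {})
    if "interval" not in sched:
        findings.append("schedule.interval is required")
    elif sched["interval"] != "weekly" and "day" in sched:
        findings.append("schedule.day is only meaningful with interval: weekly")
    for who in entry.get("assignees", []):
        # Pull requests are assigned to users; a team slug here does not reach the team.
        if who in org_teams or "/" in who:
            findings.append(
                f"assignee {who!r} is a team: assignees must be individual usernames; "
                "add the team to CODEOWNERS to have its review requested instead"
            )
    if entry.get("open-pull-requests-limit", 5) > max_open_prs:
        findings.append(f"open-pull-requests-limit exceeds the team ceiling of {max_open_prs}")
    return findings


def lint_config(config, **kw):
    """Lint a whole parsed dependabot.yml; returns {entry index: findings} for failures."""
    if config.get("version") != 2:
        return {-1: ["version must be 2"]}
    return {i: f for i, e in enumerate(config.get("updates", []))
            if (f := lint_entry(e, **kw))}


if __name__ == "__main__":
    fixed = apply_team_policy(BASE_PIP_ENTRY, ["hubot", "monalisa"],
                              ["security-management"], pr_limit=5)
    for name, entry in (("draft", COPILOT_DRAFT), ("fixed", fixed)):
        print(name, lint_entry(entry, org_teams=ORG_TEAMS) or "OK")
```

Wire lint_config into the same CI job that validates the rest of .github so a draft that names a team under assignees, or that pairs schedule.day with a daily interval, fails before it is merged rather than after a week of pull requests nobody was assigned.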