Automatically updating dependencies
Example scenario
Suppose your project depends on many libraries and packages. Vulnerable or outdated dependencies introduce security risk that can affect your project and any other project that depends on it.
Copilot Chat can help you configure Dependabot for security and version updates, so that your dependencies stay on the most secure and up-to-date versions. See About Dependabot security updates and About Dependabot version updates.
Before you start, make sure Dependabot is fully enabled under your repository's Settings.
- Under the Code security settings, make sure both Dependabot alerts and Dependabot security updates are set to Enabled.
- Create an empty .github/dependabot.yml file and commit it to the repository.
Example prompt
Make sure your repository is linked to the prompt to provide context.
Analyze the codebase and project structure of this repository. Detect all package managers and package ecosystems in use, including their respective locations (e.g., npm, yarn, pip, maven, gradle, composer, github-actions, etc.).
For each detected ecosystem, create a configuration entry in a single, top-level .github/dependabot.yml file that enables security and version updates on a reasonable schedule. Use the recommended best practices for each ecosystem. Clearly specify the directory for each ecosystem detected. If multiple ecosystems or multiple directories are present, include them all in the configuration.
In the output, include any notes on the configuration or best practices, as well as next steps that include how to commit the dependabot.yml file to the repository via the GitHub web browser and how to check that Dependabot version updates and Dependabot security updates are enabled.
Example output
Copilot Chat analyzes your codebase and writes the contents of a dependabot.yml configuration file for you, which tells Dependabot which dependencies to scan.
version: 2
updates:
  # Python (pip)
  - package-ecosystem: "pip"
    directory: "/" # Location of requirements.txt
    schedule:
      interval: "weekly" # Weekly updates are a good balance for libraries
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "all"
    commit-message:
      prefix: "pip"
    labels:
      - "dependencies"
      - "python"
    ignore:
      - dependency-name: "pip" # Ignore pip self-updates
  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/" # Looks for workflow files under .github/workflows/
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "actions"
    labels:
      - "dependencies"
      - "github-actions"
Once the dependabot.yml file is committed to the repository, Dependabot starts opening pull requests against the repository whenever it detects a vulnerable or outdated dependency.
Customizing dependency management
Example scenario
Suppose your team has been using a basic Dependabot configuration for a few months and you are receiving a large number of dependency update pull requests. However, you have noticed that:
- Pull requests sit unreviewed because no reviewers are assigned automatically.
- You want pull requests added to your team's project board automatically via labels.
- CI is overwhelmed by handling too many dependency pull requests at once.
- You receive updates for development dependencies that do not affect production.
You want to customize the Dependabot configuration to better suit your team's workflow: automatically assign pull requests to the right team members, add labels that place pull requests on the project board, limit the number of open pull requests, and focus on production dependencies only.
Copilot Chat can write an updated dependabot.yml that better meets your team's needs.
Example prompt
I want to customize my pull requests for Dependabot security and version updates, so that:
* Pull requests are automatically assigned to the team "octocat-reviewers."
* The label "security-management" is automatically added to every pull request.
* The number of open Dependabot PRs is limited.
* Development dependencies are ignored.
Draft an update to the dependabot.yml file in my repository that specifies these customization options.
Tips
- There are many customization options to explore. For more information, see Customizing pull requests for Dependabot security updates and Customizing Dependabot pull requests to fit your process.
- You can specify different customizations for each package ecosystem.
Example output
version: 2
updates:
  # Python (pip)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "production" # Ignore development dependencies
    assignees:
      - "octocat-reviewers" # Assign PRs to the team
    labels:
      - "dependencies"
      - "security-management" # Custom label for all PRs
      - "python"
    commit-message:
      prefix: "pip"
    ignore:
      - dependency-name: "pip"
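Before committing a generated dependabot.yml, it is worth checking that every updates entry actually carries the customizations you asked for, since a missed assignee or a missing production-only allow list silently reverts to the basic behavior. The following script is an added example, not code from this page or from Dependabot; it lints a parsed config against the policy from the second scenario, assumes the file has already been loaded into a dict with a YAML parser such as PyYAML's yaml.safe_load, and the two embedded configs are constructed samples.

```python
# Added example (not from this page or Dependabot): lint a parsed dependabot.yml
# against the team policy requested in the second scenario. Load the real file
# first, e.g. config = yaml.safe_load(open(".github/dependabot.yml")) with PyYAML.

REQUIRED_LABEL = "security-management"
REQUIRED_ASSIGNEE = "octocat-reviewers"
MAX_OPEN_PRS = 5

def check_update_entry(entry: dict) -> list[str]:
    """Return policy violations for one entry of the `updates` list."""
    name = f"{entry.get('package-ecosystem', '?')}@{entry.get('directory', '?')}"
    problems = []
    for key in ("package-ecosystem", "directory", "schedule"):
        if key not in entry:
            problems.append(f"{name}: missing required key '{key}'")
    limit = entry.get("open-pull-requests-limit")
    if limit is None or limit > MAX_OPEN_PRS:
        problems.append(f"{name}: open-pull-requests-limit must be set and <= {MAX_OPEN_PRS}")
    if REQUIRED_ASSIGNEE not in (entry.get("assignees") or []):
        problems.append(f"{name}: pull requests are not assigned to {REQUIRED_ASSIGNEE}")
    if REQUIRED_LABEL not in (entry.get("labels") or []):
        problems.append(f"{name}: label '{REQUIRED_LABEL}' is not applied")
    # Without an `allow` list Dependabot updates every dependency, dev ones included,
    # so "ignore development dependencies" needs an explicit production-only allow list.
    allow = entry.get("allow") or []
    if not allow or any(a.get("dependency-type") != "production" for a in allow):
        problems.append(f"{name}: development dependencies are not excluded")
    return problems

def check_config(config: dict) -> list[str]:
    """Lint a whole parsed dependabot.yml; an empty list means it passes the policy."""
    if config.get("version") != 2:
        return ["config must declare version: 2"]
    updates = config.get("updates") or []
    if not updates:
        return ["config has no `updates` entries"]
    return [p for entry in updates for p in check_update_entry(entry)]

# Constructed samples: the customized pip entry from the output above, and the
# basic entry from the first scenario before the customizations were applied.
CUSTOMIZED = {"version": 2, "updates": [{
    "package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "weekly"},
    "open-pull-requests-limit": 5, "allow": [{"dependency-type": "production"}],
    "assignees": ["octocat-reviewers"],
    "labels": ["dependencies", "security-management", "python"]}]}
BASIC = {"version": 2, "updates": [{
    "package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "weekly"},
    "open-pull-requests-limit": 5, "allow": [{"dependency-type": "all"}],
    "labels": ["dependencies", "python"]}]}
```

Running check_config on the basic entry reports the three gaps the second scenario set out to fix (no assignee, no security-management label, development dependencies still allowed), while the customized entry passes cleanly.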