
Manage dependency updates

Copilot Chat can help you set up and streamline dependency updates using Dependabot.


Automate dependency updates

Example scenario

Suppose your project depends on a large number of libraries and packages. Vulnerable or outdated dependencies introduce security risks that can affect your project and any other projects that depend on it.

Copilot Chat can help you use Dependabot security and version updates to keep your dependencies on the most secure and up-to-date versions. See About Dependabot security updates and About Dependabot version updates.

Before you start, make sure Dependabot is fully enabled in your repository's Settings.

  1. Under your Code security settings, make sure both Dependabot alerts and Dependabot security updates are set to Enabled.
  2. Create and commit an empty .github/dependabot.yml file in your repository.

Example prompt

Make sure you have attached your repository to the prompt to provide context.

Copilot prompt
Analyze the codebase and project structure of this repository. Detect all package managers and package ecosystems in use, including their respective locations (e.g., npm, yarn, pip, maven, gradle, composer, github-actions, etc.).

For each detected ecosystem, create a configuration entry in a single, top-level .github/dependabot.yml file that enables security and version updates on a reasonable schedule. Use the recommended best practices for each ecosystem. Clearly specify the directory for each ecosystem detected. If multiple ecosystems or multiple directories are present, include them all in the configuration.

In the output, include any notes on the configuration or best practices, as well as next steps that include how to commit the dependabot.yml file to the repository via the GitHub web browser and how to check that Dependabot version updates and Dependabot security updates are enabled.

Example output

Copilot Chat analyzes your repository and writes the contents of a dependabot.yml configuration file for you. This file tells Dependabot which dependencies to scan.

version: 2
updates:
  # Python (pip)
  - package-ecosystem: "pip"
    directory: "/"                     # Location of requirements.txt
    schedule:
      interval: "weekly"               # Weekly updates are a good balance for libraries
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "all"
    commit-message:
      prefix: "pip"
    labels:
      - "dependencies"
      - "python"
    ignore:
      - dependency-name: "pip"         # Ignore pip self-updates

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"                     # Looks for workflow files under .github/workflows/
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "actions"
    labels:
      - "dependencies"
      - "github-actions"

Once you commit the dependabot.yml file to your repository, Dependabot starts opening pull requests against the repository whenever it detects vulnerable or outdated dependencies.

Customize dependency management

Example scenario

Suppose your team has been using a basic Dependabot configuration for several months and is receiving a large number of dependency update pull requests. However, you have noticed that:

  • Pull requests sit unreviewed because they are not automatically assigned to anyone.
  • You want pull requests to be added to your team's project board automatically via a label.
  • Your CI is overwhelmed by too many concurrent dependency pull requests.
  • You receive updates for development dependencies that have no impact on production.

You want to customize the Dependabot configuration to better fit your team's workflow, for example by automatically assigning pull requests to the right team members, adding pull requests to a project board via a label, limiting the number of open pull requests, and focusing only on production dependencies.

Copilot Chat can write an updated dependabot.yml that better matches your team's needs.

Example prompt

Copilot prompt
I want to customize my pull requests for Dependabot security and version updates, so that:

* Pull requests are automatically assigned to the team "octocat-reviewers."
* The label "security-management" is automatically added to every pull request.
* The number of open Dependabot PRs is limited.
* Development dependencies are ignored.

Draft an update to the dependabot.yml file in my repository that specifies these customization options.


Example output

version: 2
updates:
  # Python (pip)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "production"     # Ignore development dependencies
    assignees:
      - "octocat-reviewers"               # Assign PRs to the team
    labels:
      - "dependencies"
      - "security-management"             # Custom label for all PRs
      - "python"
    commit-message:
      prefix: "pip"
    ignore:
      - dependency-name: "pip"
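Before committing a generated dependabot.yml, it is worth checking it for the workflow problems described in both scenarios above. The following linter is an added example, not code from this page or from GitHub; it assumes the file has already been parsed into a dict (for example with PyYAML's yaml.safe_load) and uses only the dependabot.yml option names shown on this page. The sample config it ships with is constructed to mirror the customized output above.

```python
# Added example (not from the page or from GitHub): lint a parsed dependabot.yml
# for the issues this page describes: PRs with no assignee, no explicit open-PR
# limit (CI flooded), development dependencies still allowed, and ignore rules
# that silence every update for a dependency. Key names are dependabot.yml options.

def lint_update(entry):
    """Return findings (strings) for one item under `updates:`."""
    eco = entry.get("package-ecosystem", "<unknown ecosystem>")
    out = []
    for key in ("package-ecosystem", "directory", "schedule"):
        if key not in entry:
            out.append(f"{eco}: missing required key '{key}'")
    if "interval" not in (entry.get("schedule") or {}):
        out.append(f"{eco}: schedule.interval is not set")
    if "open-pull-requests-limit" not in entry:
        out.append(f"{eco}: no explicit open-pull-requests-limit; CI may be flooded")
    if not (entry.get("assignees") or entry.get("reviewers")):
        out.append(f"{eco}: no assignees or reviewers; PRs will sit unreviewed")
    # Only an allow list of exactly dependency-type "production" leaves dev deps out.
    if {a.get("dependency-type") for a in entry.get("allow", [])} != {"production"}:
        out.append(f"{eco}: development dependencies are included in updates")
    for rule in entry.get("ignore", []):
        if not (rule.get("versions") or rule.get("update-types")):
            name = rule.get("dependency-name")
            out.append(f"{eco}: ignore rule for '{name}' has no version/update-type "
                       "scope, so every update for it is skipped")
    return out

def lint_config(config):
    """Lint a whole parsed dependabot.yml; an empty list means no findings."""
    out = [] if config.get("version") == 2 else ["top-level 'version' must be 2"]
    for entry in config.get("updates") or []:
        out.extend(lint_update(entry))
    return out

# Constructed sample mirroring the customized output above (not a real repo file).
CUSTOMIZED = {"version": 2, "updates": [{
    "package-ecosystem": "pip", "directory": "/",
    "schedule": {"interval": "weekly"}, "open-pull-requests-limit": 5,
    "allow": [{"dependency-type": "production"}],
    "assignees": ["octocat-reviewers"], "labels": ["dependencies", "security-management"],
    "ignore": [{"dependency-name": "pip"}]}]}

if __name__ == "__main__":
    for finding in lint_config(CUSTOMIZED) or ["no findings"]:
        print(finding)
```

Run against the customized config, the only finding is the unscoped ignore rule for pip; run against the first config on this page it would also report the missing assignees and the allow list that includes development dependencies.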