
Add token to Dependabot config (#46160)

- use new `DEPENDABOT_NPM_TOKEN` token
- add a .yarnrc file enforcing our registry choice globally
  - might not be necessary now but will help if we add new `npm` projects
- remove submodule update configuration for release/3.1

nits:
- add explicit day and time for our weekly updates
- move submodule update configurations together
  - Monday is already the default, but stating it explicitly in the configuration takes fewer words than the previous comments did
Doug Bunting 3 years ago
parent
commit
e67e77d85e
2 changed files with 30 additions and 19 deletions
  1. 28 19
      .github/dependabot.yml
  2. 2 0
      .yarnrc

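--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,43 +1,52 @@
 version: 2
+registries:
+  azure.com:
+    token: ${{secrets.DEPENDABOT_NPM_TOKEN}}
+    type: npm-registry
+    url: https://pkgs.dev.azure.com/
+
 updates:
-  # Keep submodules up to date in 'main'.
-  - package-ecosystem: "gitsubmodule"
+  - package-ecosystem: npm
     directory: "/"
+    # Perform only security updates of our npm dependencies.
+    open-pull-requests-limit: 0
+    registries:
+    - azure.com
+    # Schedule should be ignored for security updates.
     schedule:
-      # Weekly interval opens PRs on Monday.
-      interval: "weekly"
-    allow:
-      - dependency-type: "all"
-    commit-message:
-      prefix: "[main] "
-      include: scope
-    labels:
-      - area-infrastructure
+      interval: monthly
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Weekly interval opens PRs on Monday.
+      day: monday
       interval: "weekly"
+      time: 05:00
+      timezone: "America/Los_Angeles"
     commit-message:
       prefix: "[main] "
       include: scope
     labels:
       - area-infrastructure
 
-  # Keep submodules up to date in 'release/*' branches. (Unfortunately Dependabot security PRs can't target these.)
-  # Monthly interval opens PRs on the first of each month.
+  # Keep submodules up to date in 'main'.
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
-      interval: "monthly"
+      day: monday
+      interval: "weekly"
+      time: 05:00
+      timezone: "America/Los_Angeles"
     allow:
       - dependency-type: "all"
     commit-message:
-      prefix: "[release/2.1] "
+      prefix: "[main] "
       include: scope
     labels:
       - area-infrastructure
-    target-branch: "release/2.1"
+
+  # Keep submodules up to date in 'release/*' branches. (Unfortunately Dependabot security PRs can't target these.)
+  # Monthly interval opens PRs on the first of each month.
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule:
@@ -45,11 +54,11 @@ updates:
     allow:
       - dependency-type: "all"
     commit-message:
-      prefix: "[release/3.1] "
+      prefix: "[release/2.1] "
       include: scope
     labels:
       - area-infrastructure
-    target-branch: "release/3.1"
+    target-branch: "release/2.1"
   - package-ecosystem: "gitsubmodule"
     directory: "/"
     schedule: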
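Review bot: The `azure.com` registry entry's `url` is the bare host `https://pkgs.dev.azure.com/`, whereas the `.yarnrc` added in this same commit pins one specific feed; Dependabot appears to match registries to package sources by URL prefix, so this entry attaches `DEPENDABOT_NPM_TOKEN` to any feed under that host rather than only the one the repo consumes. Narrow it to `url: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/` so the secret's scope is exactly the feed the lockfile resolves against. Separately, `time: 05:00` is unquoted in both new schedules; Dependabot's documented examples quote this value, and YAML 1.1 loaders such as Ruby's Psych read `05:00` as the base-60 integer 300, so write `time: "05:00"` in both places, matching the already-quoted `interval` and `timezone`. As a style point, the `registries:` list under the npm entry uses flush indentation (`- azure.com` level with its key) while every other sequence in the file is indented one level; indent it the same way.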
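--- a/.yarnrc
+++ b/.yarnrc
@@ -0,0 +1,2 @@
+# yarn lockfile v1
+registry "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/"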
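Review bot: The first line `# yarn lockfile v1` is the header yarn writes at the top of `yarn.lock`, not a `.yarnrc` comment; in `.yarnrc` it is inert but makes the file look like a lockfile to a reader, so replace it with a comment stating intent, e.g. `# Pin yarn v1 to the dotnet-public npm feed; keep in sync with the registry in .github/dependabot.yml`. Note also that `.yarnrc` is honoured by yarn v1 only: `npm install` (and yarn 2+, which reads `.yarnrc.yml`) will still resolve packages from the default public registry, so the "global" registry pin the description refers to does not cover projects driven by the `npm` CLI unless an equivalent `.npmrc` containing `registry=https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/` is added alongside it.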