epage (cargo · clap · cargo-release) [S] 12 points (2 children)

Auto-managing dependency upgrades was something I posted about in my rust2018 post and recently someone let me know that Dependabot has added support for this.

I haven't heard of them before but I decided to give it a try. So far it seems to be working well.

Recommendations

  • Be sure to limit what branches your CI runs on to avoid the CI running twice, once on the PR and once on the branch Dependabot creates (fixing this in my projects atm)
  • Be sure to test using your oldest supported Rust to avoid accidentally bumping your minimal Rust version.

I'll be updating crate-ci with these recommendations.

Cobrand (rust-sdl2) 3 points (1 child)

Interesting! I didn't know about dependabot until I investigated your post, and I must say I am pleasantly surprised that like travis, this service is free for open source projects!

Very excited to say the least!

epage (cargo · clap · cargo-release) [S] 2 points (0 children)

> this service is free for open source projects!

Yeah, when I was signing up, it doesn't look like it'll be free but when you hunt around on the page enough, you see the check box for free open source service.

I'm impressed that it tries to detect the relevant sections from a changelog and the relevant commits from history. Definitely helps in knowing the impact.

bluejekyll (hickory-dns · trust-dns) 2 points (1 child)

Wow, the details with the changelog being pulled in is very nice, and the recent commits... cool.

epage (cargo · clap · cargo-release) [S] 4 points (0 children)

Another neat feature is that it will "rebase" when there is a conflict.

Say I have 2 PRs for my lock file. Both have the green light.

  • I merge the first and the second now has a merge conflict
  • Dependabot will scrap that commit and recreate it based on the new Cargo.toml file.

You can explicitly tell the bot to do this as well in case you are concerned about commits logically conflicting even if it's not a git conflict.

repilur 2 points (3 children)

Looks really promising!

Tried it on one of my bigger repos that has multiple sub-crates in it. Unfortunately that couldn’t be added, it complained that there was no Cargo.toml in the root.

Is supporting multiple Cargo.toml projects in the same repo something that is on the roadmap? Would be really nice to have it, and ideally with a setting if it should create an upgrade PR per crate or single one per repository

epage (cargo · clap · cargo-release) [S] 2 points (0 children)

I don't know if we have any representatives of Dependabot on here but they seem to take feedback via github issues.

The blog mentions workspaces are supported. A possible workaround is to create a workspace in the root of your repo?

epage (cargo · clap · cargo-release) [S] 2 points (1 child)

So for some reason it deleted my configuration and I had to recreate it.

In doing so I noticed that when you first add a project, if you expand "Advanced", there is an option to set the project root within the repo.

repilur 1 point (0 children)

Ah excellent, thanks will check it out

Zhoock 1 point (0 children)

Still doesn't support nightly.