Automatically check for updates when browscap/browscap is released #189

Open
asgrim opened this issue Dec 1, 2021 · 0 comments
asgrim commented Dec 1, 2021

At the moment, Dependabot checks once a day, which is fine for normal dep updates. However, we want browscap/browscap releases to almost immediately trigger an update check here, so we can consume the new release.

It seems this isn't possible at the moment: dependabot/dependabot-core#3080 - if there was an API call available, @frankdejonge suggested:

If that is available on the GitHub API then you can create an action for it by using that base action which is just a JS hook

The URL it would call is https://github.com/browscap/browscap-site/network/updates?update_config_id=<some-id> - however, the POST payload seems to be some kind of number-used once called authenticity_token, so my guess is this isn't easily hackable (I mean, it probably is, but it'll likely be brittle).

A workaround was suggested on Twitter by @bendavies:

an awful workaround:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
"When you add or update the dependabot.yml file, this triggers an immediate check for version updates."

so on tagging package A, trigger a workflow that updates repo B dependabot.yml in some way.

Whilst it may help, it seems a bit of a hack.

The alternatives at the moment:

  • Wait up to 24 hours for Dependabot to pick up the release and send the PR
  • Manually click the "Check for updates" button

It's worth noting that we'd have to introduce some kind of wait / polling of the Packagist API, since the release does NOT become immediately available (either when Dependabot checks, or occasionally I've seen Heroku not pick up the new release even!), so there will always be some lag whilst Packagist caches update, which we need to account for in any automated processes.
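The wait / polling step described in the issue could look like the following. This is an added example, not code from the issue or the browscap project: it assumes the Packagist Composer v2 metadata endpoint (`https://repo.packagist.org/p2/<vendor>/<package>.json`), and the function names, retry settings and sample version numbers are hypothetical.

```python
import json
import time
import urllib.request

# Assumption: Packagist's Composer v2 metadata endpoint for a package.
PACKAGIST_URL = "https://repo.packagist.org/p2/{package}.json"


def fetch_metadata(package):
    """Fetch the package metadata document from Packagist."""
    url = PACKAGIST_URL.format(package=package)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def has_version(metadata, package, wanted):
    """True if the metadata lists `wanted`, ignoring a leading 'v' on either side."""
    wanted = wanted.lstrip("vV")
    entries = metadata.get("packages", {}).get(package, [])
    return any(str(e.get("version", "")).lstrip("vV") == wanted for e in entries)


def wait_for_release(package, wanted, fetch=fetch_metadata, sleep=time.sleep,
                     attempts=10, delay=30.0, max_delay=300.0):
    """Poll until `wanted` is visible. Returns the attempt number, or None on timeout."""
    for attempt in range(1, attempts + 1):
        try:
            if has_version(fetch(package), package, wanted):
                return attempt
        except (OSError, ValueError):
            pass  # transient network or JSON failure: treat as "not visible yet"
        if attempt < attempts:
            sleep(delay)
            delay = min(delay * 2, max_delay)  # back off while caches catch up
    return None  # caller should fail the job rather than trigger an update check


if __name__ == "__main__":
    # Constructed sample responses: the tag is absent on the first poll, present on the second.
    stale = {"packages": {"browscap/browscap": [{"version": "0.0.1"}]}}
    fresh = {"packages": {"browscap/browscap": [{"version": "0.0.2"}, {"version": "0.0.1"}]}}
    responses = iter([stale, fresh])
    print(wait_for_release("browscap/browscap", "v0.0.2",
                           fetch=lambda p: next(responses), sleep=lambda s: None))
```

Returning `None` on timeout lets the calling workflow stop instead of triggering an update check against metadata that does not yet contain the release.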
