зеркало из https://github.com/github/docs.git
Dependabot private repo support (#16458)
* Update topics for Dependabot private repo support * Fix typo * Undo VS Code's auto-numbering * Fix broken anchor * Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> * Update content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> * Update content/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization.md Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> * Updated to put supported package managers in table Alex suggested moving this information about which package managers are not supported (bundler, hex, pip) into the table on the About topic, rather than as text in the note box. This changes does that, adding a new row to the table for hex (as discussed with Alex). * Remove redundant image Review comment asked for the line about filtering repos to be removed. With that line gone there's no point showing the s/shot of a filtered list. * Updates for revised UI As per comments from @thepwagner * Make changes requested by Maya Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
This commit is contained in:
hubwriter
GitHub
Родитель
d2ef480e57
Коммит
c4914d70df
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 87 KiB |
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 85 KiB |
|
|
@ -33,14 +33,14 @@ If you've enabled security updates, you'll sometimes see extra pull requests for
|
|||
|
||||
### Supported repositories and ecosystems
|
||||
|
||||
You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#vendor)."
|
||||
|
||||
{% note %}
|
||||
|
||||
{% data reusables.dependabot.private-dependencies %}
|
||||
{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. See the details in the table below.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#vendor)."
|
||||
|
||||
{% data reusables.dependabot.supported-package-managers %}
|
||||
|
||||
If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. For more information, see "[About integrations](/github/customizing-your-github-workflow/about-integrations)."
|
||||
|
|
|
|||
|
|
@ -308,7 +308,8 @@ updates:
|
|||
|
||||
{% note %}
|
||||
|
||||
**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot#supported-repositories-and-ecosystems)."
|
||||
**Note**: {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-repositories)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files)."
|
||||
|
||||
|
||||
{% endnote %}
|
||||
|
||||
|
|
|
|||
|
|
@ -14,14 +14,10 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
|
|||
|
||||
{% data reusables.dependabot.initial-updates %} For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)."
|
||||
|
||||
{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see "[About Dependabot version updates](/github/administering-a-repository/about-dependabot-version-updates#supported-repositories-and-ecosystems)."
|
||||
|
||||
### Enabling {% data variables.product.prodname_dependabot_version_updates %}
|
||||
|
||||
{% note %}
|
||||
|
||||
{% data reusables.dependabot.private-dependencies %}
|
||||
|
||||
{% endnote %}
|
||||
|
||||
{% data reusables.dependabot.create-dependabot-yml %}
|
||||
1. Use `package-ecosystem` to specify the package managers to monitor.
|
||||
1. For each package manager, use:
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ versions:
|
|||
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
|
||||
{% endif %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)."
|
||||
{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added)."
|
||||
{% endif %}
|
||||
|
||||
{% if enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21" %}
|
||||
|
|
|
|||
|
|
@ -76,6 +76,12 @@ There are separate limits for security and version update pull requests, so that
|
|||
|
||||
The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
|
||||
|
||||
#### {% data variables.product.prodname_dependabot %} can't resolve your dependency files
|
||||
|
||||
**Version updates only.** If {% data variables.product.prodname_dependabot %} attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, you will see the error message "{% data variables.product.prodname_dependabot %} can't resolve your LANGUAGE dependency files".
|
||||
|
||||
{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see "[About Dependabot version updates](/github/administering-a-repository/about-dependabot-version-updates#supported-repositories-and-ecosystems)."
|
||||
|
||||
### Triggering a {% data variables.product.prodname_dependabot %} pull request manually
|
||||
|
||||
If you unblock {% data variables.product.prodname_dependabot %}, you can manually trigger a fresh attempt to create a pull request.
|
||||
|
|
|
|||
|
|
@ -9,34 +9,47 @@ versions:
|
|||
### About management of security and analysis settings
|
||||
|
||||
{% data variables.product.prodname_dotcom %} can help secure the repositories in your organization. You can manage the security and analysis features for all existing or new repositories that members create in your organization.
|
||||
|
||||
{% data reusables.security.some-security-and-analysis-features-are-enabled-by-default %}
|
||||
{% data reusables.security.security-and-analysis-features-enable-read-only %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}{% data reusables.security.security-and-analysis-features-enable-read-only %}
|
||||
{% endif %}
|
||||
|
||||
### Enabling or disabling features for existing repositories
|
||||
### Displaying the security and analysis settings
|
||||
|
||||
{% data reusables.profile.access_profile %}
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.organizations.org_settings %}
|
||||
{% data reusables.organizations.security-and-analysis %}
|
||||
5. Under "Configure security and analysis features", to the right of the feature, click **Disable all** or **Enable all**.
|
||||
|
||||
The page that's displayed allows you to enable or disable security and analysis features for the repositories in your organization.
|
||||
|
||||
### Enabling or disabling a feature for all existing repositories
|
||||
|
||||
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
|
||||
1. Under "Configure security and analysis features", to the right of the feature, click **Disable all** or **Enable all**.
|
||||
|
||||
6. Optionally, enable the feature by default for new repositories in your organization.
|
||||
1. Optionally, enable the feature by default for new repositories in your organization.
|
||||
|
||||
7. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories in your organization.
|
||||
1. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories in your organization.
|
||||
|
||||
|
||||
### Enabling or disabling features for new repositories
|
||||
### Enabling or disabling a feature for all new repositories when they are added
|
||||
|
||||
{% data reusables.profile.access_profile %}
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.organizations.org_settings %}
|
||||
{% data reusables.organizations.security-and-analysis %}
|
||||
5. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories in your organization.
|
||||
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
|
||||
1. Under "Configure security and analysis features", to the right of the feature, enable or disable the feature by default for new repositories in your organization.
|
||||
|
||||
|
||||
### Allowing Dependabot to access private repositories
|
||||
|
||||
{% data variables.product.prodname_dependabot %} can check for outdated dependency references in a project and automatically generate a pull request to update them. To do this, {% data variables.product.prodname_dependabot %} must have access to the targeted dependency files. By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private repositories. However, if a dependency is in a private {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository. For more information, including details of limitations to private dependency support, see "[About Dependabot version updates](/github/administering-a-repository/about-dependabot-version-updates)."
|
||||
|
||||
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
|
||||
1. In the "{% data variables.product.prodname_dependabot %} repository access" section, click the settings button **{% octicon "gear" aria-label="The Gear icon" %}**.
|
||||
|
||||
A list is displayed showing all of the private repositories in your organization.
|
||||
|
||||
1. Select the repositories that {% data variables.product.prodname_dependabot %} can access.
|
||||
1. Click **Select repositories**.
|
||||
|
||||
|
||||
### Further reading
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}- "[About securing your repository](/github/administering-a-repository/about-securing-your-repository)"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,3 @@
|
|||
When running version updates, {% data variables.product.prodname_dependabot %} must be able to resolve all dependencies from their source to verify that version updates have been successful. If your manifest or lock files contain any dependencies hosted in private {% data variables.product.prodname_dotcom %} repositories within your organization, {% data variables.product.prodname_dependabot %} must be able to access those repositories. Organization owners can configure this. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-repositories)."
|
||||
|
||||
Currently, {% data variables.product.prodname_dependabot %} version updates doesn't support manifest or lock files that contain any dependencies hosted in private registries, or in private {% data variables.product.prodname_dotcom %} repositories that belong to a different organization than the dependent project.
|
||||
|
|
@ -1,20 +1,23 @@
|
|||
Package manager | Supports vendoring
|
||||
--- | :---:
|
||||
Bundler: `bundler` | **X**
|
||||
Cargo: `cargo` |
|
||||
Composer: `composer` |
|
||||
Docker: `docker` |
|
||||
Elm: `elm` |
|
||||
git submodule: `gitsubmodule` |
|
||||
GitHub Actions: `github-actions` |
|
||||
Go modules: `gomod` | **X**
|
||||
Gradle: `gradle` |
|
||||
Maven: `maven` |
|
||||
Mix: `mix` |
|
||||
npm: `npm` |
|
||||
NuGet: `nuget` |
|
||||
pip: `pip` |
|
||||
Terraform: `terraform` |
|
||||
The following table shows, for each package manager, whether {% data variables.product.prodname_dependabot %} supports: dependencies in private {% data variables.product.prodname_dotcom %} repositories, and vendored dependencies.
|
||||
|
||||
Package manager | Private {% data variables.product.prodname_dotcom %} repositories | Vendoring
|
||||
--- | :---:| :---:
|
||||
Bundler: `bundler` | | **✓** |
|
||||
Cargo: `cargo` | **✓** | |
|
||||
Composer: `composer` | **✓** | |
|
||||
Docker: `docker` | **✓** | |
|
||||
Elixir: `hex` | | |
|
||||
Elm: `elm` | **✓** | |
|
||||
git submodule: `gitsubmodule` | **✓** | |
|
||||
GitHub Actions: `github-actions` | **✓** | |
|
||||
Go modules: `gomod` | **✓** | **✓** |
|
||||
Gradle: `gradle` | **✓** | |
|
||||
Maven: `maven` | **✓** | |
|
||||
Mix: `mix` | **✓** | |
|
||||
npm: `npm` | **✓** | |
|
||||
NuGet: `nuget` | **✓** | |
|
||||
pip: `pip` | | |
|
||||
Terraform: `terraform` | **✓** | |
|
||||
|
||||
{% note %}
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче