dependabot-linguist

Use linguist to check the contents of a local repository, and then scan for dependabot-core ecosystems relevant to those languages! With the list of ecosystems present in a repository, add a dependabot.y[a]ml (configuration file).

Getting Started

Linguist dependencies;

Before installing this gem, which will install the github-linguist gem, linguists dependencies should be installed. A number of these are enabling rugged, so they can’t be “ignored” like dependabot’s setup, which can be ignored for the purpose of this gem, which only intends to use the file fetchers.

sudo apt-get install build-essential cmake pkg-config libicu-dev zlib1g-dev libcurl4-openssl-dev libssl-dev ruby-dev

Dependabot dependencies;

The npm/yarn module requires {corepack}, so it will be necessary to install, either with npm or yarn. Ensuring you have the right version of corepack is important. Your best bet is to ensure you have the latest version.

nvm install 22 && nvm use 22 && npm i -g corepack@latest
# you'll need to `nvm use 22` to load that node before running this gem

Install this

To install the latest from RubyGems;

gem install dependabot-linguist

Or to install from GitHub’s hosted gems;

gem install dependabot-linguist --source "https://rubygems.pkg.github.com/skenvy"

Or add to the Gemfile

Add the RubyGems hosted gem with bundler;

bundle add dependabot-linguist

Or add the following line to your Gemfile manually

gem "dependabot-linguist", ">= 0.303.0

Add the GitHub hosted gem;

source "https://rubygems.pkg.github.com/skenvy" do
  gem "dependabot-linguist", ">= 0.303.0"
end

Setup external CLIs

If you intend to use ::Dependabot::Linguist::DependabotFileValidator.commit_new_config, you’ll need to also setup the {gh} CLI. You can follow instructions on cli/cli to install it, which for the intended use case should be this guide. Once you’ve installed it, you’ll need to log in prior to running this script, as the credentials are expected to already be in place.

It also expects git to be installed and credentialed, for pushing the branch.

Usage

The two main classes this provides, ::Dependabot::Linguist::Repository and ::Dependabot::Linguist::DependabotFileValidator, can be utilised independently, although the intention is that they be utilised together; to discover the contents of a repository that should be watched with a dependabot file by Repository, and subsequently using DependabotFileValidator to edit an existing, or add a new, dependabot file to watch the directories that were validated earlier. There is also a CLI tool, dependabot-linguist, that wraps these classes and surfaces all the available options to them, although adding automated tests for the executable is still a TODO.

The intended end goal is to use this to automatically raise a PR on GitHub with the recommended changes to the ~/.github/dependabot.y[a]ml file. This is performed by ::Dependabot::Linguist::DependabotFileValidator.commit_new_config, which utilises Ruby’s Kernel to run commands in an external shell that perform actions using the gh cli, and git. If you intend to use these you’ll want to follow Setup external CLIs.

Use the classes in a ruby script, with defaults 

require "dependabot/linguist"
# Get the list of directories validated for each ecosystem.
@repo_path = "." # "here"
@repo_name = "Skenvy/dependabot-linguist" # If it were evaluating this repo!
@this_repo = ::Dependabot::Linguist::Repository.new(@repo_path, @repo_name)
@this_repo.directories_per_ecosystem_validated_by_dependabot
# Use this list to see what the recommended update to the existing (or add new) config is.
@validator = ::Dependabot::Linguist::DependabotFileValidator.new(repo_path)
@validator.load_ecosystem_directories(incoming: @this_repo.directories_per_ecosystem_validated_by_dependabot)
@validator.new_config
# If you trust it to write the new config;
@validator.write_new_config
# If you have git, and the gh cli tool installed and configured, and trust this
# tool to handle branching, commiting, pushing, and raising a pull request;
@validator.commit_new_config

Use the CLI

If you installed this with bundler, you’ll need to preface these with bundle exec.

# With no flags, it'll run "here", and print out the recommended new config.
dependabot-linguist
# With -w, it'll write the file. You can also specify a path.
dependabot-linguist ../../some/other/repo -w
# With -x, you'll be trusting it to raise a pull request of the recommended config.
# You can also specify a name, which will be required if there isn't a "origin" remote.
dependabot-linguist ../../some/other/repo Username/Reponame -x

Configure

A yaml config file can be placed at ~/.github/.dependabot-linguist. See this example. Although it’s a dotfile, it’ll be read by rugged, so for it to be utilised it should be checked in. The options available to this configuration file currently are;

ignore

The below options, directory and ecosystem are not mutually exclusive, and can be mixed, according to what top level catagorisation requires less verbose configuration, if you want to ignore many directories for one or two ecosystems, or many ecosystems for one or two directories!

directory

To ignore some ecosystems per directory, you can add

ignore:
  directory:
    /path/to/somewhere:
    - some_ecosystem
ecosystem

To ignore some directories per ecosystem, you can add

ignore:
  ecosystem:
    some_other_ecosystem:
    - /path/to/somewhere_else

RDoc generated docs

Developing

Install Ruby

You will need to install rvm and one of its ruby binaries.

You’ll also need to set the RVM_DIR in your shell profile e.g. like this. RVM will set some basic initialisation in your shell profile, but changing what it sets to instead use RVM_DIR like this allows you to install it somewhere other than the default.

The make setup in first time setup will install the intended development version for you, but it might not be a precompiled binary, depending on your OS and architecture ~ if it isn’t precompiled, contributing your time in compiling to publish the binary for rvm is probably more worth your time than this lol.

RVM is locally how we manage proctoring the ruby environment. It is not on the github runners, so the make invocations in the workflows set the RVM proctors empty. If you want to manage your own ruby installs you can set _='' on each make ....

You should also read the requirements for the gems this uses, see Linguist dependencies and Dependabot dependencies. Linguist‘s can be acquired with make preinit done once.

Install Corepack

Dependabot dependencies are managed in this project via {nvm}, so corepack can be loaded into every subshell the Makefile spawns. If you don’t want to install nvm but would rather manage your own corepack install, set __='' on each make ....

For the currently targetted version of dependabot that this is using, the existing reference versions of corepack are; * bun/Dockerfile * npm_and_yarn/Dockerfile

Both currently (as of writing) set their corepack version to 0.31.0. However, it’s possible for the changes in versions in corepack to outstrip the rate of changes of this gem, so don’t rely on this to determine what the most suitable version of corepack is.

[!CAUTION] make setup / initialise / initialise_corepack will install to your global node. If you’re using the recommended nvm then each node install can be treated eseentially ephemeral. If you aren’t using nvm, this might hijack your global corepack install.

The first time setup

If you have rvm and nvm installed and you have apt, you should be able to;

git clone https://github.com/Skenvy/dependabot-linguist.git && cd dependabot-linguist && make preinit && make setup

Iterative development

The majority of make recipes for this are just wrapping a bundle invocation of rake. * make docs will recreate the RDoc docs * make test will run the RSpec tests. * make lint will run the RuboCop linter.