Description
Firstly, Dependabot is a great thing to have available, so thank you!
I followed the steps outlined in this article, except that I changed packages.config to *.csproj so that it would pick up both PackageReference and packages.config references.
I used a test repo with new .NET Framework and .NET Core web projects, each with a NuGet reference to HtmlSanitizer v4.0.217.
The output from the dependabot stage of the Azure DevOps pipeline was:
Starting: run dependabot
==============================================================================
Task : Bash
Description : Run a Bash script on macOS, Linux, or Windows
Version : 3.182.0
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
==============================================================================
Generating script.
Formatted command: exec bash '/home/vsts/work/1/s/dependabot-devops.sh'
========================== Starting Command Output ===========================
/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/7faa9aaa-7931-4c01-a0bb-38746bfcf83c.sh
org: xxxxxxxxxxxxxx/
project: xxxxxx
repo: Test-xxxxxx
path: xxxxxxxxxxxx/xxx/_git/Test-xxxxx
Found 2 dependency file(s).
directory: /DependabotTestNetFramework
---[ Starting dependabot run: ./DependabotTestNetFramework/DependabotTestNetFramework.csproj ]---
Fetching nuget dependency files for xxxxxxxxx/xxxx/_git/Test-xxxxxx
Parsing dependencies information
- Updating AngleSharp (from 0.9.11)… submitted
- Updating HtmlSanitizer (from 4.0.217)… submitted
- Updating Microsoft.CodeDom.Providers.DotNetCompilerPlatform (from 2.0.1)… submitted
- Done
---[ Finished dependabot run ]---
directory: /DeendabotTestNetCore
---[ Starting dependabot run: ./DeendabotTestNetCore/DependabotTestNetCore.csproj ]---
Fetching nuget dependency files for xxxxxxxxxxxx/xxxx/_git/Test-xxxxx
Parsing dependencies information
- Updating HtmlSanitizer (from 4.0.217)… submitted
- Done
---[ Finished dependabot run ]---
Finishing: run dependabot
Notice it says "submitted" after each update. In fact what happened is it created the new branch but not the pull request.
The failure to create a pull request is a separate issue, but it's one I have been unable to debug due to the lack of feedback from Dependabot. This issue is about the report of "submitted" when in fact it failed. Looking at azure.rb in the dependabot-core repo, on line 214 it raises an error if any POST request to the Azure DevOps API returns 404, but as far as I can see (with no knowledge of Ruby) it's not raising any error for any other 4xx or 5xx response.
It would be more helpful if it could throw an error for any API response not in the 2xx range, so that that error was displayed by STDOUT. Or a --verbose switch that would log all the API requests and responses would be another useful approach.