Control scope of recursion when validating Dependabot configuration files
The project infrastructure validates the Dependabot configuration files against their JSON schema. In addition to the
repository's own Dependabot configuration file at the standard location, a reusable standardized "asset" configuration
file for GitHub Actions workflows is hosted in the repository. There is a need to eventually add additional "asset"
files to configure Dependabot for other dependency management frameworks.
Previously, in order to provide validation coverage for all the dependabot.yml files in the repository, a "globstar" was
used to cause the validator to recursively search the entire file tree under the repository. That approach is
problematic because the repository contains externally maintained files (e.g., the npm packages under the node_modules
folder). Searching and validating these files is inefficient at best and the cause of spurious failures at worst.
This is avoided by targeting the search. In order to support the addition of more "asset" Dependabot configuration files
in the future, a globstar is still used, but the recursion is limited to the folder dedicated as a container for those
files, which will never lead to unintended files being validated.
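
The difference between the whole-tree globstar and the targeted patterns described in the commit message, as an added example that is not code from this repository. The folder name `assets/`, the sample file contents and the `version: 2` stand-in check (used here in place of real JSON schema validation) are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Constructed repository layout. "assets/" is a hypothetical name for the
# dedicated container folder; the commit message does not give its real path.
V2 = "version: 2\nupdates: []\n"
SAMPLE_TREE = {
    ".github/dependabot.yml": V2,
    "assets/github-actions/dependabot.yml": V2,
    # Third-party file shipped inside an npm package, in a format the
    # repository's schema does not accept.
    "node_modules/some-pkg/.github/dependabot.yml": "version: 1\nupdate_configs: []\n",
}

BROAD = ["**/dependabot.yml"]  # recurses through the whole tree
SCOPED = [".github/dependabot.yml", "assets/**/dependabot.yml"]  # targeted


def select(root, patterns):
    """Return the sorted relative paths matched by the glob patterns."""
    hits = {p.relative_to(root).as_posix() for pat in patterns for p in root.glob(pat)}
    return sorted(hits)


def passes_stand_in_check(path):
    """Stand-in for JSON schema validation: require the 'version: 2' key."""
    return "version: 2" in path.read_text().splitlines()


def run(patterns):
    """Build the sample tree, then return (selected files, failing files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        selected = select(root, patterns)
        failing = [rel for rel in selected if not passes_stand_in_check(root / rel)]
        return selected, failing


if __name__ == "__main__":
    for name, patterns in (("broad", BROAD), ("scoped", SCOPED)):
        selected, failing = run(patterns)
        print(name, "selected:", selected, "failing:", failing)
```

With the scoped patterns, a new configuration file placed anywhere under the container folder is still picked up, while nothing under `node_modules` is ever read.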