Gradle project dependencies
Today I would like to tell you about a convenient tool for automating Gradle dependency updates called Dependabot. It feels like this tool has been overlooked in the Android community, so I would like to fill this gap. I started to use Dependabot a few months ago and tried different versions of it, so this article is based on personal experience.
Whether you develop a feature-rich application or just a small library, it is very likely that your project has many dependencies. While it is good practice to regularly check these dependencies for updates, developers don't always have time for it. The longer updates are skipped, the more time they cost later, and the longer a dependency with a known vulnerability stays in the build.
This is where Dependabot comes to the rescue!
What is Dependabot?
Dependabot appeared a few years ago as a standalone app on the GitHub Marketplace called Dependabot Preview. It has one purpose: keep projects up to date and secure.
Initially there was no support for Gradle projects, but in 2018 a feature request for it appeared in the Dependabot repository. A few months later, Gradle support arrived in alpha (it is still in beta as of today).
However, this significant change did not get much attention, probably due to the lack of coverage and to the fact that Dependabot wasn't free at the time. While the coverage question remains, the pricing problem is gone: last year GitHub acquired Dependabot and made it free of charge for GitHub users.
After the acquisition, GitHub decided to turn Dependabot into a native, built-in feature. As a result, today there are two versions of Dependabot: the Dependabot Preview app from the Marketplace and the native Dependabot. Both have the same functionality but different setup and configuration processes.
What can it do?
Dependabot can do the following:
- Check for updates of Gradle dependencies, including plugins in Android projects, and open PRs with such updates.
- Check for updates of the Actions used in project workflows, if you use GitHub Actions for CI, and open PRs with such updates. This matters from a supply-chain point of view as well: an Action referenced in a workflow is third-party code that runs with access to the repository, so it deserves the same update discipline as a library.
Any drawbacks?
Before adding Dependabot to a repository, I would like to mention some drawbacks which might influence the decision on whether to use it.
Since Dependabot and its Gradle support are still in beta, there are some imperfections. So far I have found three issues, and I think they are quite significant:
- No support for projects with Kotlin DSL Gradle files (build.gradle.kts). There is an issue in the official repo, but it seems quite far from resolution as of July 2020.
- Sometimes Dependabot suggests non-stable versions of dependencies. Here is one such PR with a -dev version suggested. Unfortunately, there is no option to configure which versions to pick in Gradle projects, and no way to do so for other ecosystems either when the GitHub-integrated Dependabot is used. There is an issue open for this problem, too. Such PRs are best closed in review rather than merged: a -dev or -alpha build has not been through a stable release and may change APIs under you.
- For the native Dependabot app there seems to be an issue with running on the specified schedule, while the Dependabot Preview app works fine. In particular, since the migration to the native app more than two weeks ago I haven't seen new PRs with updates, while in the fork repository Dependabot Preview recently opened two new PRs.
The ambiguity of setting up Dependabot might also be considered an issue, because there are currently two different ways to set it up in a repository.
How to add Dependabot to an Android project?
To set up Dependabot you can either install the Dependabot Preview app from the GitHub Marketplace or enable the native GitHub Dependabot. No changes to app/library code, build files, etc. are needed.
Since the acquisition by GitHub, the Dependabot Preview app is slowly being superseded by the native app, and using the native app is now the recommended way.
However, the Dependabot Preview app provides a better user experience with its UI and has fewer issues. Also, the Preview app helps with migration to the native app with just a few clicks.
Based on these facts, I suggest starting with the Dependabot Preview app instead of going native right away.
Despite my recommendation above, I would like to show both the Dependabot Preview and the native app experience during the first setup.
1. Installing Dependabot
Dependabot Preview app
The app is available on the GitHub Marketplace and should be installed from there: https://github.com/marketplace/dependabot-preview
Just select the required repositories, provide read access via a few dialogs, and that is it. Grant it only to the repositories that need it: like any GitHub App, it keeps the repository access you give it in this dialog until you revoke it. After the Preview app is installed, it will start checking for updates and creating PRs right away.
Dependabot native app
The native app needs no installation or permissions management.
Go to the repository settings, open the Security & analysis section and click Enable on both Dependabot alerts and Dependabot security updates.
No further actions are required for the native app. However, version updates won't run until a configuration file is added to the repository.
2. Configure updates
Dependabot Preview app
There is no need for special configuration of the Preview app, since it works right after installation. However, customization is possible in the Preview app UI.
Dependabot native app
In contrast, the native app requires creating a config file named dependabot.yml. This file should be placed in the .github folder at the root of the repository.
This is where the advantage of starting with Dependabot Preview shows: if you need to migrate to the native app, there is a handy way to generate such a config file via the app UI.
After clicking on Create config file you will see a dialog suggesting to create a PR with the configuration file. If there were no customizations in the Preview app, this configuration will have only the basic required options.
Otherwise, when Dependabot is added for the first time, such a config file has to be written manually. There is a pretty detailed official doc with all available options.
Don't forget that this config file must be valid YAML. I suggest running it through a validator (the yamllint command-line tool locally, or http://www.yamllint.com/) before adding the config to the repo.
To get started faster, here is the basic config file that is generated when migrating from the Dependabot Preview app:
```yaml
version: 2
updates:
  - package-ecosystem: gradle
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 10
```
Only three options are required in the config to run the native Dependabot app:
- package-ecosystem: the type of updates required. For Android Gradle projects it is gradle.
- directory: the location of the manifest files or, in the case of Gradle projects, the location of the build.gradle files, relative to the repository root.
- schedule: how often the check for updates should happen.
After merging the config file, PRs with suggested dependency updates should appear. Most PRs will have expandable release notes and commit info for the updated dependency; they are worth reading before merging, since the merged update reaches every build of the project.
Note that there is also a compatibility badge in such PRs. It should show a percentage based on how many similar PRs passed CI checks in other repositories with this dependency. Interestingly though, the native app shows unknown for all updates, while Dependabot Preview shows an actual percentage.
Advanced configuration
The basic configuration suggested above might not be enough, so I will show the more advanced config I use in the Chucker library to fit the workflow better.
Here is the config itself:
```yaml
version: 2
updates:
  # Updates for GitHub Actions used in the repo
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  # Updates for Gradle dependencies used in the app
  - package-ecosystem: gradle
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "cortinico"
      - "vbuberen"
    ignore:
      - dependency-name: com.squareup.okhttp3:logging-interceptor
        versions: "> 3.12.10"
      - dependency-name: com.squareup.okhttp3:mockwebserver
        versions: "> 3.12.10"
      - dependency-name: com.squareup.okhttp3:okhttp
        versions: "> 3.12.10"
      - dependency-name: com.squareup.retrofit2:retrofit
        versions: "> 2.6.4"
```
Let's take a closer look at this config. It consists of two blocks: updates for GitHub Actions (the first package-ecosystem entry) and updates for project dependencies (the second, gradle, entry).
The GitHub Actions block has just the set of required options and specifies the type of updates needed with the package-ecosystem: github-actions option.
In contrast, the block for project dependencies is more interesting.
- reviewers specifies people to add as reviewers of the opened PRs. It is also possible to add assignees if PRs need to be assigned.
- ignore specifies dependencies which Dependabot should ignore. In this particular case we ignore OkHttp and Retrofit updates, because Chucker still supports pre-Lollipop Android versions. The opposite of this option is allow, which lists only the dependencies (by name or type) that should be updated.
Mind the semantics of the range: "> 3.12.10" excludes every version above the one in use, including later 3.12.x patch releases, so a rule written this way also hides patch releases that may carry security fixes and should be revisited regularly. If the goal is only to stay off the newer release lines, start the range at the first version you cannot take (for example ">= 3.13.0" if 3.13 is that version) rather than at the version you currently use.
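To make the range semantics concrete, here is an added example (my own illustration, not Dependabot's code) that models how an ignore entry like the ones above filters candidate versions, and adds the stable-only filter that the Gradle ecosystem could not be configured for in July 2020 (the -dev PR from the drawbacks section). The version ordering is a simplified numeric-plus-qualifier scheme and the list of available versions is constructed, not real OkHttp release data; Dependabot's real Gradle comparison follows Maven's rules and differs in corner cases.

```python
"""Model of dependabot.yml `ignore` version ranges plus a pre-release filter.

Added example, not Dependabot's own code. The ordering below (numeric parts,
then pre-release before final release) is an assumption that is good enough for
the versions on this page; Maven qualifier ordering differs in corner cases.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Sequence, Tuple

PRERELEASE_MARKERS = ("dev", "alpha", "beta", "rc", "snapshot", "milestone", "preview")
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][A-Za-z0-9.]*))?")
_CLAUSE_RE = re.compile(r"\s*(>=|<=|!=|>|<|=)?\s*(\S+)\s*")
_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split '3.12.10' or '4.9.0-dev' into numeric parts and an optional qualifier."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in match.group(1).split(".")), match.group(2)


def is_prerelease(qualifier: Optional[str]) -> bool:
    """'-dev', '-alpha01', '-rc2', ... are pre-releases; 'RELEASE' or 'Final' are not."""
    return qualifier is not None and qualifier.lower().startswith(PRERELEASE_MARKERS)


def version_key(text: str):
    """Sort key: numeric parts (trailing zeros dropped, so 3.12 == 3.12.0),
    then pre-release (0) before final (1), then the qualifier text."""
    numbers, qualifier = parse_version(text)
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers = numbers[:-1]
    return numbers, 0 if is_prerelease(qualifier) else 1, (qualifier or "").lower()


def matches_range(version: str, requirement: str) -> bool:
    """True when `version` satisfies every comma-separated clause of `requirement`,
    e.g. '> 3.12.10' or '>= 4.0.0, < 5'. A bare version means equality."""
    key = version_key(version)
    for clause in requirement.split(","):
        match = _CLAUSE_RE.fullmatch(clause)
        if not match:
            raise ValueError(f"bad requirement clause: {clause!r}")
        op, bound = match.group(1) or "=", match.group(2)
        if not _OPS[op](key, version_key(bound)):
            return False
    return True


def select_update(dependency: str, current: str, available: Sequence[str],
                  ignore: Sequence[Dict[str, object]],
                  allow_prerelease: bool = False) -> Optional[str]:
    """Newest version above `current` that no matching ignore rule blocks, or None.

    `ignore` has the shape of the dependabot.yml `ignore` list: mappings with
    `dependency-name` (wildcards allowed) and `versions` (a string or a list)."""
    rules: List[str] = []
    for rule in ignore:
        if fnmatchcase(dependency, str(rule["dependency-name"])):
            versions = rule.get("versions", [])
            rules.extend([versions] if isinstance(versions, str) else list(versions))
    current_key = version_key(current)
    candidates = [
        v for v in available
        if version_key(v) > current_key
        and (allow_prerelease or not is_prerelease(parse_version(v)[1]))
        and not any(matches_range(v, r) for r in rules)
    ]
    return max(candidates, key=version_key) if candidates else None


# Constructed sample index (not real release data) and two ignore lists:
# the rule as written on this page, and one that blocks only the newer lines.
OKHTTP = "com.squareup.okhttp3:okhttp"
AVAILABLE = ["3.12.10", "3.12.11", "3.12.12", "3.14.9", "4.8.0", "4.8.1", "4.9.0-dev"]
IGNORE_AS_WRITTEN = [{"dependency-name": OKHTTP, "versions": "> 3.12.10"}]
IGNORE_NEWER_LINES = [{"dependency-name": "com.squareup.okhttp3:*", "versions": ">= 3.13.0"}]

if __name__ == "__main__":
    for label, rules in [("as written", IGNORE_AS_WRITTEN),
                         ("line cutoff", IGNORE_NEWER_LINES), ("no ignore", [])]:
        print(f"{label:12}: {select_update(OKHTTP, '3.12.10', AVAILABLE, rules)}")
    print("pre-releases allowed:", select_update(OKHTTP, "3.12.10", AVAILABLE, [], allow_prerelease=True))
```

With the rule as written nothing is ever proposed (every version above 3.12.10 matches the range); with the cutoff rule the 3.12.x patch releases still come through while 3.13+ is skipped; and with no rule the -dev build is dropped unless pre-releases are explicitly allowed.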
Initially I wanted to add the milestone option to automatically add each PR to a specific milestone. Unfortunately, it is not very self-explanatory, because the milestone option doesn't accept milestone labels but the numeric identifier assigned by GitHub. In my particular case the milestone had the label 3.3.0 and it would be logical to use this value in the config file, but I could only use 9, as it was the id of that milestone (check the number in the milestone's link).
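Since the config has to be valid YAML with the three required options, and since the milestone value is a bare number that is easy to get wrong, here is an added example (not part of the article and not GitHub's tooling) of a pre-commit check for a parsed dependabot.yml, together with a lookup of the milestone id from the list the GitHub REST API returns for a repository's milestones. The config dict mirrors the Chucker config above (abridged), and the milestones list is a constructed response in the shape the API returns, with 9 standing in for the 3.3.0 milestone as on this page; the YAML loading step is left out so the script needs only the standard library.

```python
"""Pre-commit sanity checks for a dependabot.yml.

Added example, not GitHub's or Dependabot's own code. check_config() takes the
config as a YAML loader would already have parsed it and verifies the three
required options, the types of the optional ones used in this article, and the
easy-to-miss rule that `milestone` is GitHub's numeric id rather than the
milestone label. milestone_number() resolves a label to that id from the
objects returned by GET /repos/{owner}/{repo}/milestones (field `title` holds
the label, field `number` the id).
"""
from typing import Any, Dict, List, Optional

# Ecosystems accepted by the v2 config at the time of writing (July 2020).
KNOWN_ECOSYSTEMS = {
    "bundler", "cargo", "composer", "docker", "elm", "github-actions", "gitsubmodule",
    "gomod", "gradle", "maven", "mix", "npm", "nuget", "pip", "terraform",
}
INTERVALS = {"daily", "weekly", "monthly"}


def _is_str_list(value: Any) -> bool:
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def _is_int(value: Any) -> bool:
    # YAML `true` loads as bool, which Python treats as an int; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def check_config(config: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the config looks valid."""
    problems: List[str] = []
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return problems + ["updates must be a non-empty list"]
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be a mapping")
            continue
        # The three required options.
        if entry.get("package-ecosystem") not in KNOWN_ECOSYSTEMS:
            problems.append(f"{where}: unknown package-ecosystem {entry.get('package-ecosystem')!r}")
        directory = entry.get("directory")
        if not isinstance(directory, str) or not directory.startswith("/"):
            problems.append(f"{where}: directory must be a path from the repository root, e.g. \"/\"")
        schedule = entry.get("schedule")
        if not isinstance(schedule, dict) or schedule.get("interval") not in INTERVALS:
            problems.append(f"{where}: schedule.interval must be one of {sorted(INTERVALS)}")
        # Optional options used in this article.
        limit = entry.get("open-pull-requests-limit")
        if limit is not None and (not _is_int(limit) or limit < 0):
            problems.append(f"{where}: open-pull-requests-limit must be a non-negative integer")
        milestone = entry.get("milestone")
        if milestone is not None and not _is_int(milestone):
            problems.append(f"{where}: milestone must be the numeric milestone id, not {milestone!r}")
        for key in ("reviewers", "assignees"):
            if entry.get(key) is not None and not _is_str_list(entry[key]):
                problems.append(f"{where}: {key} must be a list of usernames")
        for j, rule in enumerate(entry.get("ignore") or []):
            if not isinstance(rule, dict) or not isinstance(rule.get("dependency-name"), str):
                problems.append(f"{where}.ignore[{j}]: needs a dependency-name")
                continue
            versions = rule.get("versions")
            if versions is not None and not (isinstance(versions, str) or _is_str_list(versions)):
                problems.append(f"{where}.ignore[{j}]: versions must be a range string or a list of them")
    return problems


def milestone_number(milestones: List[Dict[str, Any]], label: str) -> Optional[int]:
    """Map a milestone label (API field `title`) to the id the `milestone` option expects."""
    for milestone in milestones:
        if milestone.get("title") == label:
            return int(milestone["number"])
    return None


# The Chucker config from above (abridged), as a YAML loader would parse it.
CHUCKER_CONFIG: Dict[str, Any] = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "github-actions", "directory": "/", "schedule": {"interval": "weekly"}},
        {"package-ecosystem": "gradle", "directory": "/", "schedule": {"interval": "weekly"},
         "open-pull-requests-limit": 10, "reviewers": ["cortinico", "vbuberen"],
         "ignore": [{"dependency-name": "com.squareup.okhttp3:okhttp", "versions": "> 3.12.10"},
                    {"dependency-name": "com.squareup.retrofit2:retrofit", "versions": "> 2.6.4"}]},
    ],
}
# Constructed response in the shape of the GitHub milestones API (not real data).
MILESTONES = [
    {"number": 8, "title": "3.2.0", "state": "closed", "html_url": "https://github.com/example/repo/milestone/8"},
    {"number": 9, "title": "3.3.0", "state": "open", "html_url": "https://github.com/example/repo/milestone/9"},
]

if __name__ == "__main__":
    print("problems:", check_config(CHUCKER_CONFIG) or "none")
    print("milestone id for 3.3.0:", milestone_number(MILESTONES, "3.3.0"))
```

Run it on the loaded config before opening the PR that adds the file; the milestone check is the one that catches the mistake described above, because `milestone: 3.3.0` is valid YAML and only fails once Dependabot tries to use it.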
All other options can be found in the official documentation.
Note that versioning-strategy has no effect for Gradle projects as of July 2020.
I believe that Dependabot might become an essential tool in the arsenal of Android developers in the community.
I hope my guide will help keep more projects healthy and up to date.
Don't hesitate to give Dependabot a try and leave feedback so that we can see it come out of beta sooner!
Additional resources:
Dependabot website: https://dependabot.com/
Official guide on enabling/disabling automatic updates: https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates
Dependabot core repo: https://github.com/dependabot/dependabot-core