Dependabot for .NET Core dependency tracking in GitHub

I've been exploring automated dependency tracking lately. I usually use my podcast's ASP.NET Core website that I host on GitHub as a guinea pig. I tried NuKeeper and the dotnet outdated global tool - both of which are fantastic and worth exploring.

This week I'm trying Dependabot. I have no relationship with this company. Public repos and personal account repos are free, their pricing is very clear, and organization accounts start at just $15 with a free trial.

I'm really impressed with how clever Dependabot is. It's almost like a person in its behavior. Yes, I realize that's kind of the point, but it's no less surprising to see. A well-written bot is a joy to behold.

For example, here is a PR (Pull Request) where Dependabot says "Bumps Microsoft.ApplicationInsights.AspNetCore from 2.5.0-beta1 to 2.5.0-beta2."

Basic stuff, right? But that's not all.

It not only does the basics where it noticed that a version bump occurred in a NuGet package, but it also copied the release notes from that NuGet package's release on GitHub! It included links to what was fixed between versions, links to the change logs, AND a complete linked commit list. I mean, that's just lovely.

A few days later, Dependabot went and closed the PR because the dependency had updated (I was slow), then it commented telling me this PR was superseded by another.

Dependabot, like any good bot, also includes commands you can send to it via "Chats" in GitHub PR comments. You can tell it to use specific labels, control milestones. You can also control behavior in the Dependabot Dashboard and have it automerge things like minor versions, or just lock things down to security-only updates.

All in all, it's a very smart bot that supports basically all the languages. .NET support is in Beta, but I haven't had any issues with it. You should definitely check it out. And let me tell you, once you've got everything automated you'll wonder how you ever managed before.



About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Translated from: https://www.hanselman.com/blog/dependabot-for-net-core-dependency-tracking-in-github