Malasartes

Reputation: 1

How to Solve on Dependabot: Requirements to unlock update_not_possible

I am trying to implement Dependabot on my organization's Azure DevOps pipeline. We have multiple repos. I am using a ps1 script to distribute the Github/dependabot.yaml file and the pipeline to all the repos. But when testing Dependabot in a repo, I get this situation and the PRs are not created:

    Found 6 dependencies
     - akeyless-community/akeyless ()
     - azure/azapi ()
     - hashicorp/azurerm ()
     - hashicorp/tls ()
     - tchupp/env ()
    https://dev.azure.com/hugoboss/TerraformModule/_apis/git/repositories/hb_az_virtual_machine
    🌐 --> GET 
    🌐 <-- 200 
    Requirements to unlock update_not_possible
    Requirements update strategy #<Dependabot::RequirementsUpdateStrategy::BumpVersionsIfNecessary>
    Checking if hashicorp/azurerm  needs updating
    ....

Upvotes: 0

Views: 546

Answers (1)

Bright Ran-MSFT

Reputation: 14074

According to my further research and study, I found that the message "Requirements to unlock update_not_possible" is not an issue/error; it just means the dependency does not need updating.

When running Dependabot, it will always check the package manifest files from the default branch of the repository, regardless of which branch the pipeline is running for.

For example:

  1. If I set the required_providers in the providers.tf file as below in the default branch:

    terraform {
      required_version = ">=1.0"
    
      required_providers {
        akeyless = {
          source = "akeyless-community/akeyless"
          version = ">=1.3.0"
        }
    
        . . .
      }
    }
    

    When running Dependabot, it will always return the message "Requirements to unlock update_not_possible", because the current latest version 1.7.0 and subsequent new versions always match the range specified by the pattern ">=1.3.0", so no version update is needed.

  2. If I set the required_providers in the providers.tf file as below in the default branch:

    terraform {
      required_version = ">=1.0"
    
      required_providers {
        akeyless = {
          source = "akeyless-community/akeyless"
          version = "1.3.0"
        }
    
        . . .
      }
    }
    

    When running Dependabot, as long as there is a new version higher than the one specified by the pattern "1.3.0", it will automatically create a branch and a pull request to update the pattern from "1.3.0" to the current latest version (for example, currently "1.7.0").


To let the pipeline automatically create the branch and pull request, you can configure it as below:

  1. In the Security hub of the repository, you need to set the following permissions to 'Allow' for the identities "Project Collection Build Service ({Organization Name})" and "{Project Name} Build Service ({Organization Name})":

    • Contribute
    • Contribute to pull requests
    • Create branch
    • Force push


  2. Sample of the .github/dependabot.yml as reference.

    # .github/dependabot.yml
    
    version: 2
    updates:
    - package-ecosystem: "terraform"
      directory: "/"
      schedule:
        interval: "weekly"
      open-pull-requests-limit: 10
    
  3. Sample of pipeline as reference.

    # azure-pipelines.yml
    
    . . .
    
    steps:
    - task: dependabot@1
      displayName: 'Run Dependabot'
    
  4. Result: See above screenshots.


Upvotes: 0
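As an added example (my own code, not Dependabot's), here is a simplified Python model of the decision the answer above describes: the newest provider release is tested against the current requirement, and a new requirement is produced only when the current one does not already admit it. It follows Terraform's required_providers constraint syntax (`=`, `!=`, `>`, `>=`, `<`, `<=`, `~>`, comma-separated clauses); the function names and the sample versions are assumptions.

```python
from typing import Optional

OPS = ("~>", ">=", "<=", "!=", ">", "<", "=")


def parse_version(text: str) -> tuple:
    """'1.3' -> (1, 3, 0): pad to three components so '1.3' equals '1.3.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version: str, constraint: str) -> bool:
    """True when `version` is allowed by every comma-separated clause."""
    v = parse_version(version)
    for clause in constraint.split(","):
        clause = clause.strip()
        op = next((o for o in OPS if clause.startswith(o)), "=")
        raw = clause[len(op):] if clause.startswith(op) else clause
        t = parse_version(raw)
        if op == "~>":
            # Pessimistic constraint: '~>1.3' allows >=1.3.0,<2.0.0 and
            # '~>1.3.0' allows >=1.3.0,<1.4.0 (only the rightmost given
            # component may grow).
            given = len(raw.strip().split("."))
            idx = max(given - 2, 0)
            upper = list(t)
            upper[idx] += 1
            upper[idx + 1:] = [0] * (2 - idx)
            ok = t <= v < tuple(upper)
        else:
            ok = {"=": v == t, "!=": v != t, ">": v > t, ">=": v >= t,
                  "<": v < t, "<=": v <= t}[op]
        if not ok:
            return False
    return True


def bump_if_necessary(constraint: str, latest: str) -> Optional[str]:
    """Return the new requirement string, or None when the existing
    requirement already admits `latest` (nothing to unlock, no PR)."""
    if satisfies(latest, constraint):
        return None
    return latest


if __name__ == "__main__":
    # Constructed sample: the two providers.tf variants from the answer.
    for req in (">=1.3.0", "1.3.0", "~>1.3.0"):
        print(f"{req:>8} vs latest 1.7.0 ->", bump_if_necessary(req, "1.7.0"))
```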
