@bugron/validate-dependabot-yaml
CLI for validating Dependabot v2 YAML configuration files
This CLI tests the dependabot.yml against the [official v2 JSON schema](https://json.schemastore.org/dependabot-2.0.json). It does not detect ALL invalid dependabot files as dependabot has extra validation beyond the JSON schema.
In addition to validating Dependabot configuration files against the schema, this tool also implements the following validations:
- Directory/directories values must be unique and cannot overlap with the directory or directories entries in blocks that have the same ecosystem and target-branch. [Docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory)
- Ensures that the dependency-type option is only used with package ecosystems that support it. [Docs](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-groups)
- Ensures that the cooldown options semver-major-days, semver-minor-days and semver-patch-days are only used with package ecosystems that support them. [Docs](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#configuration-of-cooldown)
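As an added illustration of the first rule above (this is example code, not the package's own implementation), the following check takes an already-parsed dependabot.yml object and reports directory values that are reused by blocks sharing the same package-ecosystem and target-branch. Treating "/app" and "/app/" as the same directory is this example's own assumption.

```javascript
// Added example: uniqueness check for directory/directories per
// (package-ecosystem, target-branch). Input is the parsed YAML as a plain
// object; YAML parsing itself is out of scope here.

function normalizeDir(dir) {
  // Assumption: a trailing slash does not make a different directory.
  const trimmed = String(dir).replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

function directoriesOf(update) {
  // An update block may use `directory` (string) or `directories` (array).
  const dirs = [];
  if (update.directory !== undefined) dirs.push(update.directory);
  if (Array.isArray(update.directories)) dirs.push(...update.directories);
  return dirs.map(normalizeDir);
}

// Returns a list of error messages; an empty list means the rule passes.
function findDirectoryConflicts(config) {
  const seen = new Map(); // "ecosystem@@branch" -> Map(dir -> first block index)
  const errors = [];
  (config.updates || []).forEach((update, index) => {
    const branch = update['target-branch'] || '';
    const key = `${update['package-ecosystem']}@@${branch}`;
    if (!seen.has(key)) seen.set(key, new Map());
    const dirsInScope = seen.get(key);
    for (const dir of directoriesOf(update)) {
      if (dirsInScope.has(dir)) {
        errors.push(
          `updates[${index}]: directory "${dir}" is already used by ` +
          `updates[${dirsInScope.get(dir)}] for ${update['package-ecosystem']} ` +
          `on branch "${branch || '(default)'}"`
        );
      } else {
        dirsInScope.set(dir, index);
      }
    }
  });
  return errors;
}

// Constructed sample: blocks 0 and 2 both use "/" for npm on the default
// branch (a conflict); block 1 reuses "/" on another branch, which is allowed.
const sampleConfig = {
  version: 2,
  updates: [
    { 'package-ecosystem': 'npm', directory: '/', schedule: { interval: 'weekly' } },
    { 'package-ecosystem': 'npm', directory: '/', 'target-branch': 'develop', schedule: { interval: 'weekly' } },
    { 'package-ecosystem': 'npm', directories: ['/packages/a', '/'], schedule: { interval: 'daily' } },
  ],
};

console.log(findDirectoryConflicts(sampleConfig));
```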
## Why?
If you introduce a validation error while editing your config, you won't find out about it until the next time Dependabot runs.
If the update interval is long and no alert is configured, the problem may go unnoticed for much longer.
This CLI lets you catch some of these problems before you even commit dependabot.yml.
## Usage
```
$ npx @bugron/validate-dependabot-yaml@latest --help
CLI for validating Dependabot v2 YAML configuration files
Usage
$ npx @bugron/validate-dependabot-yaml [path]
[path]
Optional path to dependabot configuration file relative to current working directory (default: .github/dependabot.yml)
Options
--format, -f Logger type, either json or markdown (default: markdown)
--pretty, -p Only used for json logger, prettifies JSON output
Output
Success: process exits with status 0, no output is logged
Failure: process exits with status 1, JSON or Markdown formatted validation error messages are logged
Examples
$ npx @bugron/validate-dependabot-yaml
$ npx @bugron/validate-dependabot-yaml config/dependabot.yaml
$ npx @bugron/validate-dependabot-yaml .github/dependabot.yml --f=json --p
$ npx @bugron/validate-dependabot-yaml .github/dependabot.yml --format=json --pretty
$ npx @bugron/validate-dependabot-yaml .github/dependabot.yml --f=markdown
$ npx @bugron/validate-dependabot-yaml .github/dependabot.yml --format=markdown
```
## Test coverage
The validation logic is tested on almost all cases/examples from the [official documentation](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) and more.
## Any problem?
Feel free to report issues. 😃