Bazel support?
Hi there - we use bazel within our multi-product repos. It would be great to have dependabot understand and integrate with that?
Broadly, bazel is a cross-platform and cross-language build system. It wants one to specify all external dependencies within a WORKSPACE file within the root of the repo (with plans I think to allow WORKSPACE files, plural, within the repo).
WORKSPACE file can take dependencies as follows:
A great first addition would be to handle the http_archive dependency rules, since mostly these target github sha1s or tags.
I don't know which language dependabot itself is written in, but there is a Starlark parser in golang if it happens to be go.
Answer questions rkhir
there is a Starlark parser in golang if it happens to be go.
It might be worth pointing out that Skylark is a subset of Python 3 as that might simplify parsing of the
I have a Bazel project where I'm interested in enabling dependabot. I considered 1) writing a script that generates a WORKSPACE file to hack around the lack of support and 2) adding a CI check that makes sure that the pom.xml file is synced with WORKSPACE. This would obviously mean that no submitted pull requests by dependabot would work, but at least we'd know of security issues. Maybe too hacky, haven't decided...
@JensRantil, great idea. Although Bazel does support the pom.xml generation part of this rule the file can be synced on each bazel build ... command, which will save the implementer a few steps. 🍻
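The http_archive inventory discussed in the thread, as an added example that is not part of the thread and not dependabot's code: it reads a WORKSPACE file with Python's `ast` module, lists each `http_archive` rule, and flags rules that have no `sha256`. It assumes the file parses under Python's grammar, as suggested above; the sample WORKSPACE content, repository names and URLs are constructed.

```python
import ast

# Constructed sample WORKSPACE content (not from the thread).
SAMPLE_WORKSPACE = '''
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "rules_example",
    urls = ["https://github.com/example/rules_example/archive/v1.2.3.tar.gz"],
    # Placeholder digest: SHA-256 of empty input.
    sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    strip_prefix = "rules_example-1.2.3",
)

http_archive(
    name = "unpinned_example",
    url = "https://github.com/example/unpinned/archive/master.zip",
)
'''

def http_archives(workspace_text):
    """Return one dict of keyword arguments per http_archive(...) call, in file order."""
    calls = [n for n in ast.walk(ast.parse(workspace_text))
             if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
             and n.func.id == "http_archive"]
    found = []
    for call in sorted(calls, key=lambda n: n.lineno):
        attrs = {}
        for kw in call.keywords:
            if kw.arg is None:            # **kwargs expansion, nothing to read
                continue
            try:
                attrs[kw.arg] = ast.literal_eval(kw.value)
            except ValueError:
                attrs[kw.arg] = None      # computed value, not a plain literal
        found.append(attrs)
    return found

def unpinned(archives):
    """Names of archives fetched without a sha256 integrity check."""
    return [a.get("name") for a in archives if not a.get("sha256")]

if __name__ == "__main__":
    archives = http_archives(SAMPLE_WORKSPACE)
    for a in archives:
        print(a.get("name"), a.get("urls") or a.get("url"), a.get("sha256"))
    print("missing sha256:", unpinned(archives))
```
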