Currently is seems that when you require Codacy checks on a repo and also turn on Dependabot to automatically open PRs there is no way for Codacy to run on Dependabot PRs and no way to merge the PR when you have Codacy checks required. This is a major pain and makes Codacy less useful, or at the very least only an optional service so no enforcement on PRs made by actual developers.
Hi @f1_timnolte , Thanks for the amazing feedback!
Right now Codacy handles a bot like a normal user, so you can just add it to your org and all of the commits made by that email will be analyzed.
Please let me know if you have any trouble adding the bot to your org.
OK, I see about that. The thing that concerns me is that we have no control over what user any bots might be using, especially Dependabot, and it could possibly change at any time without notice. Also, there would then also be additional user costs for bots. I will probably just convert these projects over to GitHub Actions and drop Codacy since it’s looking to be cost prohibitive for us. Thanks!
I’m @tercio from the Codacy Product Management team.
We are aware of the current behaviour when bots are used, and we’re sorry for the problems it’s causing you.
Trying to build on top of this, can you help us understand your workflow and the need to have Dependabot PRs analyzed by Codacy?
@tercio so in actuality we don’t need GitHub Dependabot PR to be scanned via Codacy, however, we have Codacy setup as a required check that must pass in order for PR to be allowed to be merged. This has the affect that PRs opened by Dependabot can’t run/pass and thus we can’t merge in those PRs without doing additional work.
Any news regarding this problem?
I’m in the same situation as @f1_timnolte
We have the same problem. Static analysis runs, but a bot can’t upload coverage. I understand this is because of security measures in GitHub Actions, but I’ve used other coverage tools like Codecov, and they don’t require a token to submit coverage from popular CI solutions. Maybe you could implement something similar?
Screenshot of Codecov’s configuration:
The PR I see this happening on right now: build(deps): bump peter-evans/rebase from 1 to 2 by dependabot[bot] · Pull Request #10 · myparcelnl/pdk · GitHub
Hi @EdieLemoine, and welcome to the Codacy Community!
Regarding the specific issue that you’re having with running the Codacy Coverage Reporter on commits pushed by Dependabot, GitHub recently introduced encrypted secrets for Dependabot that let you overcome this. Please check the following docs:
Essentially, this is how it works:
- You can now store secrets at the repository and organization level that are accessible by Dependabot
- Using the same secret name as your existing “regular” secret allows jobs running for either regular contributors or Dependabot to access their respective secrets without you having to change the syntax of your GitHub Action workflow
Let us know if this works for you.
Thank you @paulo.ribeiro, that works!