
pass job file path to analyze command #11089

Merged (1 commit), Dec 10, 2024
Conversation

brettfo (Contributor) commented Dec 10, 2024

The discover and update NuGet tool commands both have a --job-path argument so that the current set of experiments can be parsed.

This PR adds the same behavior to the analyze command. We don't yet need the experiments for this command, but we will soon, so this is front-loading some of the work.

@brettfo brettfo requested a review from a team as a code owner December 10, 2024 00:01
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Dec 10, 2024
@brettfo brettfo force-pushed the dev/brettfo/nuget-pass-job branch 2 times, most recently from b0715bb to 4f543fd, December 10, 2024 17:15
@brettfo brettfo force-pushed the dev/brettfo/nuget-pass-job branch from 4f543fd to 626a388, December 10, 2024 21:35
@randhircs randhircs merged commit ff29929 into main Dec 10, 2024
70 checks passed
@randhircs randhircs deleted the dev/brettfo/nuget-pass-job branch December 10, 2024 23:10
andrcuns (Contributor) commented

@brettfo This seems to break the ability to use the dependabot-core nuget updater as a standalone outside of GitHub, given it now depends on DEPENDABOT_JOB_PATH, which, if I understand correctly, is a path to a JSON file that only GitHub's instrumentation inserts (it probably got broken even earlier when the --job-path argument was added, but this will most likely raise an error earlier, directly from the Ruby code, rather than from within the native helpers).

Would you be able to advise whether the team still plans to support the use case of dependabot-core being usable as a standalone library, or whether it is not a priority anymore?

brettfo (Contributor, Author) commented Dec 18, 2024

Going forward we're trying to only use dependabot through the CLI which uses the proxy image to handle authentication. The reason is that we'd otherwise have to maintain two versions of the code that handles authentication and since the official implementation uses the CLI and proxy, that's the easiest route for us to follow.

andrcuns (Contributor) commented Dec 18, 2024

> Going forward we're trying to only use dependabot through the CLI which uses the proxy image to handle authentication. The reason is that we'd otherwise have to maintain two versions of the code that handles authentication and since the official implementation uses the CLI and proxy, that's the easiest route for us to follow.

@brettfo I haven't looked into the CLI; is it usable outside GitHub's ecosystem?

edit:

Never mind, I see from the README that it is. Thanks for your response.

brettfo (Contributor, Author) commented Dec 18, 2024

@andrcuns One method to run it locally would be to use the CLI that you found with the following setup:

  • A job.yml with the appropriate data. The CLI repo has an example in the README.
  • If you don't want to have to clone the repo, you can pass the arguments --local C:\path\to\repo and the files will be zipped and injected into the updater container.
  • Specify an output file on the command line to get a helpful YAML file that describes the operations performed.

As an example, you might invoke it with: dependabot update -f job.yml -o result.yml --local C:\path\to\repo and that would run it from local files. The result file looks like this. The relevant parts are under output where type is create_pull_request.
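The setup brettfo describes above, as an added example written for this page (it is not code from this PR, from dependabot-core or from the dependabot CLI project): it builds a job file for the nuget updater, assembles the `dependabot update -f job.yml -o result.yml --local <repo>` invocation, and then narrows a parsed result file down to the `create_pull_request` operations so a maintainer can review which dependency bumps are proposed before anything is applied. Assumptions: the job.yml keys (`job`, `package-manager`, `allowed-updates`, `source` with `provider`/`repo`/`directory`) are recalled from the CLI README rather than taken from this page; everything in the result file beyond `output[].type` (the `expect.data.dependencies` path) is an assumed layout; the sample result and the repo/path values are constructed. The job file carries no credentials, since, per the discussion above, authentication is handled by the CLI's proxy image.

```python
"""Added example: drive the dependabot CLI from local files and review its output.

Not project code. job.yml layout is recalled from the CLI README (assumption);
result.yml layout beyond `output[].type` is assumed; sample data is constructed.
"""
import json
import shutil
import subprocess
from pathlib import Path


def build_job(repo, directory="/", package_manager="nuget"):
    """Return a job definition for one repo/directory.

    No tokens are embedded: authentication is the proxy image's job, so the
    job file itself should stay free of secrets (and safe to commit or share).
    """
    return {
        "job": {
            "package-manager": package_manager,
            "allowed-updates": [{"update-type": "all"}],
            "source": {"provider": "github", "repo": repo, "directory": directory},
        }
    }


def write_job_file(job, path):
    """Write job.yml. JSON is a subset of YAML, so json.dumps produces a valid
    job.yml without needing a YAML library installed."""
    path = Path(path)
    path.write_text(json.dumps(job, indent=2) + "\n", encoding="utf-8")
    return path


def run_update(job_file, local_repo, result_file):
    """Assemble the invocation from the PR comment and run it only when the
    CLI is actually on PATH; the argv is returned either way for inspection."""
    cmd = ["dependabot", "update", "-f", str(job_file), "-o", str(result_file),
           "--local", str(local_repo)]
    if shutil.which("dependabot"):
        subprocess.run(cmd, check=True)
    return cmd


def pull_request_ops(result):
    """Keep only the `output` entries whose type is create_pull_request, which
    the comment above identifies as the relevant part of result.yml."""
    return [op for op in result.get("output", []) if op.get("type") == "create_pull_request"]


def summarize_dependencies(ops):
    """Flatten (name, version) pairs from the proposed PRs for human review.
    The expect.data.dependencies path is an assumed result.yml layout."""
    pairs = []
    for op in ops:
        data = op.get("expect", {}).get("data", {})
        for dep in data.get("dependencies", []):
            pairs.append((dep.get("name"), dep.get("version")))
    return pairs


# Constructed stand-in for a parsed result.yml (not real CLI output).
SAMPLE_RESULT = {
    "output": [
        {"type": "update_dependency_list",
         "expect": {"data": {"dependencies": [{"name": "Newtonsoft.Json", "version": "12.0.1"}]}}},
        {"type": "create_pull_request",
         "expect": {"data": {"dependencies": [{"name": "Newtonsoft.Json", "version": "13.0.3"}]}}},
        {"type": "mark_as_processed", "expect": {"data": {}}},
    ]
}


if __name__ == "__main__":
    job_file = write_job_file(build_job("owner/repo"), "job.yml")  # constructed repo name
    print(job_file.read_text())
    print(" ".join(run_update(job_file, "C:/path/to/repo", "result.yml")))
    # With a real run, load result.yml (e.g. yaml.safe_load) into `result` instead.
    for name, version in summarize_dependencies(pull_request_ops(SAMPLE_RESULT)):
        print(f"proposed PR bumps {name} to {version}")
```

When the CLI has produced a real result.yml, parse it with a YAML loader and pass the resulting dict to `pull_request_ops`; the point of the summary step is that the proposed version bumps are reviewed as data before any pull request is opened on the target repository.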

andrcuns (Contributor) commented
@brettfo Thanks for the example.

My main problem is that I maintain what is now a fairly complex Rails app that implements instrumentation around dependabot-core and allows having a stateful service for managing dependency updates for GitLab.

It actually looks like I could update it to use the CLI and save myself a ton of headache when trying to follow along with all the changes in core; it looks like the output actually provides most of the data I would need. The main issue is that it's a cloud-native app with the ability to deploy to a k8s cluster. Not sure how to run the CLI in that scenario 😄

Anyhow, thanks for the response; at least now I know the general direction core is going in.
