Add exclude-paths option to dependabot.yml #12532

Merged

Conversation

@dnlfm (Contributor) commented Jun 30, 2025

This PR adds the possibility of specifying exclude-paths in dependabot.yml.

It's a very old issue, and I decided to give a first stab: #4364

End-to-end tests may be required to validate the solution. Unit tests are in place.

Example of dependabot.yml with the new option:

version: 2
updates:
  - package-ecosystem: "npm_and_yarn"
    directory: "/"
    schedule:
      interval: "daily"
    exclude-paths:
      - "src/test/assets"
      - "vendor/**"
      - "src/*.rb"
      - "src/test/helper.rb"

@dnlfm dnlfm requested a review from a team as a code owner June 30, 2025 11:11
@github-actions github-actions bot added L: java:gradle Maven packages via Gradle L: github:actions GitHub Actions labels Jun 30, 2025
@dnlfm dnlfm marked this pull request as draft June 30, 2025 11:37
@dnlfm dnlfm marked this pull request as ready for review July 1, 2025 01:03
@markhallen markhallen moved this to Scoping in Dependabot Jul 1, 2025
@markhallen markhallen moved this from Scoping to Ready in Dependabot Jul 2, 2025
@markhallen markhallen moved this from Ready to Scoping in Dependabot Jul 2, 2025
@dnlfm dnlfm changed the title Add exclude_directories option to dependabot.yml Add exclude_paths option to dependabot.yml Jul 2, 2025
@dnlfm dnlfm changed the title Add exclude_paths option to dependabot.yml Add exclude-paths option to dependabot.yml Jul 16, 2025
@randhircs randhircs force-pushed the dnlfm/exclude-directories-flag-issue-4364 branch from bf36625 to 696c6c6 on July 22, 2025 18:53
@randhircs randhircs self-assigned this Jul 22, 2025
@randhircs (Contributor) commented:

@dnlfm You may like to fix the specs which are failing.

@dnlfm (Contributor, Author) commented Jul 22, 2025

@dnlfm You may like to fix the specs which are failing.

@randhircs I'm sorry but why did you force push, rewriting previous commits?

The failing spec is not related to the changes in this PR:
[image]

It seems this issue appeared after your commit. Force-pushes should be avoided; this one may have modified something that is hard to identify, as it may have rewritten the git tree. The Specs / ci check was fine before this happened: https://github.com/dependabot/dependabot-core/actions/runs/16314785084/job/46077982547

@randhircs (Contributor) commented:

@dnlfm I had to rebase to proceed to check if all specs are passing. I am sure the sorbet fix is something you can check from your end.

@randhircs randhircs force-pushed the dnlfm/exclude-directories-flag-issue-4364 branch from 696c6c6 to 95d602e on July 24, 2025 20:59
@randhircs (Contributor) commented Jul 24, 2025

@dnlfm Again now, I am checking by rebasing it to see if all specs are good. I feel that you may like to fix the sorbet issue.

@dnlfm (Contributor, Author) commented Jul 25, 2025

@dnlfm Again now, I am checking by rebasing it to see if all specs are good. i feel that you may like to fix the sorbet issue.

Hi @randhircs,
I see "Sorbet" was added to this project but not really added to the files, i.e. not completely rolled out it seems. For example,

Checking updater/lib/dependabot/file_fetcher_command.rb for Sorbet typing...
No Sorbet typing found at the top of updater/lib/dependabot/file_fetcher_command.rb

The file file_fetcher_command.rb wasn't added by me, and it contains this error for Sorbet typing.
I would like you to check that, as it is something that was not added in this PR. Another PR that I saw where Sorbet is failing but didn't add the file is: #12589 where the file uv/lib/dependabot/uv/file_fetcher.rb originally didn't have the Sorbet typing, confirming that it is something in the project that wasn't rolled out well.

I would also like to ask you to remove the need for Sorbet typing in test files: even though I added # typed: ignore, it still requires strict or strong, and again, it doesn't make sense to have it in test files.

I would prefer to not have to check these Sorbet issues by myself.

@kbukum1 (Contributor) commented Jul 28, 2025

@dnlfm — We actually added full Sorbet type checks later on. However, files without proper Sorbet typings won’t be caught by the pipeline unless they’re modified. Once someone touches such a file, it becomes a requirement to fully type it, with the goal of gradually achieving complete Sorbet coverage.

If you're able to add the Sorbet typings here, that would be great. But if it feels like too much, @randhircs can help with that. Thanks again for your contribution!

@randhircs — You might be able to help here. Also, if you're planning to push additional commits, please avoid force-pushing, as we’d like to retain @dnlfm’s original commit.

@dnlfm (Contributor, Author) commented Jul 29, 2025

Hi @kbukum1,

Thank you for your response.

it becomes a requirement to fully type it, with the goal of gradually achieving complete Sorbet coverage

I suspected that could be the case, but I would encourage a different approach: the team responsible for adding Sorbet could map the files they need to go through and address them in batches, let's say 40 files a week, prioritizing the ones in PRs that are already open. This way, PRs will have isolated changes, i.e. they won't touch anything that is not meaningful to their own changes, making the code review process better.

Also, I would really appreciate it if a code review is done on what I have done. I looked at my PR once again today, and I started wondering whether what I have done will work for all kinds of repositories or if there is something missing, for instance:

  • I added the exclusion logic to _fetch_repo_contents and _cloned_repo_contents, covering the flow for repo_contents in the Base implementation of a FileFetcher. However, I noticed that the FileFetcher implementations also implement their own fetch_files.
    I'm not very familiar with the whole flow, but I assumed that they would use repo_contents at some point, and I believe it may cover what we want to achieve with these changes. But maybe someone with more knowledge of the codebase, or who is able to make an E2E test, can tell me if there's any issue or something else missing, and then we can continue from there. Thanks in advance!
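
The exclusion semantics implied by the dependabot.yml example in the PR description and by the repo_contents filtering described in the comment above, as an added Ruby example that is not dependabot-core's code; `ExcludePathFilter`, its matching rules and the sample repository listing are assumptions for illustration.

```ruby
require "pathname"

# Patterns taken from the PR description's dependabot.yml example.
EXCLUDE_PATHS = %w[src/test/assets vendor/** src/*.rb src/test/helper.rb].freeze

# Constructed sample listing of a repository tree (not a real repository).
SAMPLE_REPO_PATHS = %w[
  package.json
  src/app.rb
  src/util/helper.rb
  src/test/helper.rb
  src/test/assets/fixture.json
  src/test/other_spec.rb
  vendor/bundle/gems/foo-1.0/foo.gemspec
  vendor/package.json
].freeze

# Hypothetical filter, not dependabot-core's implementation. Assumed semantics:
# a literal path excludes that file, or that directory and everything under it;
# "*" matches within a single path segment only; a trailing "/**" excludes a tree.
class ExcludePathFilter
  FLAGS = File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB

  def initialize(patterns)
    @patterns = patterns.map { |p| normalize(p) }
  end

  # True when +path+ (relative to the repo root) matches any exclude pattern.
  def excluded?(path)
    clean = normalize(path)
    @patterns.any? do |pattern|
      dir = pattern.delete_suffix("/**") # "vendor/**" and "vendor" exclude the same tree
      File.fnmatch?(pattern, clean, FLAGS) || clean == dir || clean.start_with?("#{dir}/")
    end
  end

  # Drop excluded entries from a repo_contents-style listing.
  def filter(paths)
    paths.reject { |p| excluded?(p) }
  end

  private

  # Strip "./", trailing "/" and a leading "/" so patterns and paths compare alike.
  def normalize(path)
    Pathname.new(path).cleanpath.to_s.delete_prefix("/")
  end
end

# Paths the file fetcher would still see after applying the example config.
def kept_paths
  ExcludePathFilter.new(EXCLUDE_PATHS).filter(SAMPLE_REPO_PATHS)
end

puts kept_paths if $PROGRAM_NAME == __FILE__ # prints the three kept paths, one per line
```

Note that `src/*.rb` does not reach `src/test/helper.rb` because `FNM_PATHNAME` stops `*` at a slash, which is why the example config lists that file separately.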

@randhircs randhircs moved this from Scoping to In Progress in Dependabot Jul 29, 2025
@AbhishekBhaskar (Contributor) commented:

@dnlfm, also, we are planning on releasing this as a new feature. With regards to this, we would need to add a feature flag which, when enabled, puts these changes into effect. I will be creating the feature flag shortly. Please let me know if you prefer adding the feature flag in the code yourself, which I can share with you, or I can push those changes myself to the same PR. Thanks!

@dnlfm (Contributor, Author) commented Aug 6, 2025

@dnlfm, Also, we are planning on releasing this as a new feature. With regards to this, we would need to add a feature flag which when enabled, these changes would be in effect. I will be creating the feature flag shortly. Please let me know if you prefer adding the feature flag, which I can share with you, in the code or I can push those changes myself to the same PR. Thanks!

Hi @AbhishekBhaskar, that's great and thank you for asking! Please feel free to push the changes directly to this PR.

@dnlfm (Contributor, Author) commented Aug 6, 2025

@dnlfm We have provided fix for sorbet. You may like to resolve the conflict.

Thank you, @randhircs, fixed it.

@randhircs (Contributor) left a review comment:

LGTM.

@linked_paths = T.let({}, T::Hash[T.untyped, T.untyped])
@submodules = T.let([], T::Array[T.untyped])
@options = options

@files = T.let([], T::Array[DependencyFile])
end

# rubocop:disable Style/TrivialAccessors
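Review bot: the `# rubocop:disable Style/TrivialAccessors` on the last line of this region suggests the method that follows is a hand-written getter; if so, `attr_reader` preceded by a `sig { returns(...) }` satisfies both RuboCop and Sorbet without the disable, since the `T.let` declarations in the constructor already give the ivars their types.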
Review comment (Contributor):

Please avoid disabling rubocop.

Review comment (Contributor):

@AbhishekBhaskar Could you try removing the RuboCop:disable?

@@ -453,14 +462,18 @@ def codecommit_client
params(path: String, fetch_submodules: T::Boolean, raise_errors: T::Boolean)
.returns(T::Array[OpenStruct])
end
def _fetch_repo_contents(path, fetch_submodules: false,
raise_errors: true)
def _fetch_repo_contents(path, fetch_submodules: false, raise_errors: true) # rubocop:disable Metrics/PerceivedComplexity
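Review bot: the new signature on the last line of this hunk tacks `# rubocop:disable Metrics/PerceivedComplexity` onto `_fetch_repo_contents`, which means the exclude-paths branching was added inline and pushed the method over the complexity threshold; extracting the exclusion check into its own predicate (say `excluded_path?(path)`) would remove the disable, keep the existing `sig` for `_fetch_repo_contents` unchanged, and make the matching semantics testable on their own.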
Review comment (Contributor):

You may create a new method and remove this # rubocop:disable.

@@ -541,6 +554,66 @@ def _cloned_repo_contents(relative_path)
size: 0 # NOTE: added for parity with github contents API
)
end
if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
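Review bot: the hunk header shows roughly sixty lines added to `_cloned_repo_contents`, all of them behind `Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)`; with the flag off, a repository that configures `exclude-paths` gets the excluded files fetched anyway and nothing tells the user why. Consider logging when `exclude-paths` is set but the experiment is disabled, moving the body of the `if` into a separate method so the gate stays a one-liner, and noting the flag in the PR description, whose example config does not mention it.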
Review comment (Contributor):

Try to split the method to limit the method size.

@AbhishekBhaskar AbhishekBhaskar merged commit 1b5d971 into dependabot:main Aug 13, 2025
126 of 127 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Dependabot Aug 13, 2025