How to enable dependabot to auto merge from private registries, but notify from public ones


When managing a lot of repositories (e.g. > 100), working without Dependabot / Automerge is hard. But at the same time, there should be full control over the dependencies and which ones are allowed to auto-update.

The idea is:

  1. Use both public (NuGet) and a private feed for Dependabot so you get notified when a new version comes out
  2. When a version of a dependency comes out, the update can be verified. Once verified, it will be proxied into the private feed
  3. All dependencies in the private feed should be automatically merged (considered approved)

This way we will get the notifications on each repository, but once we approve the dependency and move it to the proxy, it should auto-merge on all repositories.

Has anyone achieved such a workflow? I investigated dependabot/fetch-metadata but could not find information on how to get the "source registry" that hosts the dependency.


There are 0 answers
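As an added example (not part of the question, and not code from Dependabot or the fetch-metadata action), one way to implement step 3 of the workflow above in a GitHub Actions job: since fetch-metadata reports the updated package names and versions but not which registry served them, the job can instead ask the private NuGet feed whether the new version is already proxied there and only enable auto-merge when it is. Assumptions: the `updated-dependencies-json` field names shown, and a constructed in-memory feed index standing in for a real HTTPS request to the private feed's NuGet v3 flat-container `index.json`.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of fetch-metadata's `updated-dependencies-json` output
# (field names assumed; verify against the action's documentation).
UPDATED_DEPENDENCIES_JSON = json.dumps([
    {"dependencyName": "Newtonsoft.Json", "prevVersion": "13.0.1",
     "newVersion": "13.0.3", "packageEcosystem": "nuget"},
    {"dependencyName": "Serilog", "prevVersion": "3.1.0",
     "newVersion": "4.0.0", "packageEcosystem": "nuget"},
])

# Constructed stand-in for the private feed's NuGet v3 flat-container index,
# i.e. GET {PackageBaseAddress}/{lowercase-id}/index.json -> {"versions": [...]}.
# A real job would fetch this over HTTPS using the feed token.
PRIVATE_FEED_INDEX: Dict[str, dict] = {
    "newtonsoft.json": {"versions": ["13.0.1", "13.0.3"]},
    "serilog": {"versions": ["3.1.0"]},  # 4.0.0 not yet approved/proxied
}

def normalize(version: str) -> str:
    """Approximate NuGet version normalization so PR versions compare equal
    to the feed's normalized strings: lowercase, strip build metadata,
    drop leading zeros, pad to three parts, drop a trailing fourth '.0'."""
    v = version.strip().lower().split("+", 1)[0]
    core, _, pre = v.partition("-")
    parts = [p.lstrip("0") or "0" for p in core.split(".")]
    while len(parts) < 3:
        parts.append("0")
    if len(parts) == 4 and parts[3] == "0":
        parts = parts[:3]
    core = ".".join(parts)
    return f"{core}-{pre}" if pre else core

def approved_versions(package_id: str, feed_index=PRIVATE_FEED_INDEX) -> set:
    """Versions of a package that exist in the curated private feed."""
    entry = feed_index.get(package_id.lower(), {})
    return {normalize(v) for v in entry.get("versions", [])}

def automerge_decision(updated_json: str,
                       feed_index=PRIVATE_FEED_INDEX) -> Tuple[bool, List[str]]:
    """Approve auto-merge only if every updated dependency's new version is
    already present in the private feed; otherwise leave the PR for review."""
    approve, reasons = True, []
    for dep in json.loads(updated_json):
        name, new = dep["dependencyName"], dep["newVersion"]
        if normalize(new) in approved_versions(name, feed_index):
            reasons.append(f"{name} {new}: in private feed, approved")
        else:
            approve = False
            reasons.append(f"{name} {new}: not in private feed, needs review")
    return approve, reasons
```

In the workflow, the job would run this against the real feed and call `gh pr merge --auto` only when the decision is True, so the public-feed notification still arrives as an ordinary Dependabot PR.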