fix: handle invalid YAML in existing dependabot config gracefully#526
Merged
fix: handle invalid YAML in existing dependabot config gracefully#526
Conversation
…pendabot config Fixes #523 ## What Changed build_dependabot_file() to return None instead of re-raising when an existing dependabot config has invalid YAML (e.g., duplicate keys, indentation errors). Updated existing test expectations and added a new test for the duplicate key scenario reported in the issue. ## Why When a repository had an invalid dependabot.yml (such as a duplicate key), the YAML parse error crashed the entire program, preventing all remaining repositories from being processed. Returning None allows the caller's existing `if dependabot_file is None` check to skip the repo and continue. ## Notes - The error message is still printed via the existing `print(f"YAML indentation error: {e}")` so users can identify which repo has a broken config. - The second test at line 175 (indentation error) also changed from `assertRaises` to `assertIsNone` since it exercises the same code path. Signed-off-by: jmeridth <jmeridth@gmail.com>
## What Moved the `if dependabot_file is None` check above the `yaml.dump()` call in `main()` so that None results skip immediately without writing `null` to `dependabot-output.yaml`. ## Why The previous ordering called `yaml.dump(None, yaml_file)` before checking for None, writing a `null` YAML literal to the debug artifact. This was a pre-existing issue for the "no package managers" path, but the YAML error handling change made it newly reachable via the error path. ## Notes - The YAML object and stream setup also moved below the guard since they're only needed when dependabot_file is not None. Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
force-pushed
the
jm_handle_yaml_errors_gracefully
branch
from
9d80cc6 to
2b558c4
Compare
jmeridth
added
the
Mark Ready When Ready
github-actions
bot
removed
the
Mark Ready When Ready
zkoppert
reviewed
Mar 31, 2026
Collaborator
zkoppert
left a comment
zkoppert
left a comment
There was a problem hiding this comment.
Nice fix - the core approach of returning None instead of crashing is solid, and moving the None check before the yaml.dump calls is a good move.
Co-authored-by: Zack Koppert <zkoppert@github.com> Signed-off-by: Jason Meridth <jmeridth@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to prevent the action from crashing when a repository’s existing dependabot.yml contains invalid YAML (e.g., indentation errors or duplicate keys), allowing processing to continue for subsequent repositories.
Changes:
- Update
build_dependabot_file()error handling for invalid existing Dependabot YAML and adjust expected behavior to returnNone. - Move the
dependabot_file is Noneearly-exit inevergreen.pyto occur before attempting to dump YAML output. - Update/extend unit tests to cover invalid YAML scenarios, including a duplicate-key case.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
dependabot_file.py |
Modifies YAML parse error handling when loading an existing Dependabot config. |
evergreen.py |
Moves the None check earlier to avoid dumping None as YAML output. |
test_dependabot_file.py |
Updates tests to expect None on invalid YAML and adds a duplicate-key regression test. |
…dler The UI merge of the error message suggestion accidentally replaced `return None` with the new print line, leaving two print statements and no early return. This caused UnboundLocalError on repos with invalid YAML configs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: jmeridth <jmeridth@gmail.com>
zkoppert
approved these changes
Mar 31, 2026
…s None ## What Change the print message from "No (new) compatible package manager found" to "Skipping repository" when `build_dependabot_file()` returns `None`. ## Why `build_dependabot_file()` now returns `None` for two distinct reasons: no compatible package managers found, and a YAML parse error. The old message was only accurate for the first case and misleading for the second. Since the YAML error is already printed just before this point, a generic message avoids false attribution. Signed-off-by: jmeridth <jmeridth@gmail.com>
Gaardsholt
approved these changes
Mar 31, 2026
Gaardsholt
left a comment
Gaardsholt
left a comment
There was a problem hiding this comment.
LGTM - I had similar approach in what I was playing around with locally, but I like your version better ;)
Collaborator
Author
Thank you for the review. I will be more aware next time when someone files an issue and ask them if they want to do the PR first. 🙇 |
Don't sweat it, as long as we find a solution for the issue at hand 👍 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Proposed Changes
Fixes #523
What
Changed
build_dependabot_file()to returnNoneinstead of re-raising when an existing dependabot config has invalid YAML (e.g., duplicate keys, indentation errors). Updated existing test expectations and added a new test for the duplicate key scenario reported in the issue.Why
When a repository had an invalid
dependabot.yml(such as a duplicate key), the YAML parse error crashed the entire program, preventing all remaining repositories from being processed. ReturningNoneallows the caller's existingif dependabot_file is Nonecheck to skip the repo and continue to the next one.Notes
print(f"YAML indentation error: {e}")so users can identify which repo has a broken config.assertRaisestoassertIsNonesince it exercises the same code path.Testing
Nonereturn instead of raised exception.build_dependabot_file()returnsNone.Readiness Checklist
Author/Contributor
make lintand fix any issues that you have introducedmake testand ensure you have test coverage for the lines you are introducing