by gchq-7703 1017 days ago
We use both Dependabot and CLA Assistant on one of our projects. It's an easy setting in CLA Assistant to whitelist Dependabot, although it did catch us out in the beginning.
1 comment

I don't actually want to allow Dependabot. The reason is that Dependabot then becomes a contributor, but it didn't sign the CLA. I think that's a problem. I don't want issues with my code ownership or my company's!

BTW - nice username, you actually work there?

Running a bot against your repository doesn’t make the bot a contributor. Does running an autoformatter against your code make the formatter a contributor? Does GitHub making the merge commit on a PR make GitHub a contributor?

This is just a repo with two bots turned on. Really confused why people are upvoting it.

It actually does. You can see Dependabot listed in the contributors when a project accepts its contributions. I think the legal ramifications of this are so unadjudicated as to be concerning. In effect, you’ve made GitHub a contributor to your project, so now GitHub possibly has some ownership, and I don’t want anyone being a contributor without signing the CLA for my business-critical projects.

I understand if you’re not concerned about this for your own projects, but I feel differently. Hope you can respect that.

To explain why people are voting for it: I think it’s kind of a funny situation where you have these two bots and they’re both supposed to be helpful, but the bots don’t actually cooperate with each other, like Dependabot doesn’t sign the CLA. I think it’s quite funny.

I understand if you don’t find it funny, no worries! I guess other people appreciate it too. It’s OK if you don’t! The world is a diverse place. Hope you have a good day :)

One difference with your example is the use of the structure of collaboration in open-source development.