Pages

Saturday 4 December 2021

Dependabot

 About

Github has a built-in bot which scans our repository and finds out the outdated dependencies. Then it will raise a merge request to bump up that dependency to latest known version. The maintainers can then decide to go with that version or not. 

https://github.com/dependabot

For Gitlab

I was using Gitlab for a while and was searching for similar cool feature there and found this.

https://github.com/dependabot/dependabot-script

The doc says it supports Gitlab, Azure Devops and Bitbucket as well.


For my personal project in Gitlab I built the docker image from src and then ran it against my Gitlab instance.


  • Build the dependabot-script Docker image
git clone https://github.com/dependabot/dependabot-script.git 
cd dependabot-script
docker build -t "dependabot/dependabot-script" -f Dockerfile .

  • Run the docker container

docker run --rm -e "PROJECT_PATH=my-project-group/my-repo" -e "PACKAGE_MANAGER=maven" -e "BRANCH=dependabot/test" -e "PULL_REQUEST_ASSIGNEE=29944" -e "GITLAB_ACCESS_TOKEN=xxxxxxPjkfiaQd3xcYsi" -e "GITLAB_HOSTNAME=gitlab.mydomain.com" "dependabot/dependabot-script"


With proxy env

docker run --rm -e "PROJECT_PATH=my-project-group/my-repo" -e "PACKAGE_MANAGER=maven" -e "BRANCH=develop" -e "PULL_REQUEST_ASSIGNEE=29944" -e "GITLAB_ACCESS_TOKEN=xxxxxxxjkfiaQd3xcYsi" -e "GITLAB_HOSTNAME=gitlab.mydomain.com" -e "HTTPS_PROXY=http://www-proxy.mydomain.com:80" -e "HTTP_PROXY=http://www-proxy.mydomain.com:80" -e "http_proxy=http://www-proxymydomain.com:80" -e "https_proxy=http://www-proxy.mydomain.com:80"  -e "NO_PROXY=mydomain2.com,localhost" "dependabot/dependabot-script"


gitlab-ci.yml

Using the above dependabot-script image  as the base-image, we can also create scheduled pipeline in Gitlab.

Example gitlab-ci.yml file here.

image: docker.mydomain.com/external/dependabot/dependabot-script:latest

variables:
  GITLAB_HOSTNAME: gitlab.mydomain.com  

stages:
  - run

dependabot-trigger:
  stage: run
  tags:
    - vm
  script:
    - cd /home/dependabot/dependabot-script
    - bundle exec ruby ./generic-update-script.rb


Other variables could be added to pipeline as vars while scheduling the job.
  • PROJECT_PATH:
    • eg:  my-project-group/my-repo
  • PACKAGE_MANAGER:
    • eg: maven
  • BRANCH:
    • Branch to scan
  • PULL_REQUEST_ASSIGNEE:
    • Integer ID of the user to assign. This can be found at link like:
    •  "gitlab.mydomain.com/api/v4/users?username="
  • GITLAB_ACCESS_TOKEN:
    • Gitlab API access token
  • GITHUB_ACCESS_TOKEN:
    • private Github token




    Posted by at
    Labels: , , ,

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)