This repository contains convenience tool(s) for updating dependencies in Azure DevOps repositories using Dependabot.
In this repository you'll find:
- Dependabot's Update script in Ruby.
- Dockerfile and build/image for running the script via Docker here.
- Azure DevOps Extension and source.
- Kubernetes CronJob template.
Similar to the GitHub native version where you add a .github/dependabot.yml
file, this repository adds support for the same official configuration options via a file located at .github/dependabot.yml
. This support is only available in the Azure DevOps extension and the managed version. However, the extension does not currently support automatically picking up the file, a pipeline is still required. See docs.
Using a configuration file over explicit inputs will not work with repositories other than the one in the pipeline. This means no shared pipeline. Instead consider the managed version.
Using .github/dependabot.yml
or .github/dependabot.yaml
instead of .azuredevops/dependabot.yml
is better for 2 reasons:
- Intellisense support in VS Code (and may be other IDEs).
- The docker container checks for the configuration file in this location to configure
commit-message
andignore
options.
Using the .azuredevops folder is deprecated and will be removed in version
0.11.0
.
Besides accessing the repository, sometimes, private feeds/registries may need to be accessed. For example a private NuGet feed or a company internal docker registry. Adding credentials is currently done via the DEPENDABOT_EXTRA_CREDENTIALS
environment variable. The value is supplied in JSON hence allowing any type of credentials even if they are not for private feeds/registries.
When working with Azure Artifacts, some extra steps need to be done:
- The PAT should have Packaging Read permission.
- The user owning the PAT must be granted permissions to access the feed either directly or via a group. An easy way for this is to give
Contributor
permissions the[{project_name}]\Contributors
group under theFeed Settings -> Permissions
page. The page has the url format:https://dev.azure.com/{organization}/{project}/_packaging?_a=settings&feed={feed-name}&view=permissions
.
A Kubernetes CronJobs is a useful resource for running tasks (a.k.a Jobs) on a recurring schedule. For more information on them read the documentation. Using the Docker image, we can create a CronJob and have it run periodically. The environment variables are supplied in the job template but can be stored in a ConfigMap for ease of reuse.
Use the template provided and replace the parameters in curly braces (e.g. replace {{azure_organization}}
with the actual value for your organization), then deploy it. Be sure to replace the {{k8s_schedule}}
variable with the desired schedule as per the Cron format.
- History for successful and failed jobs is restricted to 1 (change to suit you).
- Jobs are removed after 2 days (
ttlSecondsAfterFinished: 172800
). No need keep it for too long. - Jobs run duration is capped at 1 hour (
activeDeadlineSeconds: 3600
). This should be enough time. - Labels can be used to find cronjobs created.
- Annotations can be used to store extra data for comparison but not searching/finding e.g. package ecosystem.
The work in this repository is based on inspired and occasionally guided by some predecessors in the same area:
- Official Script support: code
- Andrew Craven's work: blog, code
- Chris' work: code
- andrcun's work on GitLab: code
- WeWork's work for GitLab: code
Please leave all comments, bugs, requests, and issues on the Issues page. We'll respond to your request ASAP!
The code is licensed under the MIT license. Refer to the LICENSE file for more information.