Skip to content

pheeblyboos/dependabot-azure-devops

 
 

Repository files navigation

Dependabot for Azure DevOps

This repository contains tools for updating dependencies in Azure DevOps repositories using Dependabot.

GitHub Workflow Status Release license

In this repository you'll find:

  1. Dependabot updater in Ruby. See docs.
  2. Dockerfile and build/image for running the updater via Docker here.
  3. Dependabot server in .NET/C#. See docs.
  4. Azure DevOps Extension and source.
  5. Kubernetes CronJob template.

Using a configuration file

Similar to the GitHub native version where you add a .github/dependabot.yml file, this repository adds support for the same official configuration options via a file located at .github/dependabot.yml. This support is only available in the Azure DevOps extension and the managed version. However, the extension does not currently support automatically picking up the file, a pipeline is still required. See docs.

We are well aware that ignore conditions are not explicitly passed and passed on from the extension/server to the container. It is intentional. The ruby script in the docker container does it automatically. If you are having issues, search for related issues such as tinglesoftware#582 before creating a new issue. You can also test against various reproductions such as https://dev.azure.com/tingle/dependabot/_git/repro-582

Credentials for private registries and feeds

Besides accessing the repository only, sometimes private feeds/registries may need to be accessed. For example a private NuGet feed or a company internal docker registry.

Adding configuration options for private registries is setup in dependabot.yml according to the dependabot description.

Example:

version: 2
registries:
  my-Extern@Release:
    type: nuget-feed
    url: https://dev.azure.com/organization1/_packaging/my-Extern@Release/nuget/v3/index.json
    token: PAT:${{MY_DEPENDABOT_ADO_PAT}}
  my-analyzers:
    type: nuget-feed
    url: https://dev.azure.com/organization2/_packaging/my-analyzers/nuget/v3/index.json
    token: PAT:${{ANOTHER_PAT}}
  artifactory:
    type: nuget-feed
    url: https://artifactory.com/api/nuget/v3/myfeed
    token: PAT:${{DEPENDABOT_ARTIFACTORY_PAT}}
updates:
...

Note:

  1. ${{VARIABLE_NAME}} notation is used liked described here BUT the values will be used from Environment Variables in the pipeline/environment. Template variables are not supported for this replacement. Replacement only works for values considered secret in the registries section i.e. password, token, and key

  2. When using a token the notation should be PAT:${{VARIABLE_NAME}}. Otherwise the wrong authentication mechanism is used by dependabot, see here.

When working with Azure Artifacts, some extra permission steps need to be done:

  1. The PAT should have Packaging Read permission.
  2. The user owning the PAT must be granted permissions to access the feed either directly or via a group. An easy way for this is to give Contributor permissions the [{project_name}]\Contributors group under the Feed Settings -> Permissions page. The page has the url format: https://dev.azure.com/{organization}/{project}/_packaging?_a=settings&feed={feed-name}&view=permissions.

Security Advisories, Vulnerabilities, and Updates

Security-only updates ia a mechanism to only create pull requests for dependencies with vulnerabilities by updating them to the earliest available non-vulnerable version. Security updates are supported in the same way as the GitHub-hosted version. In addition, you can provide extra advisories, such as those for an internal dependency, in a JSON file via the securityAdvisoriesFile input e.g. securityAdvisoriesFile: '$(Pipeline.Workspace)/advisories.json'. A file example is available here.

A GitHub access token with public_repo access is required to perform the GitHub GraphQL for securityVulnerabilities.

Kubernetes CronJob

A Kubernetes CronJobs is a useful resource for running tasks (a.k.a Jobs) on a recurring schedule. For more information on them read the documentation. Using the updater docker image, we can create a CronJob and have it run periodically. The environment variables are supplied in the job template but can be stored in a ConfigMap for ease of reuse.

Use the template provided and replace the parameters in curly braces (e.g. replace {{azure_organization}} with the actual value for your organization), then deploy it. Be sure to replace the {{k8s_schedule}} variable with the desired schedule as per the Cron format.

Notes

  1. History for successful and failed jobs is restricted to 1 (change to suit you).
  2. Jobs are removed after 2 days (ttlSecondsAfterFinished: 172800). No need keep it for too long.
  3. Jobs run duration is capped at 1 hour (activeDeadlineSeconds: 3600). This should be enough time.
  4. Labels can be used to find cronjobs created.
  5. Annotations can be used to store extra data for comparison but not searching/finding e.g. package ecosystem.

Acknowledgements

The work in this repository is based on inspired and occasionally guided by some predecessors in the same area:

  1. Official Script support: code
  2. Andrew Craven's work: blog, code
  3. Chris' work: code
  4. andrcun's work on GitLab: code
  5. WeWork's work for GitLab: code

Issues & Comments

Please leave all comments, bugs, requests, and issues on the Issues page. We'll respond to your request ASAP!

About

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C# 61.1%
  • Ruby 17.4%
  • TypeScript 16.0%
  • Bicep 4.7%
  • Other 0.8%