First, pull the Docker image to your machine:

```bash
docker pull ghcr.io/tinglesoftware/dependabot-updater
```
Next, create and run a container from the image. The `-e` values include tokens: anything passed this way ends up in shell history and in the `docker inspect` output of the container, so in CI supply them from the secret store or an `--env-file` rather than typing them literally:

```bash
docker run --rm -t \
-e GITHUB_ACCESS_TOKEN=<your-github-token-here> \
-e DEPENDABOT_PACKAGE_MANAGER=<your-package-manager-here> \
-e DEPENDABOT_DIRECTORY=/ \
-e DEPENDABOT_TARGET_BRANCH=<your-target-branch> \
-e DEPENDABOT_VERSIONING_STRATEGY=<your-versioning-strategy> \
-e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
-e DEPENDABOT_EXTRA_CREDENTIALS=<your-extra-credentials> \
-e DEPENDABOT_ALLOW_CONDITIONS=<your-allowed-packages> \
-e DEPENDABOT_BRANCH_NAME_SEPARATOR=<your-custom-separator> \
-e DEPENDABOT_MILESTONE=<your-work-item-id> \
-e DEPENDABOT_UPDATER_OPTIONS=<your-updater-options> \
-e AZURE_PROTOCOL=<your-azure-devops-installation-transport-protocol> \
-e AZURE_HOSTNAME=<your-azure-devops-installation-hostname> \
-e AZURE_PORT=<your-azure-devops-installation-port> \
-e AZURE_VIRTUAL_DIRECTORY=<your-azure-devops-installation-virtual-directory> \
-e AZURE_ACCESS_TOKEN=<your-devops-token-here> \
-e AZURE_ORGANIZATION=<your-organization-here> \
-e AZURE_PROJECT=<your-project-here> \
-e AZURE_REPOSITORY=<your-repository-here> \
-e AZURE_SET_AUTO_COMPLETE=<true/false> \
-e AZURE_AUTO_APPROVE_PR=<true/false> \
-e AZURE_AUTO_APPROVE_USER_TOKEN=<approving-user-token-here> \
ghcr.io/tinglesoftware/dependabot-updater
```
An example for Azure DevOps Services:

```bash
docker run --rm -t \
-e GITHUB_ACCESS_TOKEN=ijkl..mnop \
-e DEPENDABOT_PACKAGE_MANAGER=nuget \
-e DEPENDABOT_DIRECTORY=/ \
-e DEPENDABOT_TARGET_BRANCH=main \
-e DEPENDABOT_VERSIONING_STRATEGY=auto \
-e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
-e DEPENDABOT_EXTRA_CREDENTIALS='[{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}]' \
-e DEPENDABOT_ALLOW_CONDITIONS='[{"dependency-name":"django*","dependency-type":"direct"}]' \
-e DEPENDABOT_BRANCH_NAME_SEPARATOR='/' \
-e DEPENDABOT_MILESTONE=123 \
-e DEPENDABOT_UPDATER_OPTIONS='goprivate=true,kubernetes_updates=true' \
-e AZURE_HOSTNAME=dev.azure.com \
-e AZURE_ACCESS_TOKEN=abcd..efgh \
-e AZURE_ORGANIZATION=tinglesoftware \
-e AZURE_PROJECT=oss \
-e AZURE_REPOSITORY=repro-411 \
-e AZURE_SET_AUTO_COMPLETE=true \
-e AZURE_AUTO_APPROVE_PR=true \
-e AZURE_AUTO_APPROVE_USER_TOKEN=ijkl..mnop \
ghcr.io/tinglesoftware/dependabot-updater
```
An example for Azure DevOps Server (on-premises, here reachable over plain HTTP on port 8080 under the `tfs` virtual directory):

```bash
docker run --rm -t \
-e GITHUB_ACCESS_TOKEN=ijkl..mnop \
-e DEPENDABOT_PACKAGE_MANAGER=nuget \
-e DEPENDABOT_DIRECTORY=/ \
-e DEPENDABOT_TARGET_BRANCH=main \
-e DEPENDABOT_VERSIONING_STRATEGY=auto \
-e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
-e DEPENDABOT_EXTRA_CREDENTIALS='[{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}]' \
-e DEPENDABOT_ALLOW_CONDITIONS='[{"dependency-name":"django*","dependency-type":"direct"}]' \
-e DEPENDABOT_BRANCH_NAME_SEPARATOR='/' \
-e DEPENDABOT_MILESTONE=123 \
-e DEPENDABOT_UPDATER_OPTIONS='goprivate=true,kubernetes_updates=true' \
-e AZURE_PROTOCOL=http \
-e AZURE_HOSTNAME=my-devops.com \
-e AZURE_PORT=8080 \
-e AZURE_VIRTUAL_DIRECTORY=tfs \
-e AZURE_ACCESS_TOKEN=abcd..efgh \
-e AZURE_ORGANIZATION=tinglesoftware \
-e AZURE_PROJECT=oss \
-e AZURE_REPOSITORY=repro-411 \
-e AZURE_SET_AUTO_COMPLETE=true \
-e AZURE_AUTO_APPROVE_PR=true \
-e AZURE_AUTO_APPROVE_USER_TOKEN=ijkl..mnop \
ghcr.io/tinglesoftware/dependabot-updater
```
The script inside the container is configured entirely through environment variables; the ones marked Required must be set.

| Variable Name | Description |
|---|---|
| `GITHUB_ACCESS_TOKEN` | Optional. A GitHub token (classic) used to authenticate requests against public GitHub repositories, which avoids rate-limiting errors. The token only needs permission to read public repositories. See the GitHub documentation on Personal Access Tokens. |
| `DEPENDABOT_PACKAGE_MANAGER` | Required. The type of packages to check for dependency upgrades. Examples: `nuget`, `maven`, `gradle`, `npm_and_yarn`, etc. See the updater script or the docs for the full list. |
| `DEPENDABOT_DIRECTORY` | Optional. The directory in which dependencies are checked. When not specified, the root of the repository (`/`) is used. |
| `DEPENDABOT_TARGET_BRANCH` | Optional. The branch to target when creating a pull request. When not specified, Dependabot resolves the default branch of the repository. |
| `DEPENDABOT_VERSIONING_STRATEGY` | Optional. The versioning strategy to use. See the official docs for the allowed values. |
| `DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT` | Optional. The maximum number of open pull requests to have at any one time. Defaults to 5. Setting it to 0 means security-only updates. |
| `DEPENDABOT_EXTRA_CREDENTIALS` | Optional. Extra credentials in JSON format, used to access private NuGet feeds, Docker registries, Maven repositories, etc. For example, authentication for a private npm registry (FontAwesome Pro): `[{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}]`. |
| `DEPENDABOT_ALLOW_CONDITIONS` | Optional. The dependencies whose updates are allowed, in JSON format. This can be used to control which packages can be updated. For example: `[{"dependency-name":"django*","dependency-type":"direct"}]`. See the official docs for more. |
| `DEPENDABOT_IGNORE_CONDITIONS` | Optional. The dependencies to be ignored, in JSON format. This can be used to control which packages are not updated. For example: `[{"dependency-name":"express","versions":["4.x","5.x"]}]`. See the official docs for more. This variable is intentionally not passed from the extension/server to the container by default; the Ruby script inside the container picks up ignore conditions from the configuration file automatically. Only set it if you want to override what is in the configuration file and are comfortable with the resulting untidiness. If you run into problems, search for related issues such as tinglesoftware#582 before creating a new one. You can also test against reproductions such as https://dev.azure.com/tingle/dependabot/_git/repro-582. |
| `DEPENDABOT_LABELS` | Optional. Custom labels to apply, in JSON format, overriding the default values. For example: `["npm dependencies","triage-board"]`. See the official docs for more. |
| `DEPENDABOT_REVIEWERS` | Optional. The identifiers of the users to review the pull requests, in JSON format. These are added as optional approvers. For example: `["23d9f23d-981e-4a0c-a975-8e5c665914ec","62b67ef1-58e9-4be9-83d3-690a6fc67d6b"]`. |
| `DEPENDABOT_ASSIGNEES` | Optional. The identifiers of the users to assign to the pull requests, in JSON format. These are added as required approvers. For example: `["be9321e2-f404-4ffa-8d6b-44efddb04865"]`. |
| `DEPENDABOT_BRANCH_NAME_SEPARATOR` | Optional. The separator to use in created branch names. For example: `-`. See the official docs for more. |
| `DEPENDABOT_REJECT_EXTERNAL_CODE` | Optional. Set to `true` to have the updater reject execution of external code during the update. Defaults to `false`, in which case such code runs inside the container, where the tokens above are present in the environment. |
| `DEPENDABOT_FAIL_ON_EXCEPTION` | Optional. Determines whether the run should fail when an exception occurs. Defaults to `true`. |
| `DEPENDABOT_SECURITY_ADVISORIES_FILE` | Optional. The absolute path of a file containing security advisories in JSON format. For example: `/mnt/security_advisories/nuget-2022-12-13.json`. |
| `DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK` | Optional. Excludes certain dependency update requirement levels. See the list of allowed values. Useful if you have many dependencies and the update script is too slow. The values are space-separated. Example: `own all` to only use the `none` version requirement. |
| `DEPENDABOT_MILESTONE` | Optional. The identifier of the work item to link to the pull requests that Dependabot creates. |
| `DEPENDABOT_UPDATER_OPTIONS` | Optional. Comma-separated list of updater options; the available options depend on the package manager. Example: `goprivate=true,kubernetes_updates=true`. |
| `DEPENDABOT_SKIP_PULL_REQUESTS` | Optional. Determines whether to skip creating and updating pull requests. When set to `true`, the dependency update logic runs but no pull requests are created or updated. Useful for debugging, or as a dry run before enabling auto-complete. Defaults to `false`. |
| `DEPENDABOT_AUTHOR_EMAIL` | Optional. The email address to use for the author of the change commits. In private Azure DevOps Server deployments this can be used to associate the committer with an existing account, for example to show a profile picture. |
| `DEPENDABOT_AUTHOR_NAME` | Optional. The display name to use for the author of the change commits. |
| `AZURE_PROTOCOL` | Optional. The transport protocol (`http` or `https`) used by your Azure DevOps installation. Defaults to `https`. |
| `AZURE_HOSTNAME` | Optional. The hostname where the organization is hosted. Defaults to `dev.azure.com`, but older organizations may use the format `xxx.visualstudio.com`; check the URL in the browser. For Azure DevOps Server this may be an internal name such as `localhost` or one you have exposed publicly via DNS. |
| `AZURE_PORT` | Optional. The TCP port used by your Azure DevOps installation. Defaults to `80` or `443`, depending on the protocol. |
| `AZURE_VIRTUAL_DIRECTORY` | Optional. Some Azure DevOps Server installations are hosted in an IIS virtual directory, traditionally named `tfs`. This variable sets the name of that virtual directory. Not set by default. |
| `AZURE_ACCESS_USERNAME` | Optional. When set, the value of `AZURE_ACCESS_TOKEN` is treated as this user's password and HTTP basic authentication is used when connecting to Azure DevOps. Not set by default. |
| `AZURE_ACCESS_TOKEN` | Required. The Azure DevOps Personal Access Token (PAT) used to access the repository and create pull requests. Required scopes: Code (Full) and Pull Request Threads (Read & Write). Treat it as a secret: it can push branches and open pull requests in the repository. See the Azure DevOps documentation on creating a Personal Access Token. |
| `AZURE_ORGANIZATION` | Required. The name of the Azure DevOps organization. This can be taken from the URL of the home page: `https://dev.azure.com/{organization}/`. |
| `AZURE_PROJECT` | Required. The name of the Azure DevOps project within the organization. This can be taken from the URL too: `https://dev.azure.com/{organization}/{project}/`. |
| `AZURE_REPOSITORY` | Required. The name of the Azure DevOps repository within the project to run Dependabot against. This can be taken from the URL of the repository: `https://dev.azure.com/{organization}/{project}/_git/{repository}/`. |
| `AZURE_SET_AUTO_COMPLETE` | Optional. Determines whether the pull requests Dependabot creates should have auto-complete set. When `true`, pull requests that pass all branch policies are merged automatically, so those policies (build validation, required reviewers) are the only gate before an update lands. |
| `AZURE_AUTO_COMPLETE_IGNORE_CONFIG_IDS` | Optional. List of policy configuration IDs that auto-complete should not wait for. Only applies to optional policies; auto-complete always waits for required (blocking) policies. |
| `AZURE_AUTO_APPROVE_PR` | Optional. Determines whether the pull requests Dependabot creates should be automatically approved. When `true`, each pull request receives an approval vote (see `AZURE_AUTO_APPROVE_USER_TOKEN`). Combined with `AZURE_SET_AUTO_COMPLETE=true`, dependency updates can merge without anyone looking at them. |
| `AZURE_AUTO_APPROVE_USER_TOKEN` | Optional. A Personal Access Token for the user that will approve the created pull requests. `AZURE_AUTO_APPROVE_PR` must be set to `true` for this to take effect. The approval is recorded as that user's vote, so if your branch policy does not allow requestors to approve their own changes, use a token for an account other than the one behind `AZURE_ACCESS_TOKEN`. |
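The following wrapper is an added example, not code from the dependabot-azure-devops project. It turns the table above into a Docker `--env-file` so that the tokens never appear on the `docker run` command line (and hence in shell history or `docker inspect` output), refuses to start when a Required variable is missing, and forwards Optional variables only when they are set. It assumes the caller has exported the variables into its environment first, for example from a CI secret store; the function names and the temporary-file handling are this example's own.

```bash
#!/usr/bin/env sh
# Added example (not from the dependabot-azure-devops project): build an
# --env-file for the updater container from the variables in the table above.
# Assumption: the caller exports the variables into the environment first.

# Variables the table marks Required.
REQUIRED_VARS="DEPENDABOT_PACKAGE_MANAGER AZURE_ACCESS_TOKEN AZURE_ORGANIZATION AZURE_PROJECT AZURE_REPOSITORY"

# Variables the table marks Optional; forwarded only when set and non-empty.
OPTIONAL_VARS="GITHUB_ACCESS_TOKEN DEPENDABOT_DIRECTORY DEPENDABOT_TARGET_BRANCH
DEPENDABOT_VERSIONING_STRATEGY DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT
DEPENDABOT_EXTRA_CREDENTIALS DEPENDABOT_ALLOW_CONDITIONS DEPENDABOT_IGNORE_CONDITIONS
DEPENDABOT_LABELS DEPENDABOT_REVIEWERS DEPENDABOT_ASSIGNEES
DEPENDABOT_BRANCH_NAME_SEPARATOR DEPENDABOT_REJECT_EXTERNAL_CODE
DEPENDABOT_FAIL_ON_EXCEPTION DEPENDABOT_SECURITY_ADVISORIES_FILE
DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK DEPENDABOT_MILESTONE
DEPENDABOT_UPDATER_OPTIONS DEPENDABOT_SKIP_PULL_REQUESTS
DEPENDABOT_AUTHOR_EMAIL DEPENDABOT_AUTHOR_NAME
AZURE_PROTOCOL AZURE_HOSTNAME AZURE_PORT AZURE_VIRTUAL_DIRECTORY
AZURE_ACCESS_USERNAME AZURE_SET_AUTO_COMPLETE AZURE_AUTO_COMPLETE_IGNORE_CONFIG_IDS
AZURE_AUTO_APPROVE_PR AZURE_AUTO_APPROVE_USER_TOKEN"

# check_required: report unset or empty Required variables on stderr and
# return 1. Also warn when AZURE_AUTO_APPROVE_USER_TOKEN is set without
# AZURE_AUTO_APPROVE_PR=true, since the table says it has no effect then.
check_required() {
  missing=""
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required variables:$missing" >&2
    return 1
  fi
  if [ -n "${AZURE_AUTO_APPROVE_USER_TOKEN:-}" ] && [ "${AZURE_AUTO_APPROVE_PR:-}" != "true" ]; then
    echo "warning: AZURE_AUTO_APPROVE_USER_TOKEN is set but AZURE_AUTO_APPROVE_PR is not true" >&2
  fi
  return 0
}

# write_env_file OUT: write NAME=VALUE lines to OUT, readable by the owner only.
# Docker reads --env-file values verbatim (no quoting, no escaping), so JSON
# values such as DEPENDABOT_EXTRA_CREDENTIALS go in as-is; a value containing
# a newline cannot be represented in that format and is rejected.
write_env_file() {
  out="$1"
  check_required || return 1
  nl=$(printf '\n.'); nl=${nl%.}        # a literal newline for the pattern below
  : > "$out" && chmod 600 "$out" || return 1
  for name in $REQUIRED_VARS $OPTIONAL_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || continue
    case "$value" in
      *"$nl"*) echo "$name contains a newline; cannot be passed via --env-file" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$name" "$value" >> "$out"
  done
}

# run_updater: write the env file to a private temporary file, run the
# container with it, and remove the file afterwards whatever the outcome.
run_updater() {
  env_file=$(mktemp) || return 1
  status=0
  if write_env_file "$env_file"; then
    docker run --rm -t --env-file "$env_file" ghcr.io/tinglesoftware/dependabot-updater || status=$?
  else
    status=1
  fi
  rm -f "$env_file"
  return $status
}
```

Usage: source the file, export the variables from the table (for example `export AZURE_ACCESS_TOKEN="$(cat /run/secrets/azure_pat)"`), then call `run_updater`. Note that the tokens are still visible inside the container's environment, which is why `DEPENDABOT_REJECT_EXTERNAL_CODE` matters when the repository being updated is not fully trusted.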