Skip to content

Latest commit

 

History

History
140 lines (129 loc) · 13.5 KB

updater.md

File metadata and controls

140 lines (129 loc) · 13.5 KB

Running the updater

First, you need to pull the docker image locally to your machine:

docker pull ghcr.io/tinglesoftware/dependabot-updater-<ecosystem>

Next create and run a container from the image:

docker run --rm -t \
           -e GITHUB_ACCESS_TOKEN=<your-github-token-here> \
           -e DEPENDABOT_PACKAGE_MANAGER=<your-package-manager-here> \
           -e DEPENDABOT_DIRECTORY=/ \
           -e DEPENDABOT_TARGET_BRANCH=<your-target-branch> \
           -e DEPENDABOT_VERSIONING_STRATEGY=<your-versioning-strategy> \
           -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
           -e DEPENDABOT_EXTRA_CREDENTIALS=<your-extra-credentials> \
           -e DEPENDABOT_ALLOW_CONDITIONS=<your-allowed-packages> \
           -e DEPENDABOT_IGNORE_CONDITIONS=<your-ignored-packages> \
           -e DEPENDABOT_COMMIT_MESSAGE_OPTIONS=<your-commit-message-options> \
           -e DEPENDABOT_BRANCH_NAME_SEPARATOR=<your-custom-separator> \
           -e DEPENDABOT_MILESTONE=<your-work-item-id> \
           -e DEPENDABOT_UPDATER_OPTIONS=<your-updater-options> \
           -e AZURE_PROTOCOL=<your-azure-devops-installation-transport-protocol> \
           -e AZURE_HOSTNAME=<your-azure-devops-installation-hostname> \
           -e AZURE_PORT=<your-azure-devops-installation-port> \
           -e AZURE_VIRTUAL_DIRECTORY=<your-azure-devops-installation-virtual-directory> \
           -e AZURE_ACCESS_TOKEN=<your-devops-token-here> \
           -e AZURE_ORGANIZATION=<your-organization-here> \
           -e AZURE_PROJECT=<your-project-here> \
           -e AZURE_REPOSITORY=<your-repository-here> \
           -e AZURE_SET_AUTO_COMPLETE=<true/false> \
           -e AZURE_AUTO_APPROVE_PR=<true/false> \
           -e AZURE_AUTO_APPROVE_USER_TOKEN=<approving-user-token-here> \
           ghcr.io/tinglesoftware/dependabot-updater-<ecosystem> update_script

An example, for Azure DevOps Services:

docker run --rm -t \
           -e GITHUB_ACCESS_TOKEN=ijkl..mnop \
           -e DEPENDABOT_PACKAGE_MANAGER=nuget \
           -e DEPENDABOT_DIRECTORY=/ \
           -e DEPENDABOT_TARGET_BRANCH=main \
           -e DEPENDABOT_VERSIONING_STRATEGY=auto \
           -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
           -e DEPENDABOT_EXTRA_CREDENTIALS='[{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}]' \
           -e DEPENDABOT_ALLOW_CONDITIONS='[{"dependency-name":"django*","dependency-type":"direct"}]' \
           -e DEPENDABOT_IGNORE_CONDITIONS='[{"dependency-name":"@types/*"}]' \
           -e DEPENDABOT_COMMIT_MESSAGE_OPTIONS='{"prefix":"(dependabot)"}' \
           -e DEPENDABOT_BRANCH_NAME_SEPARATOR='/' \
           -e DEPENDABOT_MILESTONE=123 \
           -e DEPENDABOT_UPDATER_OPTIONS='goprivate=true,kubernetes_updates=true' \
           -e AZURE_HOSTNAME=dev.azure.com \
           -e AZURE_ACCESS_TOKEN=abcd..efgh \
           -e AZURE_ORGANIZATION=tinglesoftware \
           -e AZURE_PROJECT=oss \
           -e AZURE_REPOSITORY=repro-411 \
           -e AZURE_SET_AUTO_COMPLETE=true \
           -e AZURE_AUTO_APPROVE_PR=true \
           -e AZURE_AUTO_APPROVE_USER_TOKEN=ijkl..mnop \
           ghcr.io/tinglesoftware/dependabot-updater-nuget update_script

An example, for Azure DevOps Server:

docker run --rm -t \
           -e GITHUB_ACCESS_TOKEN=ijkl..mnop \
           -e DEPENDABOT_PACKAGE_MANAGER=nuget \
           -e DEPENDABOT_DIRECTORY=/ \
           -e DEPENDABOT_TARGET_BRANCH=main \
           -e DEPENDABOT_VERSIONING_STRATEGY=auto \
           -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
           -e DEPENDABOT_EXTRA_CREDENTIALS='[{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}]' \
           -e DEPENDABOT_ALLOW_CONDITIONS='[{"dependency-name":"django*","dependency-type":"direct"}]' \
           -e DEPENDABOT_IGNORE_CONDITIONS='[{"dependency-name":"@types/*"}]' \
           -e DEPENDABOT_COMMIT_MESSAGE_OPTIONS='{"prefix":"(dependabot)"}' \
           -e DEPENDABOT_BRANCH_NAME_SEPARATOR='/' \
           -e DEPENDABOT_MILESTONE=123 \
           -e DEPENDABOT_UPDATER_OPTIONS='goprivate=true,kubernetes_updates=true' \
           -e AZURE_PROTOCOL=http \
           -e AZURE_HOSTNAME=my-devops.com \
           -e AZURE_PORT=8080 \
           -e AZURE_VIRTUAL_DIRECTORY=tfs \
           -e AZURE_ACCESS_TOKEN=abcd..efgh \
           -e AZURE_ORGANIZATION=tinglesoftware \
           -e AZURE_PROJECT=oss \
           -e AZURE_REPOSITORY=repro-411 \
           -e AZURE_SET_AUTO_COMPLETE=true \
           -e AZURE_AUTO_APPROVE_PR=true \
           -e AZURE_AUTO_APPROVE_USER_TOKEN=ijkl..mnop \
           ghcr.io/tinglesoftware/dependabot-updater-nuget update_script

Environment Variables

To run the script, some environment variables are required.

Variable Name Description
GITHUB_ACCESS_TOKEN Optional. The GitHub token (classic) for authenticating requests against GitHub public repositories. This is useful to avoid rate limiting errors. The token must include permissions to read public repositories. See the documentation for more on Personal Access Tokens.
DEPENDABOT_PACKAGE_MANAGER Required. The type of packages to check for dependency upgrades. Examples: nuget, maven, gradle, npm_and_yarn, etc. See the updated-script or docs for more.
DEPENDABOT_DIRECTORY Optional. The directory in which dependencies are to be checked. When not specified, the root of the repository (denoted as '/') is used.
DEPENDABOT_TARGET_BRANCH Optional. The branch to be targeted when creating a pull request. When not specified, Dependabot will resolve the default branch of the repository.
DEPENDABOT_VERSIONING_STRATEGY Optional. The versioning strategy to use. See official docs for the allowed values
DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT Optional. The maximum number of open pull requests to have at any one time. Defaults to 5. Setting to 0 implies security only updates.
DEPENDABOT_EXTRA_CREDENTIALS Optional. The extra credentials in JSON format. Extra credentials can be used to access private NuGet feeds, docker registries, maven repositories, etc. For example a private registry authentication (For example FontAwesome Pro: [{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}])
DEPENDABOT_ALLOW_CONDITIONS Optional. The dependencies whose updates are allowed, in JSON format. This can be used to control which packages can be updated. For example: [{\"dependency-name\":"django*",\"dependency-type\":\"direct\"}]. See official docs for more.
DEPENDABOT_IGNORE_CONDITIONS Optional. The dependencies to be ignored, in JSON format. This can be used to control which packages can be updated. For example: [{\"dependency-name\":\"express\",\"versions\":[\"4.x\",\"5.x\"]}]. See official docs for more.
DEPENDABOT_COMMIT_MESSAGE_OPTIONS Optional. The commit message options, in JSON format. For example: {\"prefix\":\"(dependabot)\"}. See official docs for more.
DEPENDABOT_LABELS Optional. The custom labels to be used, in JSON format. This can be used to override the default values. For example: [\"npm dependencies\",\"triage-board\"]. See official docs for more.
DEPENDABOT_REVIEWERS Optional. The identifiers of the users to review the pull requests, in JSON format. These shall be added as optional approvers. For example: [\"23d9f23d-981e-4a0c-a975-8e5c665914ec\",\"62b67ef1-58e9-4be9-83d3-690a6fc67d6b\"].
DEPENDABOT_ASSIGNEES Optional. The identifiers of the users to be assigned to the pull requests, in JSON format. These shall be added as required approvers. For example: [\"be9321e2-f404-4ffa-8d6b-44efddb04865\"].
DEPENDABOT_BRANCH_NAME_SEPARATOR Optional. The separator to use in created branches. For example: -. See official docs for more.
DEPENDABOT_REJECT_EXTERNAL_CODE Optional. Determines if the execution external code is allowed. Defaults to false.
DEPENDABOT_FAIL_ON_EXCEPTION Optional. Determines if the execution should fail when an exception occurs. Defaults to true.
DEPENDABOT_SECURITY_ADVISORIES_FILE Optional. The absolute file path containing security advisories in JSON format. For example: /mnt/security_advisories/nuget-2022-12-13.json
DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK Optional. Exclude certain dependency updates requirements. See list of allowed values here. Useful if you have lots of dependencies and the update script too slow. The values provided are space-separated. Example: own all to only use the none version requirement.
DEPENDABOT_MILESTONE Optional. The identifier of the work item to be linked to the Pull Requests that dependabot creates.
DEPENDABOT_UPDATER_OPTIONS Optional. Comma separated list of updater options; available options depend on PACKAGE_MANAGER. Example: goprivate=true,kubernetes_updates=true.
DEPENDABOT_SKIP_PULL_REQUESTS Optional. Determines whether to skip creation and updating of pull requests. When set to true the logic to update the dependencies is executed but the actual Pull Requests are not created/updated. This is useful for debugging. Defaults to false.
DEPENDABOT_AUTHOR_EMAIL Optional. The email address to use for the change commit author, can be used e.g. in private Azure DevOps Server deployments to associate the committer with an existing account, to provide a profile picture.
DEPENDABOT_AUTHOR_NAME Optional. The display name to use for the change commit author.
AZURE_PROTOCOL Optional. The transport protocol (http or https) used by your Azure DevOps installation. Defaults to https.
AZURE_HOSTNAME Optional. The hostname of the where the organization is hosted. Defaults to dev.azure.com but for older organizations this may have the format xxx.visualstudio.com. Check the url on the browser. For Azure DevOps Server, this may be the unexposed one e.g. localhost or one that you have exposed publicly via DNS.
AZURE_PORT Optional. The TCP port used by your Azure DevOps installation. Defaults to 80 or 443, depending on the indicated protocol.
AZURE_VIRTUAL_DIRECTORY Optional. Some Azure DevOps Server installations are hosted in an IIS virtual directory, traditionally named tfs. This variable can be used to define the name of that virtual directory. By default, this is not set.
AZURE_ACCESS_USERNAME Optional. This Variable can be used together with the User Password in the Access Token Variable to use basic Auth when connecting to Azure Dev Ops. By default, this is not set.
AZURE_ACCESS_TOKEN Required. The Personal Access in Azure DevOps for accessing the repository and creating pull requests. The required permissions are:
- Code (Full)
- Pull Requests Threads (Read & Write).
See the documentation to know more about creating a Personal Access Token
AZURE_ORGANIZATION Required. The name of the Azure DevOps Organization. This is can be extracted from the URL of the home page. https://dev.azure.com/{organization}/
AZURE_PROJECT Required. The name of the Azure DevOps Project within the above organization. This can be extracted them the URL too. https://dev.azure.com/{organization}/{project}/
AZURE_REPOSITORY Required. The name of the Azure DevOps Repository within the above project to run Dependabot against. This can be extracted from the URL of the repository. https://dev.azure.com/{organization}/{project}/_git/{repository}/
AZURE_SET_AUTO_COMPLETE Optional. Determines if the pull requests that dependabot creates should have auto complete set. When set to true, pull requests that pass all policies will be merged automatically
AZURE_AUTO_COMPLETE_IGNORE_CONFIG_IDS Optional. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.
AZURE_AUTO_APPROVE_PR Optional. Determines if the pull requests that dependabot creates should be automatically completed. When set to true, pull requests will be approved automatically.
AZURE_AUTO_APPROVE_USER_TOKEN Optional. A personal access token for the user to automatically approve the created PR. AZURE_AUTO_APPROVE_PR must be set to true for this to work.