
Start using GitHub Dependabot

GitHub bought a service called Dependabot a while back and is now integrating it as a GitHub App into the ecosystem. This lets GitHub users automate dependency management and get alerted when a security-related update is available. For now, the service is still in beta, but it can be added to all service plans.

Let's start simple: creating .github/dependabot.yml with the content below tells Dependabot to scan all your GitHub workflows daily for GitHub Actions that have a newer release available. It will also create a pull request that can be merged once approved.

---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10

A daily scan seems fine and is limited to 10 open pull requests, but if you have many repositories to maintain, this task can become daunting. Luckily Dependabot is aware of pull requests that are still open and will update them when a newer dependency update is found. Still, going for a weekly or even monthly scan can be a better fit for your workflow. The example below runs every Friday and gives you an idea of what your work for the next week will be.

---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

Dependabot can maintain dependencies for many ecosystems, and the example below is the one I use for my development containers in VS Code and GitHub Codespaces. It checks the Dockerfile to see if the base image is outdated, and it also scans the Python dependencies for any known updates.

---
version: 2
updates:
  - package-ecosystem: docker
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

These examples are only a small introduction to Dependabot; many more options and package ecosystems are available. But for most people this is enough to get started before thinking about a more complex Semantic-Versioning-oriented update strategy.
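A mistake in dependabot.yml usually fails quietly: the file is accepted but nothing gets scanned, or a limit of 0 switches updates off for an ecosystem. As an added example (not code from this post or from GitHub), here is a small Ruby lint that reads the file with the standard-library YAML parser and checks the keys used in the configurations above: version 2, a known package-ecosystem, a directory starting with /, a schedule whose interval is daily, weekly or monthly (day only applies to weekly, time must be HH:MM and, as in the post, quoted), and an open-pull-requests-limit that is a non-negative integer. The ecosystem list is a subset of what Dependabot supports and is meant to be extended; GOOD_CONFIG is assembled from the post's own examples, and BROKEN_CONFIG is constructed to show the failure cases.

```ruby
# Added example, not from the original post or from GitHub: a lint for
# .github/dependabot.yml using Ruby's standard-library YAML parser.
require "yaml"

# Subset of the ecosystems Dependabot supports; extend as needed.
KNOWN_ECOSYSTEMS = %w[bundler cargo composer docker github-actions gomod
                      gradle maven mix npm nuget pip terraform].freeze
INTERVALS = %w[daily weekly monthly].freeze
DAYS = %w[monday tuesday wednesday thursday friday saturday sunday].freeze

# Returns a list of problems; an empty list means the config is acceptable.
def lint_dependabot(yaml_text)
  begin
    cfg = YAML.safe_load(yaml_text)
  rescue Psych::SyntaxError => e
    return ["not valid YAML: #{e.message}"]
  end
  return ["top level must be a mapping"] unless cfg.is_a?(Hash)

  errors = []
  errors << "version must be 2 (got #{cfg['version'].inspect})" unless cfg["version"] == 2
  updates = cfg["updates"]
  return errors << "updates must be a non-empty list" unless updates.is_a?(Array) && !updates.empty?

  seen = []
  updates.each_with_index do |u, i|
    where = "updates[#{i}]"
    unless u.is_a?(Hash)
      errors << "#{where}: must be a mapping"
      next
    end
    eco = u["package-ecosystem"]
    dir = u["directory"]
    errors << "#{where}: unknown package-ecosystem #{eco.inspect}" unless KNOWN_ECOSYSTEMS.include?(eco)
    errors << "#{where}: directory must start with '/'" unless dir.is_a?(String) && dir.start_with?("/")
    # The same ecosystem scanning the same directory twice is a copy-paste mistake.
    errors << "#{where}: duplicate entry for #{eco} in #{dir}" if seen.include?([eco, dir])
    seen << [eco, dir]

    sched = u["schedule"]
    if sched.is_a?(Hash)
      iv = sched["interval"]
      errors << "#{where}: schedule.interval must be one of #{INTERVALS.join(', ')}" unless INTERVALS.include?(iv)
      if sched.key?("day")
        errors << "#{where}: schedule.day only applies to interval: weekly" unless iv == "weekly"
        errors << "#{where}: schedule.day must be a weekday name" unless DAYS.include?(sched["day"])
      end
      # An unquoted 04:00 is not a string in YAML 1.1, so this also catches a missing pair of quotes.
      t = sched["time"]
      if sched.key?("time") && !(t.is_a?(String) && t.match?(/\A([01]\d|2[0-3]):[0-5]\d\z/))
        errors << "#{where}: schedule.time must be a quoted HH:MM (24-hour) string"
      end
    else
      errors << "#{where}: schedule with an interval is required"
    end

    if u.key?("open-pull-requests-limit")
      lim = u["open-pull-requests-limit"]
      errors << "#{where}: open-pull-requests-limit must be a non-negative integer" unless lim.is_a?(Integer) && lim >= 0
      # 0 is legal but turns version updates off for this ecosystem; flag it so nobody ships it by accident.
      errors << "#{where}: open-pull-requests-limit: 0 disables version updates" if lim == 0
    end
  end
  errors
end

# Assembled from the post's examples: the daily schedule on the docker entry, weekly on the rest.
GOOD_CONFIG = <<~YAML
  ---
  version: 2
  updates:
    - package-ecosystem: docker
      directory: "/"
      schedule:
        interval: daily
        time: "04:00"
      open-pull-requests-limit: 10
    - package-ecosystem: pip
      directory: "/"
      schedule:
        interval: weekly
        day: friday
      open-pull-requests-limit: 10
    - package-ecosystem: github-actions
      directory: "/"
      schedule:
        interval: weekly
        day: friday
YAML

# Constructed: relative directory, day on a monthly schedule, limit 0, and a duplicated entry.
BROKEN_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: pip
      directory: src
      schedule:
        interval: monthly
        day: friday
      open-pull-requests-limit: 0
    - package-ecosystem: pip
      directory: src
      schedule:
        interval: weekly
YAML

if __FILE__ == $0
  { "good" => GOOD_CONFIG, "broken" => BROKEN_CONFIG }.each do |name, text|
    problems = lint_dependabot(text)
    puts "#{name}: #{problems.empty? ? 'ok' : "\n  " + problems.join("\n  ")}"
  end
end
```

Run it as a pre-commit hook or a CI step on `.github/dependabot.yml`; a non-empty result is a reason to fail the build, since Dependabot itself will either reject the file or, in the limit-0 case, accept it and do nothing.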

By Hans Spaans

Unix & security consultant with a passion for Linux, Solaris, PostgreSQL, Perl and network services, but also a strong believer in open and free source, standards and content.
