Categories
DevOps

Start using GitHub Dependabot

GitHub bought a service called Dependabot a while back and is now integrating this service as a GitHub Application into the ecosystem. This allows GitHub users to automate dependency management and get alerted when a security-related update has been found. For now, this service is still in beta but can be added to all service plans.

Let's start simple: creating .github/dependabot.yml with the content below tells Dependabot to scan all your GitHub workflows daily for GitHub Actions that are defined and have a newer release available. It will also create a pull request that can be merged once approved.

---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10

A daily scan seems fine and is limited to 10 open pull requests, but if you have many repositories to maintain, this task can become daunting. Luckily Dependabot is aware of pull requests that are still open and will update them if a new dependency update is found. Still, going for a weekly or even monthly scan can be a better fit for your workflow. The example below runs every Friday and gives you an idea of what your work for the next week will be.

---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

Dependabot can maintain dependencies for many ecosystems, and the example below is one I use for my development containers in VSCode and GitHub Codespaces. It scans the Dockerfile to see if the base image is outdated, and it also scans Python dependencies for any known updates.

---
version: 2
updates:
  - package-ecosystem: docker
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    open-pull-requests-limit: 10

These examples are only a small introduction to using Dependabot; many more options and package ecosystems are available. But for most people, this is enough to get started before thinking about a complex Semantic Versioning-oriented update strategy.

Categories
Software Development

Monitoring GitHub for new releases

Big sites like GitHub or GitLab host a lot of projects and see numerous releases a day. And while you as a person can watch a repository on GitHub, you can't filter out new releases easily. At least not easily in the web interface, and checking all the repositories manually because they aren't part of a build process is too much hassle and will fail in the end. That is what happened to me with highlight.js, which was updated from version 9.11.0 to 9.12.0 months ago.

Some solutions people describe on StackOverflow, for example, are to parse the HTML and use that as the basis for actions to be executed. A quick check with grep of the output shows that we only get links to releases, but no structured data we can easily parse.

$ curl -s https://github.com/isagalaev/highlight.js/releases | grep -i releases\/tag
    <a href="/isagalaev/highlight.js/releases/tag/9.12.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.11.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.10.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.9.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.8.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.7.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.6.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.5.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.4.0">
    <a href="/isagalaev/highlight.js/releases/tag/9.3.0">

If we take the same URL and add the extension .atom to it, then GitHub presents the same data in a consumable feed format. Now we have structured data with timestamps, URLs, and descriptions.

$ curl -s https://github.com/isagalaev/highlight.js/releases.atom
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xml:lang="en-US">
  <id>tag:github.com,2008:https://github.com/isagalaev/highlight.js/releases</id>
  <link type="text/html" rel="alternate" href="https://github.com/isagalaev/highlight.js/releases"/>
  <link type="application/atom+xml" rel="self" href="https://github.com/isagalaev/highlight.js/releases.atom"/>
  <title>Release notes from highlight.js</title>
  <updated>2017-05-31T02:46:46Z</updated>
  <entry>
    <id>tag:github.com,2008:Repository/1213225/9.12.0</id>
    <updated>2017-05-31T02:46:46Z</updated>
    <link rel="alternate" type="text/html" href="/isagalaev/highlight.js/releases/tag/9.12.0"/>
    <title>9.12.0</title>
    <content type="html"><p>Version 9.12.0</p></content>
    <author>
      <name>isagalaev</name>
    </author>
    <media:thumbnail height="30" width="30" url="https://avatars2.githubusercontent.com/u/99931?v=4&s=60"/>
  </entry>
...

This data can be consumed by a custom parser or RSS readers like TT-RSS, but also by platforms like IFTTT to trigger actions such as adding it to a backlog or posting it to a Slack channel.
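As an added example (not part of the original post), here is a small custom parser in the spirit of the paragraph above: it reads the releases.atom structure shown earlier, extracts tag, timestamp and an absolute URL per entry, and reports which releases are newer than the version you currently pin. The feed is a constructed, trimmed copy of the output above (the 9.11.0 timestamp is made up); the function names are my own.

```python
"""Parse a GitHub releases.atom feed and list releases newer than a pinned version."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

# Constructed sample, trimmed from the feed shown above (second entry's date is invented).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
  <title>Release notes from highlight.js</title>
  <updated>2017-05-31T02:46:46Z</updated>
  <entry>
    <updated>2017-05-31T02:46:46Z</updated>
    <link rel="alternate" type="text/html" href="/isagalaev/highlight.js/releases/tag/9.12.0"/>
    <title>9.12.0</title>
  </entry>
  <entry>
    <updated>2017-04-10T00:00:00Z</updated>
    <link rel="alternate" type="text/html" href="/isagalaev/highlight.js/releases/tag/9.11.0"/>
    <title>9.11.0</title>
  </entry>
</feed>
"""


def parse_releases(feed_xml, base_url="https://github.com"):
    """Return [(tag, updated, absolute_url)] for every <entry>, in feed order (newest first)."""
    root = ET.fromstring(feed_xml)
    releases = []
    for entry in root.findall("atom:entry", ATOM_NS):
        tag = entry.findtext("atom:title", default="", namespaces=ATOM_NS).strip()
        updated = entry.findtext("atom:updated", default="", namespaces=ATOM_NS)
        link = entry.find("atom:link[@rel='alternate']", ATOM_NS)
        href = link.get("href", "") if link is not None else ""
        # GitHub emits repository-relative hrefs; make them absolute for notifications.
        releases.append((tag, updated, urljoin(base_url, href)))
    return releases


def version_key(tag):
    """Turn '9.12.0' or 'v9.12.0' into a comparable tuple; non-numeric parts sort lowest."""
    parts = re.split(r"[.\-]", tag.lstrip("vV"))
    return tuple(int(p) if p.isdigit() else -1 for p in parts)


def newer_releases(feed_xml, pinned):
    """Tags in the feed that are strictly newer than the version currently pinned."""
    key = version_key(pinned)
    return [tag for tag, _, _ in parse_releases(feed_xml) if version_key(tag) > key]


if __name__ == "__main__":
    print(newer_releases(SAMPLE_FEED, "9.11.0"))  # → ['9.12.0']
```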