GitHub dependabot

Estimated time to read: 4 minutes

The Dependabot for your GitHub repository. Dependabot is a tool that automatically monitors your project's dependencies and creates pull requests to update them when new versions are available.

Here's how to set up and configure Dependabot for your GitHub repository:

  1. Create a configuration file:

In your GitHub repository, create a new directory named .github, and inside that directory, create another directory named dependabot. In the dependabot directory, create a new file named dependabot.yml. This file will define your Dependabot configuration using YAML syntax.

  1. Configure Dependabot:

Edit the dependabot.yml file to define your Dependabot configuration. A basic configuration consists of the following elements:

  • version: The configuration version. For the current version, use 2.

  • updates: A list of update configurations that specify how Dependabot should update your dependencies.

Each update configuration should include the following attributes:

  • package-ecosystem: The package ecosystem for the dependencies you want to update (e.g., "npm", "pip", "bundler", "maven", etc.).

  • directory: The directory in your repository where the dependencies are defined.

  • schedule: The schedule for Dependabot to check for updates. This typically includes an interval (e.g., "daily", "weekly", "monthly").

Here's an example of a simple Dependabot configuration that checks for updates to npm dependencies in the root directory daily:

YAML
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
  1. Commit and push the configuration file:

Commit the .github/dependabot/dependabot.yml file to your repository and push it to GitHub. Dependabot will now automatically monitor your specified dependencies and create pull requests when updates are available.

  1. Customize your configuration:

You can customize your Dependabot configuration by adding additional options, such as versioning-strategy, ignore, and labels. For example:

YAML
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    versioning-strategy: "lockfile-only"
    ignore:
      - dependency-name: "express"
        versions: ["4.x"]
    labels:
      - "dependencies"
      - "automerge"

In this example, Dependabot will only update the lockfile (package-lock.json) without changing the package.json, ignore updates for the "express" dependency with version 4.x, and add "dependencies" and "automerge" labels to the generated pull requests.

For more information on configuring Dependabot and the available options, refer to the official documentation: https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates

By following these steps, you can set up and configure Dependabot for your GitHub repository to automatically monitor and update your project's dependencies.

Bonus!

Furtermore you can integrate GitHub Actions with Dependabot to automatically run tests whenever Dependabot creates a pull request to update your dependencies. This way, you can ensure that your code still works as expected after the updates.

Here's an example of how to set up a GitHub Actions workflow to run tests on a Node.js project when a Dependabot pull request is created:

  1. Create a GitHub Actions workflow file:

In your repository, create a new directory named .github, and inside that directory, create another directory named workflows if it doesn't already exist. In the workflows directory, create a new file named dependabot_tests.yml.

  1. Configure the GitHub Actions workflow:

Edit the dependabot_tests.yml file to define your GitHub Actions workflow. Here's an example of a simple workflow that runs tests on a Node.js project using npm:

YAML
name: Dependabot Tests

on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - '**.md'
    types:
      - opened
      - synchronize
      - reopened

jobs:
  test:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: 14

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test

In this example, the workflow is triggered whenever a pull request is opened, synchronized (i.e., new commits are pushed), or reopened, but only if the pull request is created by Dependabot. The workflow then checks out your code, sets up Node.js, installs your dependencies, and runs your tests using npm test.

  1. Commit and push the workflow file:

Commit the .github/workflows/dependabot_tests.yml file to your repository and push it to GitHub. Now, whenever Dependabot creates a pull request to update your dependencies, the GitHub Actions workflow will automatically run tests to ensure that your code still works as expected.

You can adapt this example to other programming languages and build systems by changing the steps in the jobs.test.steps section. For instance, if you're using Python and pip, you can set up the environment, install dependencies, and run tests using a similar workflow:

YAML
jobs:
  test:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.8

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Run tests
        run: pytest

By following these steps, you can set up a GitHub Actions workflow to automatically test your code after Dependabot updates your project's dependencies.