mburumaxwell/dependabot-azure-devops: Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com

Dependabot for Azure DevOps

This repository contains tools for updating dependencies in Azure DevOps repositories using Dependabot.

In this repository you'll find:

  1. Azure DevOps Extension, source code and docs.
  2. Dependabot Server, source code and docs.

Warning

It is strongly recommended that you complete (or abandon) all active pull requests created by the same user that were created manually or using earlier versions of the task.

Dependabot for Azure DevOps must be explicitly configured to run in your organisation; creating a dependabot.yml file alone is not enough to enable updates. There are two ways to enable Dependabot, using:

You can also read guides written by others:

If you have written a good piece, you can share it then we can add it here.

Using a configuration file

Similar to the GitHub-hosted version, Dependabot is configured using a dependabot.yml file located at .azuredevops/dependabot.yml or .github/dependabot.yml in your repository.

Most official configuration options are supported; see unsupported features and configurations for more details.

Configuring private feeds and registries

Besides accessing the repository, Dependabot may sometimes need to access private feeds or registries, for example a private NuGet feed or a company-internal Docker registry.

Private registries are configured in dependabot.yml; refer to the official documentation.

Example:

```yaml
version: 2
registries:
  # Azure DevOps private feed, all views
  my-analyzers:
    type: nuget-feed
    url: https://dev.azure.com/organization2/_packaging/my-analyzers/nuget/v3/index.json
    token: PAT:${{ MY_DEPENDABOT_ADO_PAT }}

  # Azure DevOps private feed, "Release" view only
  my-Extern@Release:
    type: nuget-feed
    url: https://dev.azure.com/organization1/_packaging/my-Extern@Release/nuget/v3/index.json
    token: PAT:${{ MY_DEPENDABOT_ADO_PAT }}

  # Artifactory private feed using PAT
  artifactory:
    type: nuget-feed
    url: https://artifactory.com/api/nuget/v3/myfeed
    token: PAT:${{ MY_DEPENDABOT_ARTIFACTORY_PAT }}

  # Other private feed using basic auth (username/password)
  telerik:
    type: nuget-feed
    url: https://nuget.telerik.com/v3/index.json
    username: ${{ MY_TELERIK_USERNAME }}
    password: ${{ MY_TELERIK_PASSWORD }}
    token: ${{ MY_TELERIK_USERNAME }}:${{ MY_TELERIK_PASSWORD }}

updates:
  # ...
```

Note when using authentication secrets in configuration files:

Important

The ${{ VARIABLE_NAME }} notation is used like described here, BUT the values are taken from pipeline environment variables. Template variables are not supported for this replacement. Replacement only works for values considered secret in the registries section, i.e. username, password, token, and key.

When using an Azure DevOps Artifact feed, the token format must be PAT:${{ VARIABLE_NAME }} where VARIABLE_NAME is a pipeline/environment variable containing the PAT token. The PAT must:

  1. Have Packaging (Read) permission.
  2. Be issued by a user with permission to the feed, either directly or via a group. An easy way to do this is to give Contributor permissions to the [{project_name}]\Contributors group under the Feed Settings -> Permissions page. The page has the url format: https://dev.azure.com/{organization}/{project}/_packaging?_a=settings&feed={feed-name}&view=permissions.
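As an added example (not part of this README or of the extension's own code), the following Python script applies the substitution rules above to a dependabot.yml before the pipeline runs: it replaces ${{ VARIABLE_NAME }} placeholders from environment variables only for username, password, token and key entries under registries, reports placeholders in any other field (those are never replaced), reports variables that are not set, and checks that tokens for Azure DevOps feeds carry the PAT: prefix. The sample config and the variable value are constructed; the pkgs.visualstudio.com feed host is an assumption added here, not something the README mentions.

```python
import os
import re

# Only these keys under `registries` take ${{ VARIABLE_NAME }} substitution
# from pipeline environment variables (per the README note above).
SECRET_KEYS = {"username", "password", "token", "key"}

# Azure DevOps Artifacts feed hosts whose tokens must use the PAT: prefix.
# dev.azure.com is the host used in the README examples; pkgs.visualstudio.com
# is an assumption about the older host name, not taken from the README.
AZURE_DEVOPS_FEED_HOSTS = ("dev.azure.com", "pkgs.visualstudio.com")

# ${{ NAME }} with optional spaces inside the braces.
PLACEHOLDER = re.compile(r"\$\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample config: one correct feed and one with two mistakes
# (a placeholder in `url`, which is never replaced, and a token without PAT:).
SAMPLE_CONFIG = """\
version: 2
registries:
  my-analyzers:
    type: nuget-feed
    url: https://dev.azure.com/organization2/_packaging/my-analyzers/nuget/v3/index.json
    token: PAT:${{ MY_DEPENDABOT_ADO_PAT }}
  bad-feed:
    type: nuget-feed
    url: https://dev.azure.com/${{ ORG_NAME }}/_packaging/feed/nuget/v3/index.json
    token: ${{ MY_DEPENDABOT_ADO_PAT }}
updates:
  - package-ecosystem: nuget
    directory: /
    open-pull-requests-limit: 0
"""


def _walk(config_text):
    """Yield (section, indent, key, value, line) for every line of the flat config.

    A minimal line-based reader so no YAML library is required; blank and
    comment lines are yielded with indent/key/value set to None.
    """
    section = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield section, None, None, None, line
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            section = stripped.split(":", 1)[0]
        key, _, value = stripped.partition(":")
        yield section, indent, key.strip(), value.strip(), line


def parse_registries(config_text):
    """Return {registry_name: {key: raw_value}} for the `registries:` block."""
    registries, current = {}, None
    for section, indent, key, value, _ in _walk(config_text):
        if section != "registries" or indent is None:
            continue
        if indent == 2 and value == "":
            current = key
            registries[current] = {}
        elif indent == 4 and current is not None:
            registries[current][key] = value
    return registries


def check_config(config_text, env):
    """Return a list of human-readable problems; an empty list means ready to run."""
    problems = []
    for name, props in parse_registries(config_text).items():
        for key, value in props.items():
            variables = PLACEHOLDER.findall(value)
            if key not in SECRET_KEYS:
                for var in variables:
                    problems.append(f"{name}.{key}: ${{{{ {var} }}}} is not replaced outside secret fields")
                continue
            for var in variables:
                if var not in env:
                    problems.append(f"{name}.{key}: pipeline variable {var} is not set")
        url, token = props.get("url", ""), props.get("token", "")
        if token and any(host in url for host in AZURE_DEVOPS_FEED_HOSTS) and not token.startswith("PAT:"):
            problems.append(f"{name}.token: Azure DevOps feed tokens must use the PAT:${{{{ VARIABLE_NAME }}}} form")
    return problems


def resolve_secrets(config_text, env):
    """Rewrite the config the way the task would: placeholders in secret fields
    under `registries` are replaced from env; everything else is left untouched."""
    out = []
    for section, indent, key, _, line in _walk(config_text):
        if section == "registries" and indent == 4 and key in SECRET_KEYS:
            line = PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pre-flight check against the real pipeline environment.
    for problem in check_config(SAMPLE_CONFIG, os.environ) or ["no problems found"]:
        print(problem)
```

Run it as a script step before the Dependabot task, with the same secret variables mapped into the step's environment; a non-empty problem list tells you which placeholder will stay unresolved (or which token lacks the PAT: prefix) before the update job fails against the feed.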

Configuring security advisories and known vulnerabilities

Security-only updates (i.e. open-pull-requests-limit: 0) are a mechanism to create pull requests only for dependencies with vulnerabilities, updating them to the earliest available non-vulnerable version. Security updates are supported in the same way as the GitHub-hosted version, provided that a GitHub access token with public_repo access is supplied in the gitHubAccessToken or gitHubConnection task inputs.

Security-only updates incur a slight performance overhead due to limitations in Dependabot CLI, detailed in dependabot/cli#360. To work around this, vulnerable dependencies are first discovered using an "ignore everything" update job; after which, security advisories for the discovered dependencies are checked against the GitHub Advisory Database before finally performing the requested security-only update job.

You can provide extra security advisories, such as those for an internal dependency, in a JSON file via the securityAdvisoriesFile task input e.g. securityAdvisoriesFile: '$(Pipeline.Workspace)/advisories.json'. An example file is available in ./advisories-example.json.

Dependabot uses an internal feature flag system called "experiments". Typically, experiments represent new features or changes in logic which are still being internally tested before becoming generally available. In some cases, you may want to opt-in to experiments to work around known issues or to opt-in to preview features ahead of general availability (GA).

Experiments vary depending on the package ecosystem used; they can be enabled using the experiments task input with a comma-separated list of key/value pairs representing the experiments, e.g. experiments: 'tidy=true,vendor=true,goprivate=*'.

By default, the enabled experiments will mirror the GitHub-hosted version of Dependabot, which can be found here. Specifying experiments in the task input parameters will override all defaults.

Note

Dependabot experiment names are not [publicly] documented and these may be out-of-date at the time of reading. To find the latest list of experiments, search the dependabot-core GitHub repository using queries like "enabled?(x)" and "options.fetch(x)".

Dependabot supports assignees. However, Azure DevOps does not have the concept of pull request assignees. To work around this, assignees are treated as required pull request reviewers.

The following values can be used as assignees:

Unsupported features and configurations

We aim to support all official configuration options, but there are some limitations:

No longer functional.

👋 Want to give us feedback on Dependabot for Azure DevOps, or contribute to it? That's great - thank you so much!

Reporting issues and feature requests

Please leave all issues, bugs, and feature requests on the issues page. We'll respond ASAP! Use the discussions page for all other questions and comments.

Please refer to the contributing guidelines for more information on how to get started.

