Skip to content

Latest commit

 

History

History

extension

Dependabot Azure DevOps Extension

This is the unofficial dependabot extension for Azure DevOps. It will allow you to run Dependabot inside a build pipeline.

Usage

Add a configuration file stored at .azuredevops/dependabot.yml or .github/dependabot.yml conforming to the official spec.

To use in a YAML pipeline:

- task: dependabot@2

You can schedule the pipeline as is appropriate for your solution.

An example of a YAML pipeline:

trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - master
  batch: true
  displayName: Daily

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@2

Task Requirements

The task uses dependabot-cli, which requires Go (1.22+) and Docker (with Linux containers) be installed on the pipeline agent. If you use Microsoft-hosted agents, we recommend using the ubuntu-latest image, which meets all task requirements.

Dependabot uses Docker containers, which may take time to install if not already cached. Subsequent dependabot tasks in the same job will be faster after initially pulling the images. An alternative way to run your pipelines faster is by leveraging Docker caching in Azure Pipelines (See #113).

Task Parameters

dependabot@V2
Input Description
skipPullRequests Optional. Determines whether to skip creation and updating of pull requests. When set to true the logic to update the dependencies is executed but the actual Pull Requests are not created/updated. This is useful for debugging. Defaults to false.
abandonUnwantedPullRequests Optional. Determines whether to abandon unwanted pull requests. Defaults to false.
commentPullRequests Optional. Determines whether to comment on pull requests which an explanation of the reason for closing. Defaults to false.
setAutoComplete Optional. Determines if the pull requests that dependabot creates should have auto complete set. When set to true, pull requests that pass all policies will be merged automatically. Defaults to false.
mergeStrategy Optional. The merge strategy to use when auto complete is set. Learn more here. Defaults to squash.
autoCompleteIgnoreConfigIds Optional. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.
autoApprove Optional. Determines if the pull requests that dependabot creates should be automatically completed. When set to true, pull requests will be approved automatically. To use a different user for approval, supply autoApproveUserToken input. Defaults to false. Requires Azure DevOps REST API 7.1.
autoApproveUserToken Optional. A personal access token for the user to automatically approve the created PR.
authorEmail Optional. The email address to use for the change commit author. Can be used to associate the committer with an existing account, to provide a profile picture. Defaults to [email protected].
authorName Optional. The name to use as the git commit author of the pull requests. Defaults to dependabot[bot].
securityAdvisoriesFile Optional. The path to a JSON file containing additional security advisories to be included when performing package updates. See: Configuring security advisories and known vulnerabilities.
azureDevOpsServiceConnection Optional. A Service Connection to use for accessing Azure DevOps. Supply a value here to avoid using permissions for the Build Service either because you cannot change its permissions or because you prefer that the Pull Requests be done by a different user. When not provided, the current authentication scope is used.
See the documentation to know more about creating a Service Connections
azureDevOpsAccessToken Optional. The Personal Access Token for accessing Azure DevOps. Supply a value here to avoid using permissions for the Build Service either because you cannot change its permissions or because you prefer that the Pull Requests be done by a different user. When not provided, the current authentication scope is used. In either case, be use the following permissions are granted:
- Code (Full)
- Pull Requests Threads (Read & Write).
See the documentation to know more about creating a Personal Access Token.
Use this in place of azureDevOpsServiceConnection such as when it is not possible to create a service connection.
gitHubConnection Optional. The GitHub service connection for authenticating requests against GitHub repositories. This is useful to avoid rate limiting errors. The token must include permissions to read public repositories. See the GitHub docs for more on Personal Access Tokens and Azure DevOps docs for the GitHub service connection.
gitHubAccessToken Optional. The raw GitHub PAT for authenticating requests against GitHub repositories. Use this in place of gitHubConnection such as when it is not possible to create a service connection.
storeDependencyList Optional. Determines if the last know dependency list information should be stored in the parent DevOps project properties. If enabled, the authenticated user must have the "Project & Team (Write)" permission for the project. Enabling this option improves performance when doing security-only updates. Defaults to false.
targetRepositoryName Optional. The name of the repository to target for processing. If this value is not supplied then the Build Repository Name is used. Supplying this value allows creation of a single pipeline that runs Dependabot against multiple repositories by running a dependabot task for each repository to update.
targetUpdateIds Optional. A semicolon (;) delimited list of update identifiers run. Index are zero-based and in the order written in the configuration file. When not present, all the updates are run. This is meant to be used in scenarios where you want to run updates a different times from the same configuration file given you cannot schedule them independently in the pipeline.
experiments Optional. Comma separated list of Dependabot experiments; available options depend on the ecosystem. Example: tidy=true,vendor=true,goprivate=*. See: Configuring experiments
dependabot@V1 (Deprecated)
Input Description
useUpdateScriptvNext Optional. Determines if the task should use the new "vNext" update script based on Dependabot Updater (true), or the original update script based on dry-run.rb (false). Defaults to false. For more information, see: PR #1186.
failOnException Optional. Determines if the execution should fail when an exception occurs. Defaults to true.
updaterOptions Optional. Comma separated list of updater options; available options depend on the ecosystem. Example: tidy=true,vendor=true,goprivate=*. See: Configuring experiments
setAutoComplete Optional. Determines if the pull requests that dependabot creates should have auto complete set. When set to true, pull requests that pass all policies will be merged automatically. Defaults to false.
mergeStrategy Optional. The merge strategy to use when auto complete is set. Learn more here. Defaults to squash.
autoCompleteIgnoreConfigIds Optional. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.
autoApprove Optional. Determines if the pull requests that dependabot creates should be automatically completed. When set to true, pull requests will be approved automatically. To use a different user for approval, supply autoApproveUserToken input. Defaults to false. Requires Azure DevOps REST API 7.1.
autoApproveUserToken Optional. A personal access token for the user to automatically approve the created PR.
skipPullRequests Optional. Determines whether to skip creation and updating of pull requests. When set to true the logic to update the dependencies is executed but the actual Pull Requests are not created/updated. This is useful for debugging. Defaults to false.
abandonUnwantedPullRequests Optional. Determines whether to abandon unwanted pull requests. Defaults to false.
commentPullRequests Optional. Determines whether to comment on pull requests which an explanation of the reason for closing. Defaults to false.
securityAdvisoriesFile Optional. The path to a JSON file containing additional security advisories to be included when performing package updates. See: Configuring security advisories and known vulnerabilities.
gitHubConnection Optional. The GitHub service connection for authenticating requests against GitHub repositories. This is useful to avoid rate limiting errors. The token must include permissions to read public repositories. See the GitHub docs for more on Personal Access Tokens and Azure DevOps docs for the GitHub service connection.
gitHubAccessToken Optional. The raw GitHub PAT for authenticating requests against GitHub repositories. Use this in place of gitHubConnection such as when it is not possible to create a service connection.
azureDevOpsServiceConnection Optional. A Service Connection to use for accessing Azure DevOps. Supply a value here to avoid using permissions for the Build Service either because you cannot change its permissions or because you prefer that the Pull Requests be done by a different user. When not provided, the current authentication scope is used.
See the documentation to know more about creating a Service Connections
azureDevOpsAccessToken Optional. The Personal Access Token for accessing Azure DevOps. Supply a value here to avoid using permissions for the Build Service either because you cannot change its permissions or because you prefer that the Pull Requests be done by a different user. When not provided, the current authentication scope is used. In either case, be use the following permissions are granted:
- Code (Full)
- Pull Requests Threads (Read & Write).
See the documentation to know more about creating a Personal Access Token.
Use this in place of azureDevOpsServiceConnection such as when it is not possible to create a service connection.
targetRepositoryName Optional. The name of the repository to target for processing. If this value is not supplied then the Build Repository Name is used. Supplying this value allows creation of a single pipeline that runs Dependabot against multiple repositories by running a dependabot task for each repository to update.
targetUpdateIds Optional. A semicolon (;) delimited list of update identifiers run. Index are zero-based and in the order written in the configuration file. When not present, all the updates are run. This is meant to be used in scenarios where you want to run updates a different times from the same configuration file given you cannot schedule them independently in the pipeline.
excludeRequirementsToUnlock Optional. Space-separated list of dependency updates requirements to be excluded. See list of allowed values here. Useful if you have lots of dependencies and the update script too slow. The values provided are space-separated. Example: own all to only use the none version requirement.
dockerImageTag Optional. The image tag to use when pulling the docker container used by the task. A tag also defines the version. By default, the task decides which tag/version to use. This can be the latest or most stable version. When not provided, the value is inferred from the current task version
extraEnvironmentVariables Optional. A semicolon (;) delimited list of environment variables that are sent to the docker container. See possible use case here

Advanced