# Dependabot Azure DevOps (Paklo) Extension

This is the unofficial Dependabot extension for Azure DevOps. It allows you to run Dependabot inside a build pipeline.

> [!WARNING]
> It is strongly recommended that you complete (or abandon) all active pull requests created by the same user, whether they were created manually or by earlier versions of the task.
## Usage

Add a configuration file stored at `.azuredevops/dependabot.yml` or `.github/dependabot.yml` conforming to the official spec.

To use in a YAML pipeline:

```yaml
- task: dependabot@2
```

You can schedule the pipeline as is appropriate for your solution.

An example of a YAML pipeline:
```yaml
trigger: none # Disable CI trigger

schedules:
  - cron: '0 0 * * 0' # weekly on sunday at midnight UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - master
    batch: true
    displayName: Weekly

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

# Uncomment the lines below to have secrets protected in the logs
# variables:
#   System.Secrets: true

steps:
  - task: dependabot@2
    inputs:
      mergeStrategy: 'squash'
```
## Task Requirements

The task requires Docker (with Linux containers) to be installed on the pipeline agent.

If you use Microsoft-hosted agents, we recommend using the `ubuntu-latest` image, which meets all task requirements.

Dependabot uses Docker containers, which may take time to install if not already cached. Subsequent Dependabot tasks in the same job will be faster after the images have been pulled once. An alternative way to run your pipelines faster is by leveraging Docker caching in Azure Pipelines (see #113).
## Task Parameters

| Input | Description |
|:------|:------------|
| `dryRun` | Optional. Test logic without actually creating, updating or abandoning pull requests. When set to `true`, the logic to update the dependencies is executed but the actual pull requests are not created/updated/abandoned. This is useful for debugging. Defaults to `false`. |
| `setAutoComplete` | Optional. Determines if the pull requests that Dependabot creates should have auto-complete set. When set to `true`, pull requests that pass all policies will be merged automatically. Defaults to `false`. |
| `mergeStrategy` | Optional. The merge strategy to use when auto-complete is set. Learn more here. Defaults to `squash`. |
| `autoCompleteIgnoreConfigIds` | Optional. List of any policy configuration IDs which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies. |
| `autoApprove` | Optional. Determines if the pull requests that Dependabot creates should be automatically approved. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply the `autoApproveUserToken` input. Defaults to `false`. Requires Azure DevOps REST API 7.1. |
| `autoApproveUserToken` | Optional. A personal access token for the user to automatically approve the created PR. |
| `authorEmail` | Optional. The email address to use for the change commit author. Can be used to associate the committer with an existing account, to provide a profile picture. Defaults to `noreply@github.com`. |
| `authorName` | Optional. The name to use as the git commit author of the pull requests. Defaults to `dependabot[bot]`. |
| `azureDevOpsServiceConnection` | Optional. A Service Connection to use for accessing Azure DevOps. Supply a value here to avoid using permissions for the Build Service, either because you cannot change its permissions or because you prefer that the pull requests be created by a different user. When not provided, the current authentication scope is used. See the documentation to learn more about creating a Service Connection. |
| `azureDevOpsAccessToken` | Optional. The Personal Access Token for accessing Azure DevOps. Supply a value here to avoid using permissions for the Build Service, either because you cannot change its permissions or because you prefer that the pull requests be created by a different user. When not provided, the current authentication scope is used. In either case, make sure the following permissions are granted: Code (Full) and Pull Request Threads (Read & Write). See the documentation to learn more about creating a Personal Access Token. Use this in place of `azureDevOpsServiceConnection`, such as when it is not possible to create a service connection. |
| `gitHubConnection` | Optional. The GitHub service connection for authenticating requests against GitHub repositories. This is useful to avoid rate limiting errors. The token must include permissions to read public repositories. See the GitHub docs for more on Personal Access Tokens and the Azure DevOps docs for the GitHub service connection. |
| `gitHubAccessToken` | Optional. The raw GitHub PAT for authenticating requests against GitHub repositories. Use this in place of `gitHubConnection`, such as when it is not possible to create a service connection. |
| `targetProjectName` | Optional. The name/ID of the project to target for processing. If this value is not supplied then the Build Project ID is used. Supplying this value allows creation of a single pipeline that runs Dependabot against multiple projects in an organization by running a Dependabot task for each project to update. This must be used together with `targetRepositoryName`. Ensure the PAT provided also has access to the project specified. |
| `targetRepositoryName` | Optional. The name of the repository to target for processing. If this value is not supplied then the Build Repository Name is used. Supplying this value allows creation of a single pipeline that runs Dependabot against multiple repositories in a project by running a Dependabot task for each repository to update. |
| `targetUpdateIds` | Optional. A semicolon (`;`) delimited list of update identifiers to run. Indexes are zero-based and follow the order written in the configuration file. When not present, all updates are run. This is meant for scenarios where you want to run updates at different times from the same configuration file, since you cannot schedule them independently in the pipeline. |
| `dependabotCliApiListeningPort` | Optional. Sets a fixed listening port for the Dependabot CLI via `FAKE_API_PORT`. It should match the `dependabotCliApiUrl` option. |
| `dependabotUpdaterImage` | Optional. The Dependabot CLI container image to use for updates. The image must contain a `{ecosystem}` placeholder, which will be substituted with the package ecosystem for each update operation. This is intended for scenarios where `latest` has issues and you want to pin a known working version, or use a custom package. Defaults to `ghcr.io/dependabot/dependabot-updater-{ecosystem}:latest`. |
| `experiments` | Optional. Comma-separated list of Dependabot experiments; available options depend on the ecosystem. Example: `tidy=true,vendor=true,goprivate=*`. If specified, this overrides the default experiments. See: Configuring experiments. |
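The parameters above combine into the multi-repository pattern the `targetProjectName` and `targetRepositoryName` entries describe. The pipeline below is an added example, not part of the extension's own documentation: it fans one scheduled pipeline out over several repositories, authenticates with a dedicated service connection instead of the Build Service identity, masks secrets in the log, and exposes `dryRun` as a run-time parameter so the configuration can be rehearsed before any pull request is touched. The service connection name `dependabot-updater`, the project name `platform-project` and the repository names are placeholders.

```yaml
# Added example: one scheduled pipeline updating several repositories.
# 'dependabot-updater', 'platform-project' and the repository names are
# placeholders; replace them with your own values.
trigger: none # Disable CI trigger

schedules:
  - cron: '0 6 * * 1' # weekly, Monday 06:00 UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - main
    displayName: Weekly dependency updates

parameters:
  - name: dryRun
    displayName: Dry run (no pull requests created, updated or abandoned)
    type: boolean
    default: false
  - name: repositories
    displayName: Repositories to update
    type: object
    default:
      - api-service
      - web-frontend
      - infra-modules

pool:
  vmImage: 'ubuntu-latest' # Linux agent with Docker, as the task requires

variables:
  System.Secrets: true # mask secret values in the job log

steps:
  # One task invocation per repository; each one reads that repository's
  # own .azuredevops/dependabot.yml or .github/dependabot.yml.
  - ${{ each repo in parameters.repositories }}:
      - task: dependabot@2
        displayName: Dependabot (${{ repo }})
        inputs:
          # Dedicated identity: the Build Service keeps its default permissions
          azureDevOpsServiceConnection: 'dependabot-updater'
          targetProjectName: 'platform-project'
          targetRepositoryName: '${{ repo }}'
          dryRun: ${{ parameters.dryRun }}
          setAutoComplete: true
          mergeStrategy: 'squash'
          authorName: 'dependabot[bot]'
          authorEmail: 'noreply@github.com'
```

The identity behind `dependabot-updater` needs only the permissions the table lists (Code (Full) and Pull Request Threads (Read & Write)) on `platform-project`; granting it nothing else keeps a compromised or over-broad token from reaching other projects. Run the pipeline once with `dryRun` set to `true` and read the log before enabling `setAutoComplete`, since with auto-complete on, every pull request that passes branch policies is merged without a person looking at it.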
The extension also includes `DependabotFetchMetadata@1`, a task for reading metadata from a pull request created by the main Dependabot task. It is intended to run inside a pull request validation pipeline.

```yaml
steps:
  - task: DependabotFetchMetadata@1
    name: metadata
    condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
  - script: |
      echo "Dependencies: $(metadata.dependencyNames)"
      echo "Package ecosystem: $(metadata.packageEcosystem)"
      echo "Update type: $(metadata.updateType)"
    condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
```

The task requires `System.PullRequest.PullRequestId`, so it fails when it is not running in the context of a pull request. If the pipeline can also run for non-PR reasons, guard the task with `eq(variables['Build.Reason'], 'PullRequest')`. Authentication uses the current `SystemVssConnection` by default, or the optional `azureDevOpsServiceConnection` / `azureDevOpsAccessToken` inputs.
| Input | Description |
|:------|:------------|
| `azureDevOpsServiceConnection` | Optional. A Service Connection to use for accessing Azure DevOps. Supply a value here to use a different identity from the current build service identity. |
| `azureDevOpsAccessToken` | Optional. The Personal Access Token for accessing Azure DevOps. Use this in place of `azureDevOpsServiceConnection`, such as when it is not possible to create a service connection. |

| Output | Description |
|:-------|:------------|
| `dependencyNames` | A comma-separated list of all package names updated. |
| `dependencyType` | The dependency type, when known. |
| `updateType` | The highest semver change being made by this PR, when known. |
| `updatedDependenciesJson` | A JSON string containing information about each updated dependency. |
| `directory` | The directory for the first updated dependency. |
| `packageEcosystem` | The package ecosystem for this updated dependency. |
| `targetBranch` | The pull request target branch. |
| `previousVersion` | The previous version for the first updated dependency, when known. |
| `newVersion` | The new version for the first updated dependency. |
| `compatibilityScore` | The compatibility score, when known. |
| `maintainerChanges` | Whether the pull request body contains maintainer changes. |
| `dependencyGroup` | The dependency group that the PR is associated with. |
| `ghsaId` | The GHSA ID, when known. |
| `cvss` | The CVSS value, when known. |
Some values are currently best-effort or unavailable from the persisted Azure metadata, including the security advisory fields `ghsaId` and `cvss`. For older pull requests created before previous versions were persisted, `previousVersion` may be empty, `updateType` may be `null`, and `compatibilityScore` may be `0`.
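A pull request validation pipeline can turn these outputs into a merge gate, which matters once the main task runs with `setAutoComplete` enabled: a failing validation build blocks auto-complete, so a major version bump gets a human look while patch and minor updates flow through. The pipeline below is an added example and not part of the extension's documentation. It assumes the `updateType` output contains the word "major" for a major semver change; the task above documents `updateType` only as "the highest semver change", so the script logs the raw value and you should confirm what your pull requests report before relying on the match. The branch name `main` is a placeholder.

```yaml
# Added example: PR validation pipeline that blocks auto-complete of
# major version updates by failing the build. The '*major*' match on
# updateType is an assumption about the output's format; the raw value is
# echoed so it can be checked against real pull requests.
trigger: none
pr:
  - main # placeholder target branch

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: DependabotFetchMetadata@1
    name: metadata
    condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))

  - bash: |
      set -eu
      echo "Dependencies:  $(metadata.dependencyNames)"
      echo "Ecosystem:     $(metadata.packageEcosystem)"
      echo "Update type:   $(metadata.updateType)"
      # ghsaId and cvss are best-effort; they may be empty even for advisory-driven PRs
      echo "GHSA / CVSS:   $(metadata.ghsaId) / $(metadata.cvss)"

      case "$(metadata.updateType)" in
        *major*)
          # Logging an error and exiting non-zero fails the PR validation build,
          # so a branch policy requiring this build keeps auto-complete from merging.
          echo "##vso[task.logissue type=error]Major version update; review before merging."
          exit 1
          ;;
        *)
          echo "Update is not a major version change; no manual gate applied."
          ;;
      esac
    displayName: Gate major Dependabot updates
    condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
```

The gate only has an effect if the branch policy on the target branch requires this build to succeed; without that policy the build failure is visible but auto-complete still proceeds. Because `updateType` may be `null` for older pull requests, those fall through to the non-major branch, so rerun the main Dependabot task to refresh such PRs if the gate needs to cover them.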
## Advanced

For advanced configuration and detailed documentation, see the Azure DevOps Extension Documentation.