
Dependabot#

Official Dependabot Docs

Dependabot is a tool to "monitor vulnerabilities in dependencies used in your project and keep your dependencies up-to-date."

By default, Dependabot scans your repository's default branch (e.g. main). This can be overridden with the target-branch option.

Dependabot is configured by creating a dependabot.yml file in your repository's .github/ directory.

Notes on configuring your dependabot.yml file can be found here.

Here is an example of a very basic Ruby Bundler Dependabot configuration. It checks the root directory (/) for the package manifest, looks for updates every day, and labels the resulting pull requests "dependencies":

```yaml
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
```

Run Dependabot on self-hosted runners#

Dependabot normally runs on GitHub-hosted Actions runners; for most workflows this is fine. If you need to reach a resource on-prem, or from a known IP address (for example, one allowed through a firewall), Dependabot can instead be run on a self-hosted runner, such as the ones Devex provides.

To enable this there are two steps:

  • Enable for the organization: navigate to your organization's Settings > Security > Code Security > Global Settings (https://github.com/organizations/ORG/settings/security_analysis) and check the box for Dependabot on self-hosted runners.
  • Enable for a repository: navigate to the equivalent location in the repository's Settings > Security > Code Security, find Dependabot on self-hosted runners and enable it.

Dependabot and artifactory.umn.edu#

To point Dependabot at artifacts hosted on the University's on-prem Artifactory appliance, you need to configure your organization to use self-hosted runners (as explained above). If you use GitHub-hosted Actions runners instead, you may receive errors such as "Cannot read TLS response from mitm'd server" and "connect: connection timed out".

If your artifacts are in public registries or repositories, there is no need to register artifactory.umn.edu or to use special secrets.

Keeping Actions up to date#

If you plan to use GitHub Actions for builds, tests, or deployments, Dependabot can keep the Actions you run up to date as well. Add an entry like the following to the updates list in your dependabot.yml:

```yaml
  - package-ecosystem: "github-actions"
    # Workflow files are stored in the default location of `.github/workflows`.
    # You don't need to specify `/.github/workflows` for `directory`; use `directory: "/"`.
    directory: "/"
    schedule:
      interval: "weekly"
```

More information on automating Dependabot using Actions can be found here.
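Putting the pieces above together (the basic Bundler config, the Artifactory note, and the Actions entry), here is an added example of a complete dependabot.yml that pulls gems from a private Artifactory repository. This is illustrative, not a config from the page or the Devex team: the registry name, the Artifactory repository path, and the secret name are assumptions, and the token is read from a Dependabot secret rather than placed in the file.

```yaml
version: 2

# Private registries are declared once here and referenced per update entry.
# Dependabot reads the credential from a Dependabot secret (repository or
# organization Settings > Secrets > Dependabot), never from the file itself.
registries:
  umn-artifactory-gems:            # assumed name
    type: rubygems-server
    # <REPO> is a placeholder for your Artifactory gems repository key
    url: https://artifactory.umn.edu/artifactory/api/gems/<REPO>
    token: ${{ secrets.ARTIFACTORY_TOKEN }}   # assumed secret name

updates:
  # Ruby gems resolved through the private Artifactory registry.
  # Requires the org/repo to run Dependabot on self-hosted runners that
  # can reach artifactory.umn.edu; GitHub-hosted runners will time out.
  - package-ecosystem: "bundler"
    directory: "/"
    registries:
      - umn-artifactory-gems
    schedule:
      interval: "daily"
    target-branch: "develop"       # override the default branch if needed
    labels:
      - "dependencies"

  # Keep the Actions used by workflows in .github/workflows current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
```

Drop the registries block and the per-entry registries list if your gems come only from public rubygems.org; in that case no secret or self-hosted runner is required.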