This repository contains tools for updating dependencies in Azure DevOps repositories using Dependabot.
In this repository you'll find:
- Dependabot updater in Ruby. See docs.
- Dockerfile and build/image for running the updater via Docker here.
- Dependabot server in .NET/C#. See docs.
- Azure DevOps Extension and source. See docs.
The hosted version is available to sponsors (most, but not all). It includes hassle-free runs where the infrastructure is maintained for you, much like the GitHub-hosted version. Alternatively, you can run and host your own server. Once you sponsor, you can send an email to a maintainer or wait until they reach out. This is meant to ease the burden until GitHub/Azure/Microsoft can get it working natively (which could also be never) and hopefully for free.
Similar to the GitHub native version, where you add a `.azuredevops/dependabot.yml` or `.github/dependabot.yml` file, this repository adds support for the same official configuration options via a file located at `.azuredevops/dependabot.yml` or `.github/dependabot.yml`. This support is only available in the Azure DevOps extension and the managed version. However, the extension does not currently support automatically picking up the file; a pipeline is still required. See docs.
We are well aware that ignore conditions are not explicitly passed on from the extension/server to the container. This is intentional: the Ruby script in the Docker container applies them automatically. If you are having issues, search for related issues such as tinglesoftware#582 before creating a new issue. You can also test against various reproductions such as https://dev.azure.com/tingle/dependabot/_git/repro-582
Besides accessing the repository itself, sometimes private feeds/registries need to be accessed, for example a private NuGet feed or a company-internal Docker registry. Configuration options for private registries are set up in `dependabot.yml` as described in the Dependabot documentation.

Example:
```yaml
version: 2
registries:
  my-Extern@Release:
    type: nuget-feed
    url: https://dev.azure.com/organization1/_packaging/my-Extern@Release/nuget/v3/index.json
    token: PAT:${{MY_DEPENDABOT_ADO_PAT}}
  my-analyzers:
    type: nuget-feed
    url: https://dev.azure.com/organization2/_packaging/my-analyzers/nuget/v3/index.json
    token: PAT:${{MY_OTHER_PAT}}
  artifactory:
    type: nuget-feed
    url: https://artifactory.com/api/nuget/v3/myfeed
    token: PAT:${{MY_ARTIFACTORY_PAT}}
  telerik:
    type: nuget-feed
    url: https://nuget.telerik.com/v3/index.json
    username: ${{MY_TELERIK_USERNAME}}
    password: ${{MY_TELERIK_PASSWORD}}
    token: ${{MY_TELERIK_USERNAME}}:${{MY_TELERIK_PASSWORD}}
updates:
  ...
```
Note:

- `${{VARIABLE_NAME}}` notation is used like described here, BUT the values will be taken from environment variables in the pipeline/environment. Template variables are not supported for this replacement. Replacement only works for values considered secret in the registries section, i.e. `username`, `password`, `token`, and `key`.
- When using an Azure DevOps Artifacts feed, only the `token` property is required. The token notation should be `PAT:${{VARIABLE_NAME}}`, otherwise the wrong authentication mechanism is used by Dependabot; see here for more details. When working with Azure DevOps Artifacts, some extra permission steps need to be done:
  - The PAT should have Packaging Read permission.
  - The user owning the PAT must be granted permissions to access the feed, either directly or via a group. An easy way to do this is to give `Contributor` permissions to the `[{project_name}]\Contributors` group under the `Feed Settings -> Permissions` page. The page has the URL format `https://dev.azure.com/{organization}/{project}/_packaging?_a=settings&feed={feed-name}&view=permissions`.
- When using a NuGet package server secured with basic auth, the `username`, `password`, and `token` properties are all required. The token notation should be `${{USERNAME}}:${{PASSWORD}}`; see here for more details.
- When your project contains a `nuget.config` file with custom package source configuration, the `key` property is required for each nuget-feed registry. The key must match between `dependabot.yml` and `nuget.config`, otherwise the package source will be duplicated, package source mappings will be ignored, and auth errors will occur during dependency discovery. If your `nuget.config` looks like this:

  ```xml
  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <packageSources>
      <clear />
      <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
      <add key="my-organisation1-nuget" value="https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json" />
    </packageSources>
    <packageSourceMapping>
      <packageSource key="nuget.org">
        <package pattern="*" />
      </packageSource>
      <packageSource key="my-organisation1-nuget">
        <package pattern="Organisation.*" />
      </packageSource>
    </packageSourceMapping>
  </configuration>
  ```

  Then your `dependabot.yml` registry should look like this:

  ```yaml
  version: 2
  registries:
    my-org:
      type: nuget-feed
      key: my-organisation1-nuget
      url: https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json
      token: PAT:${{MY_DEPENDABOT_ADO_PAT}}
  ```
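The notes above describe three things a run depends on: `${{VAR}}` placeholders in the secret fields being filled from environment variables, the token taking the `PAT:` form for Azure DevOps Artifacts and the `username:password` form for basic-auth servers, and the `key` of every nuget-feed registry matching a package source in `nuget.config`. The following validator is an added example, not code from this repository or from Dependabot; it runs the same checks ahead of a pipeline run and fails closed on an unset variable instead of letting the literal placeholder be sent as a credential. It assumes the `registries` mapping has already been loaded from `dependabot.yml` (for example with PyYAML), and it treats any feed whose URL contains `dev.azure.com` as an Azure DevOps Artifacts feed, which is a heuristic of this example rather than something the README states. All sample values are constructed.

```python
"""Pre-flight validation of the registries section of a dependabot.yml (added example)."""
import re
import xml.etree.ElementTree as ET

# Only these registry fields get ${{VAR}} substitution, per the note above.
SECRET_FIELDS = ("username", "password", "token", "key")
VAR_PATTERN = re.compile(r"\$\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def substitute_secrets(registries, env):
    """Return a copy of `registries` with ${{VAR}} in secret fields replaced from `env`.

    An unset variable raises KeyError so a misconfigured pipeline stops early
    instead of presenting the literal "${{MY_PAT}}" string to the feed.
    """
    resolved = {}
    for name, reg in registries.items():
        out = dict(reg)
        for field in SECRET_FIELDS:
            value = out.get(field)
            if not isinstance(value, str):
                continue

            def replace(match, _name=name):
                var = match.group(1)
                if var not in env:
                    raise KeyError(f"registry '{_name}': environment variable {var} is not set")
                return env[var]

            out[field] = VAR_PATTERN.sub(replace, value)
        resolved[name] = out
    return resolved


def check_token_format(name, reg):
    """Return problems with the auth fields of one resolved registry.

    Assumption of this example: a URL containing dev.azure.com is an Azure DevOps
    Artifacts feed; anything else carrying username/password is a basic-auth server.
    """
    problems = []
    url, token = reg.get("url", ""), reg.get("token", "")
    if "dev.azure.com" in url:
        if not token.startswith("PAT:"):
            problems.append(f"registry '{name}': Azure DevOps feed token must use the PAT:<value> form")
    elif "username" in reg or "password" in reg:
        missing = [f for f in ("username", "password", "token") if f not in reg]
        if missing:
            problems.append(f"registry '{name}': basic-auth feed is missing {', '.join(missing)}")
        elif token != f"{reg['username']}:{reg['password']}":
            problems.append(f"registry '{name}': basic-auth token must be <username>:<password>")
    return problems


def check_nuget_config_keys(registries, nuget_config_xml):
    """Return problems where a nuget-feed registry key has no matching nuget.config source."""
    root = ET.fromstring(nuget_config_xml)
    source_keys = {add.get("key") for add in root.findall("./packageSources/add")}
    problems = []
    for name, reg in registries.items():
        if reg.get("type") != "nuget-feed":
            continue
        key = reg.get("key")
        if key is None:
            problems.append(f"registry '{name}': 'key' is required when nuget.config defines package sources")
        elif key not in source_keys:
            problems.append(f"registry '{name}': key '{key}' matches no nuget.config source {sorted(source_keys)}")
    return problems


# Constructed sample input: the registries mapping as loaded from dependabot.yml,
# a fake environment, and a nuget.config whose source keys match the registry keys.
SAMPLE_REGISTRIES = {
    "my-org": {
        "type": "nuget-feed", "key": "my-organisation1-nuget",
        "url": "https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json",
        "token": "PAT:${{MY_DEPENDABOT_ADO_PAT}}",
    },
    "telerik": {
        "type": "nuget-feed", "key": "telerik", "url": "https://nuget.telerik.com/v3/index.json",
        "username": "${{MY_TELERIK_USERNAME}}", "password": "${{MY_TELERIK_PASSWORD}}",
        "token": "${{MY_TELERIK_USERNAME}}:${{MY_TELERIK_PASSWORD}}",
    },
}
SAMPLE_ENV = {"MY_DEPENDABOT_ADO_PAT": "fake-ado-pat", "MY_TELERIK_USERNAME": "alice",
              "MY_TELERIK_PASSWORD": "s3cret"}
SAMPLE_NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="my-organisation1-nuget" value="https://dev.azure.com/my-organization/_packaging/my-nuget-feed/nuget/v3/index.json" />
    <add key="telerik" value="https://nuget.telerik.com/v3/index.json" />
  </packageSources>
</configuration>"""


def validate(registries=SAMPLE_REGISTRIES, env=SAMPLE_ENV, nuget_config_xml=SAMPLE_NUGET_CONFIG):
    """Resolve placeholders and run every check; returns (resolved registries, problems)."""
    resolved = substitute_secrets(registries, env)
    problems = []
    for name, reg in resolved.items():
        problems += check_token_format(name, reg)
    problems += check_nuget_config_keys(resolved, nuget_config_xml)
    return resolved, problems


if __name__ == "__main__":
    _, found = validate()
    print("\n".join(found) if found else "registries configuration looks consistent")
```

Run it in the pipeline step before the updater with the real environment in place of `SAMPLE_ENV` (e.g. `dict(os.environ)`); a non-empty problem list is the point at which to stop, since every item maps to one of the failure modes the notes describe (wrong auth mechanism, duplicated package source, discovery-time auth errors).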
Security-only updates is a mechanism to only create pull requests for dependencies with vulnerabilities by updating them to the earliest available non-vulnerable version. Security updates are supported in the same way as the GitHub-hosted version. In addition, you can provide extra advisories, such as those for an internal dependency, in a JSON file via the `securityAdvisoriesFile` input, e.g. `securityAdvisoriesFile: '$(Pipeline.Workspace)/advisories.json'`. A file example is available here.

A GitHub access token with `public_repo` access is required to perform the GitHub GraphQL query for `securityVulnerabilities`.
If you'd like to contribute to the project or just run it locally, view our development guides for:
The work in this repository is based on, inspired by, and occasionally guided by some predecessors in the same area:
- Official Script support: code
- Andrew Craven's work: blog, code
- Chris' work: code
- andrcun's work on GitLab: code
- WeWork's work for GitLab: code
Please leave all comments, bugs, requests, and issues on the Issues page. We'll respond to your request ASAP!