Integrating Dependabot with GitHub Enterprise using Jenkins

Dependabot is a GitHub bot that scans your repositories for outdated dependencies, then opens PRs to update them. Although the code supports GitHub Enterprise, the hosted version of Dependabot only supports GitHub.com. This post will walk you through setting up dependabot-core so that it can scan for outdated dependencies in a GitHub Enterprise repository, using Jenkins to run it.

Firstly, most of the credit should go to the dependabot team who have made the core code freely available, published a Docker image containing it, and written a script that automates the process.

Secondly, this assumes you have a GitHub Enterprise instance available at https://github.example.com, and Jenkins at https://jenkins.example.com. Change the URLs as appropriate in the following instructions.

1. Set Up Credentials

You will need both GitHub Enterprise and GitHub.com personal access tokens. You can create these at https://github.example.com/settings/tokens and https://github.com/settings/tokens. Select the repo scope when creating the tokens. PRs opened by Dependabot will be created by the GitHub user who creates the tokens.

These credentials need to be stored safely in Jenkins. Go to https://jenkins.example.com/credentials/store/system/domain/_/newCredentials and create two new Secret text credentials (one per PAT) as follows:

  • Scope: Global
  • Secret: (paste personal access token here)
  • ID: dependabot-github-enterprise / dependabot-github-com (ID based on PAT)
  • Description: Dependabot PAT for GitHub Enterprise / Dependabot PAT for GitHub (name based on PAT)

2. Create the Jenkins Job

The Dependabot build can run for one package manager at a time. These instructions configure it for NuGet. The other available options are listed here; adjust the script as necessary.

At Jenkins, create a new Freestyle job named Dependabot-NuGet with the following configuration:

  • GitHub project > Project url: https://github.com/dependabot/dependabot-script/
  • This project is parameterized
    • Add a String Parameter:
      • Name: PROJECT_PATH
      • Description: GitHub repository name, including org
  • Restrict where this project can be run: (This job requires a Linux build node that has access to Docker, select as appropriate)
  • Source Code Management: Git
    • Repository URL: https://github.com/dependabot/dependabot-script.git
  • Build Environment
    • Use secret text(s) or file(s) - Add the following Bindings
      • Secret text
        • Variable: GITHUB_ENTERPRISE_ACCESS_TOKEN
        • Credentials: Dependabot PAT for GitHub Enterprise
      • Secret text
        • Variable: GITHUB_ACCESS_TOKEN
        • Credentials: Dependabot PAT for GitHub
  • Build
    • Execute shell
      docker pull dependabot/dependabot-core:latest
      # Install the script's gems into the workspace (vendor/ is reused between builds)
      docker run --rm -v "$(pwd):/home/dependabot/dependabot-script" \
        -w /home/dependabot/dependabot-script \
        dependabot/dependabot-core bundle install -j 3 --path vendor
      # The two tokens are passed by name only (-e NAME copies them from the
      # bound build environment), so their values never appear on the docker
      # command line or in the shell trace Jenkins writes to the build log
      docker run --rm -v "$(pwd):/home/dependabot/dependabot-script" \
        -w /home/dependabot/dependabot-script \
        -e GITHUB_ENTERPRISE_HOSTNAME=github.example.com \
        -e GITHUB_ENTERPRISE_ACCESS_TOKEN \
        -e GITHUB_ACCESS_TOKEN \
        -e PACKAGE_MANAGER=nuget \
        -e "PROJECT_PATH=$PROJECT_PATH" \
        dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb

Click Save to create the job.
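The Execute shell step above can also be kept as a small script that validates the PROJECT_PATH parameter, checks that both credential bindings are present, and passes the tokens to Docker by name rather than by value. The following is an added example, not code from the original post or from the dependabot-script project. It assumes the variable names the job binds (GITHUB_ENTERPRISE_ACCESS_TOKEN, GITHUB_ACCESS_TOKEN, PROJECT_PATH) and the hostname github.example.com; the file name dependabot-update.sh and the "run" argument are my own convention.

```shell
#!/bin/sh
# dependabot-update.sh (added example; not part of dependabot-script).
# Assumes the Jenkins job binds GITHUB_ENTERPRISE_ACCESS_TOKEN and
# GITHUB_ACCESS_TOKEN as secret text and PROJECT_PATH as a build parameter.
set -eu

IMAGE="dependabot/dependabot-core:latest"
GHE_HOST="${GITHUB_ENTERPRISE_HOSTNAME:-github.example.com}"   # assumed hostname
PACKAGE_MANAGER="${PACKAGE_MANAGER:-nuget}"
SCRIPT_DIR=/home/dependabot/dependabot-script

# PROJECT_PATH must be exactly "org/repo": one slash, only name characters,
# no spaces and no "..", so it cannot be read as a path or an extra argument.
validate_project_path() {
  case "$1" in
    ''|/*|*/|*/*/*|*' '*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fail early, without printing the value, when a credential binding is
# missing. The value is read through eval because the name is a parameter.
require_secret() {
  eval "value=\${$1:-}"
  if [ -z "$value" ]; then
    echo "missing required credential binding: $1" >&2
    return 1
  fi
  return 0
}

run_update() {
  project="${PROJECT_PATH:-}"
  if ! validate_project_path "$project"; then
    echo "PROJECT_PATH must be org/repo, got: '$project'" >&2
    return 2
  fi
  require_secret GITHUB_ENTERPRISE_ACCESS_TOKEN
  require_secret GITHUB_ACCESS_TOKEN
  export GITHUB_ENTERPRISE_ACCESS_TOKEN GITHUB_ACCESS_TOKEN

  docker pull "$IMAGE"
  docker run --rm -v "$PWD:$SCRIPT_DIR" -w "$SCRIPT_DIR" \
    "$IMAGE" bundle install -j 3 --path vendor
  # Secrets are passed by name only: docker copies them from this process's
  # environment, so the values never appear in ps output or in the sh -x
  # trace that Jenkins writes to the build log.
  docker run --rm -v "$PWD:$SCRIPT_DIR" -w "$SCRIPT_DIR" \
    -e "GITHUB_ENTERPRISE_HOSTNAME=$GHE_HOST" \
    -e GITHUB_ENTERPRISE_ACCESS_TOKEN \
    -e GITHUB_ACCESS_TOKEN \
    -e "PACKAGE_MANAGER=$PACKAGE_MANAGER" \
    -e "PROJECT_PATH=$project" \
    "$IMAGE" bundle exec ruby ./generic-update-script.rb
}

# Only perform the update when invoked as "./dependabot-update.sh run"; without
# the argument the file just defines the functions, so it can be sourced and
# checked on a workstation without Docker.
case "${1:-}" in
  run) run_update ;;
esac
```

With this file in place, the Execute shell step reduces to `sh ./dependabot-update.sh run`. A malformed PROJECT_PATH or a missing binding fails the build before any image is pulled, and a failing validation message never echoes a token.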

3. Run the Jenkins Job

At https://jenkins.example.com/job/Dependabot-NuGet/, click Build with Parameters. You will be prompted for PROJECT_PATH; enter MyOrg/MyRepo. Click Build to start.

The build should run, and list all the out-of-date dependencies it found; it will open a PR on GitHub Enterprise for each outdated dependency.

Posted by Bradley Grainger on December 13, 2019