Dependabot is a GitHub bot that scans your repositories for outdated dependencies, then opens PRs to update them. Although the code supports GitHub Enterprise, the hosted version of Dependabot only supports GitHub.com. This post will walk you through setting up dependabot-core so that it can scan for outdated dependencies in a GitHub Enterprise repository, using Jenkins to run it.
Firstly, most of the credit should go to the dependabot team who have made the core code freely available, published a Docker image containing it, and written a script that automates the process.
Secondly, this assumes you have a GitHub Enterprise instance available at
https://jenkins.example.com. Change the URLs as appropriate in the following instructions.
You will need both GitHub Enterprise and GitHub.com personal access tokens. You can create these at
https://github.com/settings/tokens. Select the
repo scope when creating the tokens. PRs opened by Dependabot will be created by the GitHub user who creates the tokens.
These credentials need to be stored safely in Jenkins. Go to
and create two new Secret text credentials (one per PAT) as follows:
dependabot-github-com(ID based on PAT)
The Dependabot build can run for one package manager at a time. These instructions configure it for NuGet. The other available options are listed here; adjust the script as necessary.
At Jenkins, create a new Freestyle job named Dependabot-NuGet with the following configuration:
docker pull dependabot/dependabot-core:latest docker run -v "$(pwd):/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script dependabot/dependabot-core bundle install -j 3 --path vendor docker run -v "$(pwd):/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script -e GITHUB_ENTERPRISE_HOSTNAME=github.example.com -e GITHUB_ENTERPRISE_ACCESS_TOKEN=$GITHUB_ENTERPRISE_ACCESS_TOKEN -e GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN -e PACKAGE_MANAGER=nuget -e PROJECT_PATH=$PROJECT_PATH dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb
Click Save to create the job.
https://jenkins.example.com/job/Dependabot-NuGet/, Click Build with Parameters. You will be prompted for PROJECT_PATH;
MyOrg/MyRepo. Click Build to start.
The build should run, and list all the out-of-date dependencies it found; it will open a PR on GitHub Enterprise for each outdated dependency.
Posted by Bradley Grainger on December 13, 2019