Dependabot is an open source tool that checks for new versions of the libraries in a project and automatically creates a Pull request (Merge request) when one is available.
- Dependabot: https://github.com/dependabot
Dependabot was originally made for GitHub, but it is now open source and can be used elsewhere, so GitLab also supports Dependabot.
- Dependabot for GitLab: https://gitlab.com/dependabot-gitlab/dependabot
However, the Ultimate plan is required to use the Dependabot integration provided by GitLab (Dependency Scanning).
- Dependency Scanning: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
In this blog post, I will introduce how to add Dependabot to self-managed GitLab without the Ultimate plan.
Add dependabot-script to GitLab
To run Dependabot on GitLab, you need to make an environment for it. Dependabot provides the dependabot-script repository as the environment that executes Dependabot, so you need to import the dependabot-script repository into your GitLab by following these steps.
- Create a new project and choose Repository by URL.
And then, insert the dependabot-script repository URL below to import it.
- Repository URL: https://github.com/dependabot/dependabot-script
Create GitLab token
The dependabot-script repository will access your other repositories and check the library versions. When new versions exist, the dependabot-script repository creates a Merge request automatically. So, a Personal Access Token is required to access the other repositories and create Merge requests. Create a Personal Access Token with the required scope.
Create GitHub token
The dependabot-script repository uses the GitHub API to check the library versions. So, to use the GitHub API, you need to create a Personal access token on GitHub.
After logging in to GitHub, click the profile image at the top right, and then click Settings to go to the settings page. Click Developer settings at the bottom of the left menu on the settings page, and then click Personal access tokens > Token (classic) to go to the token creation page. Create a token with the public_repo permission.
Create CI/CD variables
Next, you need to configure the Personal Access Tokens as CI/CD variables in the dependabot-script repository. In the dependabot-script repository, open the CI/CD variables settings and add the following variables.
Personal Access Token of GitLab:
- Key: GITLAB_ACCESS_TOKEN
- Value: token
Personal Access Token of GitHub:
- Key: GITHUB_ACCESS_TOKEN
- Value: token
If you use self-managed GitLab, you may also need to configure GITLAB_HOSTNAME like the following.
- Key: GITLAB_HOSTNAME
- Value: gitlab.dev-yakuza.com
Create .gitlab-ci.yml file
You can find the .gitlab-ci.example.yml file in the dependabot-script repository. Rename this file to .gitlab-ci.yml.
Now, let's create a Schedule to execute Dependabot at a regular interval, check whether there are new versions of the libraries in the specific project and, if there are, create Merge requests. Create the Schedule in the dependabot-script repository.
At this time, you need to configure the specific project and Package manager as schedule variables.
- PROJECT_PATH: namespace/project (ex> dev-yakuza/deku-nextjs-boilerplate)
- PACKAGE_MANAGER_SET: package manager (ex> npm_and_yarn)
You can see the Package managers that you can configure for dependabot-script at the following link.
The list of Package managers is like the following.
- pip (includes pipenv)
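The schedule variables above (PROJECT_PATH, PACKAGE_MANAGER_SET) and the token variables from the CI/CD settings are all plain environment variables inside the job, so it is worth validating them before generic-update-script.rb runs. The following is an added example, not code from dependabot-script: a small Ruby preflight that checks the variables this post configures and redacts the tokens for logging. The variable names are the post's; the gitlab.com default and the list of known package managers are assumptions.

```ruby
# Added example (not part of dependabot-script): preflight check for the
# variables this post configures, to run in the GitLab job before
# generic-update-script.rb. Variable names are the post's; the gitlab.com
# default and the known-manager list below are assumptions.

# Package managers the post mentions; extend it from the linked list.
KNOWN_PACKAGE_MANAGERS = %w[npm_and_yarn pip].freeze

# Tokens stored as CI/CD variables; their values must never be logged.
REQUIRED_SECRETS = %w[GITLAB_ACCESS_TOKEN GITHUB_ACCESS_TOKEN].freeze

# Show only the last 4 characters of a secret in log output.
def redact(value)
  return "(unset)" if value.nil? || value.empty?
  "****#{value[-4..]}"
end

# Split PACKAGE_MANAGER_SET ("npm_and_yarn, pip") into the managers to run.
def selected_package_managers(env)
  env["PACKAGE_MANAGER_SET"].to_s.split(",").map(&:strip).reject(&:empty?)
end

# GitLab host to talk to; gitlab.com assumed unless GITLAB_HOSTNAME is set.
def gitlab_hostname(env)
  host = env["GITLAB_HOSTNAME"].to_s.strip
  host.empty? ? "gitlab.com" : host
end

# Return a list of problems; an empty list means the job may proceed.
def preflight(env)
  problems = []
  REQUIRED_SECRETS.each do |name|
    problems << "#{name} is not set" if env[name].to_s.empty?
  end
  path = env["PROJECT_PATH"].to_s
  # PROJECT_PATH must be namespace/project, e.g. dev-yakuza/deku-nextjs-boilerplate
  unless path.match?(%r{\A[\w.-]+(/[\w.-]+)+\z})
    problems << "PROJECT_PATH '#{path}' is not of the form namespace/project"
  end
  managers = selected_package_managers(env)
  problems << "PACKAGE_MANAGER_SET is empty" if managers.empty?
  (managers - KNOWN_PACKAGE_MANAGERS).each do |m|
    problems << "unknown package manager '#{m}' in PACKAGE_MANAGER_SET"
  end
  problems
end
```

Call preflight(ENV) from before_script and fail the job when the list is non-empty; marking the two token variables as masked in the GitLab CI/CD settings keeps them out of the job log as well.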
And then, let's execute the Schedule to check that Dependabot works well.
If there is no problem, you can see that a Merge request is created on the repository that you set in PROJECT_PATH, like the following.
ERROR: Job failed: failed to pull image dependabot/dependabot-script
Basically, you don't need to modify the .gitlab-ci.yml file. But depending on the GitLab configuration, the following error may occur.
ERROR: Job failed: failed to pull image "dependabot/dependabot-script" with specified policies [always]: Error response from daemon: pull access denied for dependabot/dependabot-script, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:237:2s)
In this case, you need to modify the .gitlab-ci.yml file like the following: the build-image job that builds the local dependabot/dependabot-script image is commented out, and the .dependabot job template uses the public dependabot/dependabot-core image directly instead.

```yaml
# The local image build is disabled; the runner no longer needs to build
# dependabot/dependabot-script itself.
# build-image:
#   tags:
#     - shell
#   stage: build
#   script:
#     - docker build -t "dependabot/dependabot-script" -f Dockerfile .

# Job template shared by the package-manager jobs; runs only from Schedules.
.dependabot:
  tags:
    - docker
  image: dependabot/dependabot-core
  before_script:
    - bundle install -j $(nproc) --path vendor
  variables:
    PACKAGE_MANAGER: $CI_JOB_NAME
  script:
    - bundle exec ruby ./generic-update-script.rb
  only:
    - schedules
```
After modifying it, when you execute the Schedule, you can see that the Merge request is created correctly.
Done! We've seen how to configure and execute Dependabot on self-managed GitLab without the Ultimate plan. If you use the newest version of a library, you can fix some security issues, and you don't need to do a massive version update later, so you don't have to spend a lot of time on version updates.