GitHub's Dependabot and Actions

I sent this to a friend who I’d been talking to about automation things, they probably didn’t expect this huge wall of text 😁 Since this isn’t a DM over social media, I’ve included the code and cleaned up the links, and shared it so hopefully I can find it in the future and it’ll help someone else who’s interested.

I’ve had this on my todo list so here goes.. I was going on about how cool Dependabot is, and how it automagically makes Pull Requests (PRs) for updating packages in repositories… since you asked for some details it’s probably easiest to show an example of how I’ve got it set up.

I have a repository which contains a Python package: yaleman/pyaussiebb.

Here’s the configuration file for Dependabot version updates. It says Every 2AM on a Saturday (AEST) look at the base directory for anything using pip (Python’s package manager) and create update PRs.

version: 2
- package-ecosystem: pip
  directory: /
    interval: weekly
    day: saturday
    time: "02:00"
    timezone: "Australia/Brisbane"

Here’s an example PR automagically created by the system. In the PR’s description it includes the release notes and changelog from the Python requests package to allow for simpler review. GitHub also computes a compatibility score across its ecosystem, giving it a score on how likely things are to work on your PR.

Dependabot PR in yaleman/pyaussiebb

This is also helped by GitHub Actions. I have actions in my repositories that run testing/linting on the code which are set to run when any PRs are created or when code is merged into certain branches.

Configuration for the pytest action in the above repository is here:

name: Run pytest

      - main  # Set a branch to deploy
    runs-on: ubuntu-latest
      - uses: actions/checkout@v2
          fetch-depth: 0    # Fetch all history for .GitInfo and .Lastmod
      - name: Set up Python 3.9
        uses: actions/setup-python@v2
          python-version: '3.9'
      - name: Running pytest
        run: |
          python --version
          python -m pip install --quiet --no-cache-dir --upgrade poetry
          poetry install
          poetry run python -m pytest test_mocked_*          

The “on” block tells Actions when I want it to run - when I push to the “main” branch, or any PRs are created. The “jobs” block defines tasks to run, and you can have them in a load of different combinations, but this one’s a single “install python and the package, then run pytest”.

Going back to the example PR, the pylint check was run and passed, so it allowed one of my other external automations to go “yep, tests passed, merge!”. The actions outputs/status show on the “steps” tab here.

You don’t have to just use the GitHub Actions runners; if you’re running Jenkins or another CI/CD platform then GitHub can integrate and include that in the workflows as well.

Another thing Dependabot can do is provide security scanning and alerting. GitHub has built a whole ecosystem around security alerting and you can tell it to scan and flag them as well - it’s all about linking issues to packages. It creates alerts in repositories (and at an account/organization level), and if there’s a patch to fix it, they’ll create a PR as well. You can flag things as “this isn’t applicable” or “work is in progress” which can be helpful to folks doing auditing.

Example GitHub Security Alert - Django Infinite Loop

#github #howto #dependabot #github actions #automation