With recent security patches for Umbraco and a bit of time on my hands in the last few days, I finally set up Dependabot!
For those who don't know, Dependabot scans a repo's dependencies, updates them, and opens a PR so you can review the changes. Of course it doesn't run the site or test it for you (at least not on its own), but it's one less step in the process for you to handle!
I first tried to do this with Umbraco 8 using a different tool, NuKeeper, but Umbraco 8 could only be updated through Visual Studio or a zip because the install needed the console. Many an hour was spent on that one!
With the release of Umbraco 9 and the changes to NuGet, Umbraco had to change how they delivered the package, which means we can now automate. Just like Cloud.
In the root of your git repo, add a .github/dependabot.yml (or .yaml) file. This is where we configure Dependabot. There are a few differences depending on the platform you are using, so let's cover the basics here and then move on to the platform differences.
  # Enable version updates for nuget
  - package-ecosystem: nuget
    # Directory to start searching from
    # how many open PRs dependabot can have
    # Where the PRs should target
      # Name of dependency to ignore wildcards are allowed
      - dependency-name: "*"
        # Update types to ignore
Here you can see I am ignoring major releases, as I'd rather tackle those directly. The full documentation can be found over on GitHub, where you will also find that you can update other package ecosystems, including npm and Docker.
This is the only file you need! You can also create it using the UI; follow the guide.
The only thing missing here is when to run the updates! The simplest way is to add schedule.interval, which has a few options:
Interval types Frequency
daily Runs on every weekday, Monday to Friday.
weekly Runs once each week. By default, this is on Monday. To modify this, use schedule.day.
monthly Runs once each month. This is on the first day of the month.
Schedule can do more complex things of course; see the GitHub docs. That's it, you're up and running.
As Dependabot is a GitHub tool, we have to do a bit of extra work to get it to run on Azure DevOps. First we are going to need the unofficial Dependabot wrapper for Azure DevOps from the store; right now this is the only way I know of to get set up. Once this is installed, we need to create a new Azure pipeline and configure the yml file:
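Putting the pieces above together (the nuget entry, the major-version ignore rule and the schedule), here is a complete dependabot.yml as an added example. It is not the post's own file: the directory, PR limit, target branch, labels and the npm entry are assumptions for a typical Umbraco 9 repo and should be adjusted to match yours.

```yaml
# .github/dependabot.yml (added example, not the file from the post)
version: 2
updates:
  # NuGet packages for the Umbraco 9 site
  - package-ecosystem: "nuget"
    # Assumed: the .sln/.csproj sits in the repo root; point this at the
    # subfolder that holds the project file if yours is nested
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"              # only applies when interval is weekly
    # Assumed limit; Dependabot's default is 5 open PRs per ecosystem
    open-pull-requests-limit: 10
    # Assumed branch name; PRs are raised against this branch
    target-branch: "main"
    # Assumed label, useful for filtering Dependabot PRs in the UI
    labels:
      - "dependencies"
    ignore:
      # Skip major bumps of every package; those get handled by hand
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Assumed: front-end packages, if the site has a package.json
  - package-ecosystem: "npm"
    directory: "/src/Site.Web"   # placeholder path, adjust to your repo
    schedule:
      interval: "weekly"
```

Two things worth checking once this is committed: version: 2 is mandatory, and an ignore rule on "*" for major updates means a fix that only ships in a new major version will not be raised automatically, so those still need a manual look.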
  - cron: "0 1 * * 0" # 1am Sunday UTC
    always: true # run even when there are no code changes
    displayName: Weekly dependency check
  vmImage: "ubuntu-latest" # requires macos or ubuntu (windows is not supported)
  - task: dependabot@1
The task has a few configuration options, which you can find on GitHub.
If you have followed this, hopefully you have a few PRs to run through :D. Unfortunately there is no way to get Dependabot to do a single PR with all the updates, but a few pipeline updates or a GitHub PR workflow could allow you to do a lot more.
At the very least you will know if something builds and the tests pass.
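For reference, here is the whole pipeline file as an added example, keeping the post's cron, pool and task and adding the surrounding keys Azure Pipelines needs. It is not the post's own file or the extension's documentation: the branch name is assumed, the task is left without inputs (its options are documented on the extension's GitHub page), and it is assumed the task picks up the .github/dependabot.yml already in the repo.

```yaml
# azure-pipelines.yml (added example; not the file from the post)
# Don't run on pushes or PRs, this pipeline exists only for the schedule
trigger: none
pr: none

schedules:
  - cron: "0 1 * * 0"            # 1am Sunday UTC
    displayName: Weekly dependency check
    branches:
      include:
        - main                   # assumed default branch name
    always: true                 # run even when there are no code changes

pool:
  vmImage: "ubuntu-latest"       # requires macos or ubuntu (windows is not supported)

steps:
  # Task provided by the unofficial Dependabot extension for Azure DevOps;
  # inputs omitted here, see the extension's GitHub page for what it accepts
  - task: dependabot@1
    displayName: Run Dependabot
```

Without trigger: none the pipeline would also fire on every push to the default branch, which is rarely what you want for a dependency sweep.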