Automated Dependency Management: Harnessing Dependabot for Seamless Updates on Azure DevOps

Sugam AroraSugam Arora
6 min read

Introduction

In the ever-evolving landscape of software development, managing dependencies is paramount to ensure the stability, security, and efficiency of your projects. One powerful tool that streamlines this process is Dependabot, a trusted automated dependency management service. In this article, we will delve into the seamless integration of Dependabot with Azure DevOps, empowering you to effortlessly keep your dependencies up-to-date and your projects secure.

How Dependabot Works

Dependabot operates by scanning the dependency files in your project’s repository to identify any outdated or insecure dependencies. It uses version constraints from these files (e.g., package.json, Gemfile) to determine the latest versions that are compatible with your project. Dependabot then checks for updates by querying package registries (such as npm, RubyGems, and Maven) to find newer versions.

When Dependabot discovers an outdated dependency, it creates a pull request (PR) to update that dependency to the latest compatible version. The PR includes details about the outdated version, the new version available, and any release notes or changelogs provided by the package maintainers.

Dependabot also considers dependency constraints, such as version ranges specified in your configuration files, ensuring that the updated dependency complies with these constraints. This helps prevent breaking changes from being automatically applied to your project.After creating a PR, Dependabot monitors it for any conflicts or feedback. If the PR is merged, Dependabot closes the associated issue and continues to monitor for future updates, repeating the process to keep your dependencies up to date.

While Dependabot is natively integrated with GitHub, I recently encountered the challenge of updating dependencies for a project hosted on Azure DevOps. To address this, here is a workaround to integrate Dependabot with Azure Pipelines.

GitHub Core & GitHub Script: Powering Development

GitHub Core and GitHub Script are essential components of GitHub’s ecosystem, providing powerful capabilities for developers to enhance their workflows and automate tasks.

GitHub Core serves as the foundational framework for various GitHub features and functionalities, ensuring the smooth operation of repositories, issues, pull requests, and more. It forms the backbone of GitHub’s user interface and backend processes, enabling seamless collaboration and version control for teams worldwide.

On the other hand, GitHub Script offers a collection of scripts and tools that extend GitHub’s functionality, allowing developers to automate repetitive tasks, customize workflows, and integrate with third-party services. These scripts leverage GitHub Actions, empowering users to build, test, and deploy their code directly from their repositories.

Together, GitHub Core and GitHub Script exemplify GitHub’s commitment to providing developers with robust tools and resources to streamline their development processes and enhance productivity.

Dependabot & Azure DevOps Integration

Step 1: Install the Dependabot extension in your Azure DevOps organization

First, we will install the Dependabot extension in the Azure DevOps organization. To ensure we have access to this extension, we can check our “Organization Settings” in Azure DevOps.

Organization Settings

Extensions

If the extension is not installed, we need to navigate to the Azure DevOps Extension Marketplace and search for “Dependabot,” we will discover an extension developed by Tingle Software. This extension facilitates the seamless integration of Dependabot with our repositories in Azure DevOps.
You can find the Azure DevOps Extension Marketplace here

Marketplace

Dependabot Extension

Step 2: Configuring Project Collection Build Service Access for Dependabot Pull Requests

The next step is to grant the Project Collection Build Service access to your repository. This allows Dependabot to create pull requests in your project’s repositories. To grant the Project Collection Build Service access to your repository, follow these steps:

Navigate to your project settings in Azure DevOps and select the repository where you’ve integrated the pipeline. In the repository settings, locate the “Security” tab and search for “Project Collection Build Service.” Once found, ensure the following access permissions are enabled for the service:

  • Contribute

  • Contribute to pull request

  • Create Branch

  • Create Tag

  • Force Push

  • Read

These permissions allow Dependabot to create pull requests and make necessary changes to your repository, ensuring smooth integration with your Azure Pipelines.

Security Permissions

Step 3 : Automating Terraform Dependency Updates in Azure DevOps with Dependabot

Once the Dependabot extension is installed and permissions are set, you can set up Dependabot for your Azure DevOps repositories to scan for dependencies using an Azure DevOps Pipeline. Here’s how:

  • Go to your Azure DevOps project and locate the Git repository you want to set up Dependabot for

  • Add a configuration file stored at .github/dependabot.yml, conforming to the official specification. This file will define how Dependabot should check for updates and create pull requests for your Terraform dependencies.

Dependabot.yml script

# Welcome to Dependabot! This configuration file helps you automate version
# updates for your Maven dependencies. Specify the package ecosystems to update
# and where the package manifests are located. For more options, see the docs:
#https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Define the package ecosystem and directory for Maven dependencies
- package-ecosystem: "maven"
directory: "/"
# Limit the number of open pull requests to prevent flooding
open-pull-requests-limit: 20
schedule:
# Set the interval for Dependabot to check for updates
interval: "daily"
# Uncomment the line below to check for updates every day
# interval: "daily"

Dependabot.yml

This configuration file not only sets up Dependabot for Maven dependencies but also provides clear and concise explanations for each section, making it easier for others to understand and maintain.

Step 3: Create a new YAML file for your Azure Pipeline

Now that we have our Dependabot configuration file in place, we can set up our Azure DevOps Pipeline to run the Dependabot scan. Follow these steps:

  • Go to your Azure DevOps project.

  • Create a new Pipeline.

  • Select your Git repo.

  • Choose the Starter Pipeline template or copy the following YAML code into a .yaml file to be used:

# Dependabot
# Maven
# Build your Java project and run tests with Apache Maven.
# Add steps that analyze code, save build artifacts, deploy, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/java
trigger:
- master
schedules:
- cron: "0 0 * * *"
displayName: Every midnight
branches:
include:
- main
always: true
pool:
name: TestAgent
demands:
- Agent.Name -equals NewAgent
stages:
- stage: CheckDependencies
displayName: 'Check Dependencies'
jobs:
- job: Dependabot
displayName: 'Run Dependabot'
variables:
- name: DIRECTORY_PATH
value: /
- name: PACKAGE_MANAGER
value: maven
- name: PROJECT_PATH
value: sugamarora23/_git/DriveEasy
# Optional : User to assign to the created pull request
# Name : Assignee
# value : any
steps:
- task: dependabot@1
displayName: 'Run Dependabot'
inputs:
failOnException: false
- script: git clone https://github.com/dependabot/dependabot-script.git
displayName: Clone Dependabot config repo
- script: |
cd dependabot-script
docker build -t "dependabot/dependabot-script" -f Dockerfile .
displayName: Build Dependabot Image
- script: |
docker run - rm -e AZURE_ACCESS_TOKEN='$(PAT)' \
-e GITHUB_ACCESS_TOKEN='$(GHPAT)' \
-e PACKAGE_MANAGER='$(PACKAGE_MANAGER)' \
-e PROJECT_PATH='$(PROJECT_PATH)' \
-e DIRECTORY_PATH='$(DIRECTORY_PATH)' \
dependabot/dependabot-script
displayName: Dependabot

This YAML pipeline includes the Maven build step before initializing and running Dependabot for Maven. Adjust the paths and Maven goals as per your project requirements.

In the pipeline script, we have defined two important variables: PAT, which stands for Personal Access Token, and GHPAT, which stands for GitHub Access Token. These tokens play a crucial role in enabling secure and authenticated interactions with Azure DevOps and GitHub, ensuring that our pipeline runs smoothly and securely.

Pipeline

Pipeline Status

Pipeline Logs

Pull Requests by Dependabot

Conclusion

In conclusion, the integration of Dependabot with Azure DevOps revolutionizes the management of dependencies, enhancing the security, stability, and efficiency of your projects. By automating the process of dependency updates, this integration streamlines workflows, saves time, and ensures that your codebase remains secure and up-to-date. Embrace this powerful combination to elevate your development practices and deliver higher-quality software with confidence.

Thank you for taking the time to read my blog. Your feedback is immensely valuable to me. Please feel free to share your thoughts and suggestions.

40
Subscribe to my newsletter

Read articles from Sugam Arora directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Sugam Arora
Sugam Arora