Self-Hosting Dependabot via Docker
Dependabot is a really neat tool that helps keep your dependencies secure and up to date. It creates pull requests to your Git repositories with the updated dependencies. It works with a wide variety of package managers and languages like NPM/Yarn, Composer, Python, Ruby, Docker, Rust, and Go.
As someone who uses GitHub Enteprise, a little bit of extra work needs to be done in order to self-host Dependabot. After fiddling around with it for a few days, I've finally gotten it working, so I figured it would be worth writing up and sharing with everyone!
My setup consists of a server dedicated to running Docker containers, however any AMD64 system where Docker can run should do the trick. First I cloned the
dependabot-script Git repository (I ran this in my
/home/jimmy/Developer/github.com/dependabot directory - but you can put it wheverver you'd like):
git clone https://github.com/dependabot/dependabot-script.git
Next, I pulled the
dependabot-core Docker image:
docker pull dependabot/dependabot-core
Once the Docker image has been pulled we need to run it to install some dependencies:
docker run -v "$(pwd):/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script dependabot/dependabot-core bundle install -j 3 --path vendor
Make sure you're in the cloned
dependabot-script directory (
/home/jimmy/Developer/github.com/dependabot/dependabot-script directory for me) when you run that. It shouldn't take very long to run.
Next we need to make a little change to fix an issue which seems to prevent Dependabot from running properly. So let's run this:
docker run -d -v "$(pwd):/home/dependabot/dependabot-script" \ -w /home/dependabot/dependabot-script \ dependabot/dependabot-core sleep 300
This will start up Dependabot as a detached container and it'll sleep for 300 seconds before exiting. This should give us enough time to run a couple commands. Once the above command has been run, use the following command to enter into the container:
docker ps |grep dependabot-core # get the id of the container docker exec -it $containerId bash
You should now be inside your Dependabot container. I was able to find this issue on GitHub which allowed me to fix and run Dependabot without issue. We need to edit the Gemfile - which can be done while inside the container or outside, it's up to you. I initially did it from inside the container, but either works. Since
nano wasn't available I had to install that first, I didn't check to see if
vim were but if they aren't you can use a similar approach. From within the container I ran:
apt -y update && apt -y install nano nano Gemfile
I then edited:
gem "dependabot-omnibus", "~> 0.118.8"
gem "dependabot-omnibus", "~> 0.130.2"
Save and exit. Then run:
bundle _1.17.3_ install bundle _1.17.3_ update
Once that was done, I exited the container and attempted to run Dependabot normally.
docker run --rm -v "$(pwd):/home/dependabot/dependabot-script" \ -w /home/dependabot/dependabot-script \ -e GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN \ -e GITHUB_ENTERPRISE_HOSTNAME=$GHE_HOSTNAME \ -e GITHUB_ENTERPRISE_ACCESS_TOKEN=$GITHUB_ENTERPRISE_ACCESS_TOKEN \ -e PROJECT_PATH=jimmybrancaccio/emil-scripts \ -e PACKAGE_MANAGER=composer \ dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb
I recommend going to GitHub.com and setting up a personal access token (I only checked off the repo checkbox - but even that might not be needed). This allows you to make more requests to the GitHub.com API. Without this I ran into API rate-limiting quickly. If you do create a personal access token for GitHub.com replace
$GITHUB_ACCESS_TOKEN with your token, otherwise just remove that whole line. Next you'll want to replace
$GHE_HOSTNAME with your actual GitHub Enterprise hostname. You can either replace
$GITHUB_ENTERPRISE_ACCESS_TOKEN with a personal access token from your GitHub Enterprise of your own account, or what I did was I created a separate account for Dependabot and generated a personal access token for that account. After that you just need to make sure
PACKAGE_MANAGER have proper values.
I wrote a very simple Bash script with essentially a bunch of those Docker
run "blocks". Once for each repository that I wanted Dependabot to monitor. I setup a cronjob for the script to run once a day as well. You can set that part of it up as you see fit though.