Dependabot is a really neat tool that helps keep your dependencies secure and up to date. It creates pull requests to your Git repositories with the updated dependencies. It works with a wide variety of package managers and languages like NPM/Yarn, Composer, Python, Ruby, Docker, Rust, and Go.
As someone who uses GitHub Enterprise, a little bit of extra work needs to be done in order to self-host Dependabot. After fiddling around with it for a few days, I've finally gotten it working, so I figured it would be worth writing up and sharing with everyone!
My setup consists of a server dedicated to running Docker containers; however, any AMD64 system where Docker can run should do the trick. First I cloned the dependabot-script Git repository (I ran this in my /home/jimmy/Developer/github.com/dependabot directory, but you can put it wherever you'd like):
git clone https://github.com/dependabot/dependabot-script.git
Next, I pulled the dependabot-core Docker image:
docker pull dependabot/dependabot-core
Once the Docker image has been pulled we need to run it to install some dependencies:
docker run -v "$(pwd):/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script dependabot/dependabot-core bundle install -j 3 --path vendor
Make sure you're in the cloned dependabot-script directory (the /home/jimmy/Developer/github.com/dependabot/dependabot-script directory for me) when you run that. It shouldn't take very long to run.
Next we need to make a little change to fix an issue which seems to prevent Dependabot from running properly. So let's run this:
docker run -d -v "$(pwd):/home/dependabot/dependabot-script" \
-w /home/dependabot/dependabot-script \
dependabot/dependabot-core sleep 300
This will start up Dependabot as a detached container, and it'll sleep for 300 seconds before exiting. This should give us enough time to run a couple of commands. Once the above command has been run, use the following commands to enter the container (the second one takes the container ID printed by the first):
docker ps | grep dependabot-core # get the id of the container
docker exec -it $containerId bash
You should now be inside your Dependabot container. I was able to find this issue on GitHub which allowed me to fix and run Dependabot without issue. We need to edit the Gemfile, which can be done from inside the container or outside; it's up to you. I initially did it from inside the container, but either works. Since nano wasn't available I had to install that first; I didn't check whether vi or vim were available, but if they aren't you can use a similar approach. From within the container I ran:
apt -y update && apt -y install nano
nano Gemfile
I then edited:
gem "dependabot-omnibus", "~> 0.118.8"
to
gem "dependabot-omnibus", "~> 0.130.2"
Save and exit. Then run:
bundle _1.17.3_ install
bundle _1.17.3_ update
Once that was done, I exited the container and attempted to run Dependabot normally.
docker run --rm -v "$(pwd):/home/dependabot/dependabot-script" \
-w /home/dependabot/dependabot-script \
-e GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN \
-e GITHUB_ENTERPRISE_HOSTNAME=$GHE_HOSTNAME \
-e GITHUB_ENTERPRISE_ACCESS_TOKEN=$GITHUB_ENTERPRISE_ACCESS_TOKEN \
-e PROJECT_PATH=jimmybrancaccio/emil-scripts \
-e PACKAGE_MANAGER=composer \
dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb
I recommend going to GitHub.com and setting up a personal access token (I only checked off the repo checkbox, but even that might not be needed). This allows you to make more requests to the GitHub.com API; without it I ran into API rate-limiting quickly. If you do create a personal access token for GitHub.com, replace $GITHUB_ACCESS_TOKEN with your token; otherwise just remove that whole line. Next you'll want to replace $GHE_HOSTNAME with your actual GitHub Enterprise hostname. You can either replace $GITHUB_ENTERPRISE_ACCESS_TOKEN with a personal access token for your own account on your GitHub Enterprise instance, or do what I did and create a separate account for Dependabot and generate a personal access token for that account. After that you just need to make sure PROJECT_PATH and PACKAGE_MANAGER have proper values.
I wrote a very simple Bash script with essentially a bunch of those docker run blocks, one for each repository that I wanted Dependabot to monitor. I set up a cronjob for the script to run once a day as well. You can set that part of it up as you see fit though.
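Here is an added example of what such a wrapper script can look like. It is my own code, not the author's script: the docker run command it builds is the one from the post, but the "owner/repo:package_manager" list format, the DEPENDABOT_REPOS, DEPENDABOT_SCRIPT_DIR and DEPENDABOT_DRY_RUN variables, the function names and the sample repository list are assumptions. Two things it does differently from a plain copy-paste of the blocks are worth noting: the tokens are passed to docker as bare -e NAME, so docker copies them from the script's environment instead of putting the secret on the command line (where it would show up in shell history and process listings), and every list entry is checked against a conservative character set before it is spliced into a command.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's
# "docker run ... generic-update-script.rb" command once per repository.
# Entry format, variable names and function names are my own assumptions.
set -u

# One entry per line: owner/repo:package_manager. Constructed sample list;
# "composer" is the value used in the post, "npm_and_yarn" is the
# dependabot-script name for NPM/Yarn projects.
DEPENDABOT_REPOS="${DEPENDABOT_REPOS:-jimmybrancaccio/emil-scripts:composer
example-org/example-frontend:npm_and_yarn}"

# Path to the cloned dependabot-script checkout (defaults to the cwd).
DEPENDABOT_SCRIPT_DIR="${DEPENDABOT_SCRIPT_DIR:-$PWD}"

# Refuse to run without the GHE hostname and token, so a cron job fails
# loudly instead of quietly talking to the wrong API.
check_env() {
  if [ -z "${GITHUB_ENTERPRISE_HOSTNAME:-}" ]; then
    echo "GITHUB_ENTERPRISE_HOSTNAME is not set" >&2; return 1
  fi
  if [ -z "${GITHUB_ENTERPRISE_ACCESS_TOKEN:-}" ]; then
    echo "GITHUB_ENTERPRISE_ACCESS_TOKEN is not set" >&2; return 1
  fi
  return 0
}

# Accept only "owner/repo:pm" built from [A-Za-z0-9._/:-], so a bad line
# in the list cannot smuggle shell syntax into the eval in run_all.
valid_entry() {
  case "$1" in
    */*:*) ;;          # must contain a slash and a colon
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9._/:-]*) return 1 ;;   # any character outside the set
  esac
  return 0
}

# Print the docker run command for one repository ($1 = owner/repo,
# $2 = package manager). Bare "-e NAME" makes docker read the value from
# this process's environment rather than from the command line.
build_cmd() {
  repo="$1"; pm="$2"
  cmd="docker run --rm -v \"$DEPENDABOT_SCRIPT_DIR:/home/dependabot/dependabot-script\""
  cmd="$cmd -w /home/dependabot/dependabot-script"
  if [ -n "${GITHUB_ACCESS_TOKEN:-}" ]; then   # optional GitHub.com token
    cmd="$cmd -e GITHUB_ACCESS_TOKEN"
  fi
  cmd="$cmd -e GITHUB_ENTERPRISE_HOSTNAME -e GITHUB_ENTERPRISE_ACCESS_TOKEN"
  cmd="$cmd -e PROJECT_PATH=$repo -e PACKAGE_MANAGER=$pm"
  cmd="$cmd dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb"
  printf '%s\n' "$cmd"
}

# Run every configured update; with DEPENDABOT_DRY_RUN=1 only print the
# commands (useful for checking what the cron environment would execute).
run_all() {
  printf '%s\n' "$DEPENDABOT_REPOS" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if ! valid_entry "$entry"; then
      echo "skipping malformed entry: $entry" >&2
      continue
    fi
    repo="${entry%:*}"; pm="${entry##*:}"
    cmd="$(build_cmd "$repo" "$pm")"
    if [ "${DEPENDABOT_DRY_RUN:-0}" = "1" ]; then
      printf '%s\n' "$cmd"
    else
      eval "$cmd" || echo "dependabot failed for $repo" >&2
    fi
  done
}

# Save this as run-dependabot.sh and execute it to run the updates; under
# any other name (or when sourced) the file only defines the functions.
case "$0" in
  *run-dependabot.sh)
    check_env || exit 1
    run_all
    ;;
esac
```

For the daily cron job, export GITHUB_ENTERPRISE_HOSTNAME and GITHUB_ENTERPRISE_ACCESS_TOKEN (and optionally GITHUB_ACCESS_TOKEN) in the cron environment or an environment file with restrictive permissions, then call the script from the dependabot-script directory; running it once with DEPENDABOT_DRY_RUN=1 first shows exactly which commands will execute.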