
dependabot-circleci

dependabot-circleci is, as its name suggests, a small dependabot for CircleCI orbs and container images. We created it because, at the time, it was nearly impossible to get changes into the official dependabot.



Getting Started

  1. Install the dependabot-circleci GitHub App in your organization.
  2. Enable dependabot-circleci on specific repositories by creating a dependabot-circleci.yml configuration file in the repository's .github directory. dependabot-circleci then raises pull requests to keep the dependencies you configure up to date.

Example dependabot-circleci.yml file

The example dependabot-circleci.yml file below configures version updates. If it finds outdated dependencies, it will raise pull requests against the target branch to update the dependencies.

# example dependabot-circleci.yml file

assignees:
  - github_username # for a single user
  - org/team_name # for a whole team (nested teams use the same syntax: org/team_name)
labels:
  - label1
  - label2
reviewers:
  - github_username # for a single user
  - org/team_name # for a whole team (nested teams use the same syntax: org/team_name)
target-branch: main
directory: "/.circleci/config.yml" # Path to the circleci config file, or folder to scan for config files
schedule: "monthly" # Options are daily, weekly, monthly

dependabot-circleci will recursively scan all the files and folders under the path given in the directory field for CircleCI config files. If it finds any outdated dependencies, it will raise pull requests against the branch given in the target-branch field. dependabot-circleci scans a maximum of 100 entities (folders or yaml/yml files).
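The scan described above has to pull orb and container-image references out of each CircleCI config it finds before it can compare them against upstream. As an added illustration, not the project's own code, the Go snippet below does that extraction over a constructed sample config; the regexes, type names and sample values are assumptions for this example, and unpinned images are reported with an empty version because nothing can be bumped for them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one orb or image reference; Version is "" when unpinned (cannot be bumped).
type Dependency struct{ Kind, Name, Version string }

// Constructed sample config; names and versions are illustrative only.
const SampleConfig = `version: 2.1
orbs:
  node: circleci/node@5.0.2
jobs:
  build:
    docker:
      - image: cimg/go:1.20
      - image: registry.example.com:5000/team/app:2.3.4
      - image: redis
`

var orbRe = regexp.MustCompile(`^\s*[\w-]+:\s*([\w-]+/[\w-]+)@([^\s"']+)`)
var imageRe = regexp.MustCompile(`^\s*-?\s*image:\s*["']?([^\s"']+)`)

// splitImage separates "name:tag"; a ':' followed by '/' is a registry port, not a tag.
func splitImage(ref string) (string, string) {
	if i := strings.LastIndex(ref, ":"); i >= 0 && !strings.Contains(ref[i:], "/") {
		return ref[:i], ref[i+1:]
	}
	return ref, ""
}

// ExtractDependencies scans a CircleCI config line by line, returning orbs and images in file order.
func ExtractDependencies(config string) []Dependency {
	var deps []Dependency
	for _, line := range strings.Split(config, "\n") {
		if m := orbRe.FindStringSubmatch(line); m != nil {
			deps = append(deps, Dependency{"orb", m[1], m[2]})
		} else if m := imageRe.FindStringSubmatch(line); m != nil {
			name, tag := splitImage(m[1])
			deps = append(deps, Dependency{"image", name, tag})
		}
	}
	return deps
}

func main() { fmt.Println(ExtractDependencies(SampleConfig)) }
```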



Configuration options for dependency updates

The dependabot-circleci configuration file, dependabot-circleci.yml, uses YAML syntax. You must store this file in the .github directory of your repository.

Option         Required  Description                                                Default
-------------  --------  ---------------------------------------------------------  --------------------------
assignees                Assignees to set on pull requests                          n/a
labels                   Labels to set on pull requests                             n/a
reviewers                Reviewers to set on pull requests                          n/a
target-branch            Branch to create pull requests against                     Default branch in the repo
directory                Path to the circleci config file, or folder to be scanned  /.circleci/config.yml
schedule                 When to look for updates                                   daily


Contributing

We welcome issues, pull requests, etc.

Running locally

  1. Clone the repository.
  2. Make sure your secrets file is in place.
     2.1 BESTSELLER folks can use Harpocrates to get them from Vault:

         harpocrates -f secrets-local.yaml --vault-token $(vault token create -format=json | jq -r '.auth.client_token')

     2.2 Others will have to fill out this template in any other way:

         {
           "datadog": {
             "api_key": ""
           },
           "github": {
             "app": {
               "integration_id": "",
               "private_key": "",
               "webhook_secret": ""
             },
             "oauth": {
               "client_id": "",
               "client_secret": ""
             },
             "v3_api_url": "https://api.github.com/"
           },
           "http": {
             "token": ""
           },
           "server": {
             "port": 3000,
             "public_url": ""
           },
           "bestseller_specific": {
             "token": ""
           }
         }

  3. Run dependabot-circleci using Docker Compose. --build ensures that the latest version of the code is used:

         docker-compose up --build

  4. Test the worker by sending a POST request to http://localhost:3000/worker with the following payload:

         curl --request POST \
           --url http://localhost:3000/start \
           --header 'Content-Type: application/json' \
           --data '{"Org":"BESTSELLER","Repos": ["dependabot-circleci"]}'

  5. If you want to debug the worker without Docker:
     1. Add the env vars from the docker-compose file to your local environment to match the worker.
     2. Run/Debug in your IDE with the -worker flag.