Over the past couple of years, I’ve built a number of tools that are delivered as Docker containers. Part of the workflow I’ve set up involves automatic container builds using GitHub Actions.
It works great – I commit to the main or dev branches and I get a new container version tagged as :latest or :dev, respectively. I create a new release version, and I get a new container version tagged as :version-number.
BUT, and there’s a but. There’s always a but, right? I’m talking about automatically updating the individual actions in my actions scripts to keep pace with new releases. Doing that manually is work for just 1 container. For a bunch? Forget it.
Dependabot has entered the chat.
What does Dependabot do? Its purpose in life is to look through your repo and keep versions of various bits up to date. Simple, right? Ok, like I said before, I’ve got a number of containers I maintain. Between my container build and old version cleanup scripts, I use 7 actions. Multiply that times 14 container repos, and that’s a total of 98 action instances to keep up to date. Hands up, who wants to do that by hand? Nope.
The other thing I’m using Dependabot for is to keep certain bits in my Dockerfiles up to date as well. The main one I look out for is the python:3.x slim images. All of this is configured using a YAML file that I drop in the repo as /.github/dependabot.yml. Here’s an example dependabot.yml file:
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule: {interval: weekly}
    reviewers: [jcostom]
    assignees: [jcostom]
  - package-ecosystem: docker
    directory: /
    schedule: {interval: weekly}
    reviewers: [jcostom]
    assignees: [jcostom]
This example will review my actions scripts as well as my Dockerfiles weekly and propose updates in the form of pull requests.
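One thing worth checking before you hand the updates over to Dependabot is how those 98 action instances are referenced in the first place. An action pinned to a tag like @v4 follows whatever that tag points at; pinned to a full commit SHA it can only change when Dependabot opens a PR for it, which it does for SHA pins too. The script below is an added example (my own code, not part of the original post or of Dependabot) that walks a set of workflow files, counts the action instances and lists the ones not pinned to a 40-character commit SHA. The workflow texts are constructed samples: actions/checkout is a real action, the example-org/* names and the SHA are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Any `uses:` line in a workflow file, quoted or not, with or without a
# leading list dash; the trailing comment Dependabot writes after a SHA pin
# (e.g. "# v4.1.0") is excluded from the capture.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) for every remote action referenced in a workflow.

    Local actions (./path) and docker:// images are skipped: the
    github-actions ecosystem in dependabot.yml does not version those.
    """
    found = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        found.append((action, ref))
    return found


def unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Actions referenced by a mutable tag or branch instead of a full commit SHA."""
    return [(a, r) for a, r in parse_uses(workflow_text) if not FULL_SHA_RE.match(r)]


def audit_repos(repos: Dict[str, str]) -> Dict[str, object]:
    """Count action instances across repos and collect the mutable-ref ones per repo."""
    instances = 0
    mutable = {}
    for repo, text in repos.items():
        uses = parse_uses(text)
        instances += len(uses)
        bad = unpinned_actions(text)
        if bad:
            mutable[repo] = bad
    return {"instances": instances, "unpinned": mutable}


# Constructed sample workflows (not from the post). actions/checkout is a
# real action; example-org/* are placeholders and the SHA below is made up.
SAMPLE_REPOS = {
    "tool-a": """\
name: build
on: {push: {branches: [main, dev]}}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/container-build@0123456789abcdef0123456789abcdef01234567  # v2.3.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Remove old package versions
        uses: "example-org/ghcr-cleanup@v1"
""",
    "tool-b": """\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.0
""",
}

if __name__ == "__main__":
    report = audit_repos(SAMPLE_REPOS)
    print(f"{report['instances']} action instances across {len(SAMPLE_REPOS)} repos")
    for repo, refs in report["unpinned"].items():
        for action, ref in refs:
            print(f"{repo}: {action}@{ref} is not pinned to a commit SHA")
```

Point it at the workflow files under .github/workflows in each container repo and you get the same per-repo count the post arrives at by multiplication, plus the list of references that a tag move could change without a pull request ever appearing.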
Lots of great tutorials exist out there on Dependabot. Hopefully this piece has generated enough interest to get you started!