---
title: Dependabot
author: mo (xlgmokha) (he/him)
date: 2021-11-17
---

# Dependabot

```plaintext
=----------------------------------------------------------------------=
------------------------------------------------------------------------
------------------------------------------------------------------------
------------------------------------------------------------------------
------------------------------------------------------------------------
------------------------------------------------------------------------
---------------------------------*@@@@@@@-------------------------------
--------------------------------:*@@@@@@@-------------------------------
--------------------------------:#@@@@@@@-------------------------------
---------------------------------+%%%%@@@-------------------------------
--------------------------------------*@@=------------------------------
----------------*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*----------------
---------------=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=---------------
---------------=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=---------------
---------------=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=---------------
---------------=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=---------------
--------------:-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-:--------------
-------------+%%@@@@@@@@@@@@%+--+@@@@@@@@@@@@%+--#@@@@@@%%+-------------
-------------#@@@@@@@@%=-=#*-::=*@@@@@@%=-+#+-:-=#@@@@@@@@#-------------
-------------#@@@@@@@@@+-:-:-=#@@@@@@@@%=-:-:-=#@@@@@@@@@@#-------------
-------------#@@@@@@@@@@%+-=#@@@@@@@@@@@@%+-=#@@@@@@@@@@@@#-------------
-------------#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#-------------
-------------=+*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*+=-------------
--------------:-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-:--------------
---------------=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@=---------------
----------------#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#----------------
------------------===============------===============------------------
---------------------------------*####*---------------------------------
--------------------------------#@@@@@@#--------------------------------
--------------------------------@@@@@@@@--------------------------------
-------------------------------+@@@@@@@@+-------------------------------
-------------------------------%@@@@@@@@%-------------------------------
-------------------------------%@@@@@@@@%-------------------------------
--------------------------------+@@@@@@+--------------------------------
--------------------------------:-#@@#-:--------------------------------
=----------------------------------==----------------------------------=
```

Based on a true story.

# $ whoami

```plaintext
mo khan
@xlgmokha
Senior Software Engineer
Dependabot

LfCCtt11fffLttftfttt11ttL08888888888
tfLCCLLLCLft1tttttttfG8@@@88@@@@@@@8
CCCCCCCLtiiiii11111itLG8@8@88888008@
CCCCCGf;;;iiiii11tt11i1tLGfttt111ii1
CCCCGf;ii;;;;;i1fft1;:,:ift1111iff11
CCCGL::;,,,,,,::;1fi:,:;:;Lftt11ffff
CCCGi,:,::,:,.,,:itf1:;;:1CL11111tt1
CCCGi,::,.:1;,,;iitfCLt11fG0Lffff1tt
CCCCf:::;::::;iii1tffLCLftfLGLt1iii1
LLLC1::it1t1tt1;i;,,;i,:1i;i1L1,...:
LLLLf::;11t11i;;:.,,::;tft;:;tt. .
ffffL1::;;;;::;;;;;;;;i1tti;;1fi;ii1
tttttt;:::::,,,,::::;;i1tfffi1fC8088
1111tit1::::::::,:::;;::;ttftttiCGG0
iiii;;i;i;:,::::::::::;i1tttft1if0G0
ti;::;;;i11;,,,::::;;;;;;iiii11;f0G0
ffft1fCCCG0Cfi:::::,,::;;;;:;;:;CGG0
;fGGG0000GGCGLi;:::::;;;;::::,:CGCG0
```

# Agenda

1. What is Dependabot?
1. Dependabot on dotcom
1. Dependabot on GHES
1. Community
1. Help Wanted

I talk fast. Try to keep up. 😅

# What is Dependabot?

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
```

|
|
V

```diff
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -78,7 +78,7 @@ GEM
 minitest (5.14.4)
- net-hippie (1.0.0)
+ net-hippie (1.1.1)
 nio4r (2.5.8)
```

# Map of Dependabot (dotcom)

```plaintext
(diagram flattened by extraction; components and flow as labelled)

$ git push  -->  GitHub DC
                   dotcom  -- webhooks, hyro -->  🤖-api
                                                    |
                 AWS                                |
                   SQS Queue (o,x,o,o,x,...)  <-----+
                     |
                     v
                   🤖-updater   <- The ~magic~ danger happens here.
                     |
                     +--> pypi.org
                     +--> rubygems.org
                     +--> npmjs.org
                     +--> ...
```

# Dependabot - Runtime (dotcom)

```plaintext
(diagram flattened by extraction; components and flow as labelled)

SQS
 |
 v
ec2-metal
  job runner
    |
    v
  firecracker vm
    job guest
      docker
        🤖-updater  --+
                      |  (updater egress goes up to the host-side proxy)
  docker (export env) |
    🤖-proxy  <-------+
      ->->-> pypi.org
      ->->-> rubygems.org
      ->->-> npmjs.org
      ->->-> ...
```

The 🤖-updater is the component that runs package-manager tooling against manifests and lockfiles controlled by the repository being updated, which is why the diagram marks it as where the danger happens: on dotcom it runs inside a Firecracker guest on an ec2-metal host, and its only path to pypi.org, rubygems.org, npmjs.org and the rest is 🤖-proxy on the host, not a direct connection (the 0001-firecracker ADR linked at the end covers the decision).

# Map of Dependabot (GHES)

```plaintext
(diagram flattened by extraction; components and flow as labelled)

$ git push  -->  GitHub DC
                   dotcom  -- webhooks, hyro -->  🤖-api
                                                    |
                   Actions  <-----------------------+
```

# Dependabot - Runtime (GHES)

```plaintext
(diagram flattened by extraction; components and flow as labelled)

dependabot/action
  docker
    🤖-updater
       |
       v
    🤖-proxy  -------->  pypi.org
              -------->  rubygems.org
              -------->  npmjs.org
              -------->  ...
```

On GHES the same 🤖-updater and 🤖-proxy pair runs inside a Docker container under dependabot/action, that is, as an Actions job, rather than in a Firecracker guest on dedicated ec2-metal hosts.

# Dependabot - Community

```plaintext
🤖-updater (private)                  🤖-core (public OSS)
  /bin                                  /bin
    - run.sh fetch|update                 - dry-run.rb
  /lib                                  /bundler
    - fetch.rb                            - file_fetcher
    - update.rb                           - file_parser
  Gemfile                                 - file_updater
    - dependabot-omnibus   ---->          - update_checker
    - dependabot-bundler                /npm
    - dependabot-npm                    /python
    - dependabot-python                 /...
    - dependabot-...
```

**dependabot/dependabot-core** is a public repo that accepts community contributions.

* 50+ Open Pull Requests
* 700+ Open Issues
* 140+ Contributors
* Supports:
  * Azure
  * BitBucket
  * GitHub
  * GitLab
* 15+ supported ecosystems
* Used by 56 Public Repos
* Oldest Open PR (2018)

https://github.com/dependabot/dependabot-core

# Dependabot - Community Contributions

```bash
モ gh repo clone dependabot/dependabot-core
モ cd dependabot-core
モ ./bin/docker-dev-shell
> image dependabot/dependabot-core-development already exists
=> running docker development shell
[dependabot-core-dev] $
```

# Dependabot - Community Contributions

```bash
モ gh repo clone dependabot/dependabot-core
モ cd dependabot-core
モ ./bin/docker-dev-shell
> image dependabot/dependabot-core-development already exists
=> running docker development shell
[dependabot-core-dev] $ ./bin/dry-run.rb go_modules cli/cli
```

# Dependabot - Community Contributions

```bash
モ gh repo clone dependabot/dependabot-core
モ cd dependabot-core
モ ./bin/docker-dev-shell
> image dependabot/dependabot-core-development already exists
=> running docker development shell
[dependabot-core-dev] $ ./bin/dry-run.rb go_modules cli/cli
=> cloning into /home/dependabot/dependabot-core/tmp/cli/cli
=> parsing dependency files
=> updating 34 dependencies: github.com/AlecAivazis/survey/v2, github.com/MakeNowJust/heredoc, github.com/briandowns/spinner, github.com/charmbracelet/glamour, github.com/cli/browser, github.com/cli/oauth, github.com/cli/safeexec, github.com/cpuguy83/go-md2man/v2, github.com/creack/pty, github.com/gabriel-vasile/mimetype, github.com/google/go-cmp, github.com/google/shlex, github.com/gorilla/websocket, github.com/hashicorp/go-version, github.com/henvic/httpretty, github.com/itchyny/gojq, github.com/kballard/go-shellquote, github.com/mattn/go-colorable, github.com/mattn/go-isatty, github.com/mgutz/ansi, github.com/muesli/reflow, github.com/muesli/termenv, github.com/muhammadmuzzammil1998/jsonc, github.com/opentracing/opentracing-go, github.com/shurcooL/githubv4, github.com/skratchdot/open-golang, github.com/sourcegraph/jsonrpc2, github.com/spf13/cobra, github.com/spf13/pflag, github.com/stretchr/testify, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, gopkg.in/yaml.v3

=== github.com/AlecAivazis/survey/v2 (2.3.2)
=> checking for updates 1/34
=> latest available version is 2.3.2
=> latest allowed version is 2.3.2 (no update needed as it's already up-to-date)

=== github.com/MakeNowJust/heredoc (1.0.0)
=> checking for updates 2/34
=> latest available version is 1.0.0
=> latest allowed version is 1.0.0 (no update needed as it's already up-to-date)
```

# Dependabot - Debugging Private Registries

Debugging issues related to private registries is difficult. We're working on it.
[github/dependabot-updates/pull/1956](https://github.com/github/dependabot-updates/pull/1956)

# Dependabot - Gimme some mo'

* [Rewatch: Life of Dependabot Job](https://github.rewatch.com/video/nnat4r6492aj3bvf-life-of-a-dependabot-job)
* [0001-firecracker ADR](https://github.com/github/dependabot-updates/blob/main/docs/adrs/0001-firecracker.md)
* [Kickoff Doc: Dependabot Runtime on GHES](https://github.com/github/dependabot-updates/blob/main/docs/kickoff/2021-06-24-ghes-runtime.md)
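# Dependabot - Reading dry-run output

The `bin/dry-run.rb` transcript in the Community Contributions slides prints, per dependency, the current version, the latest version available upstream and the latest version Dependabot is allowed to pick. The gap between those last two is the one worth watching: when "allowed" trails "available", a manifest constraint or an `ignore` rule is holding the dependency below the newest release, and a fix that shipped upstream will never arrive as a PR. The script below is an added example, not part of dependabot-core, that turns a dry-run log into that verdict per dependency. It assumes only the three line shapes visible in the slide output (`=== name (version)`, `=> latest available version is X`, `=> latest allowed version is Y`); the `example.com/constructed/*` entries in the sample log are constructed to exercise the update-available and held-back cases, which the slide's output does not show.

```ruby
# Added example (not dependabot-core code): classify dependencies from the
# output of `bin/dry-run.rb`. Only the three line shapes seen in the slide
# output are parsed:
#   === <name> (<current version>)
#   => latest available version is <X>
#   => latest allowed version is <Y> [ (no update needed ...) ]
# Everything else (cloning, parsing, "checking for updates i/n") is ignored.

DryRunEntry = Struct.new(:name, :current, :available, :allowed, keyword_init: true) do
  # :up_to_date       - allowed == available == current
  # :update_available - a newer version is allowed and would be proposed
  # :held_back        - a newer version exists upstream but a constraint or
  #                     ignore rule keeps the allowed version below it
  # :unknown          - the dry-run never printed a verdict for this entry
  def status
    return :unknown if available.nil? || allowed.nil?
    return :held_back if allowed != available
    return :up_to_date if current == allowed
    :update_available
  end
end

# Parse the whole log into DryRunEntry objects, in the order they appeared.
def parse_dry_run(log)
  entries = []
  entry = nil
  log.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A===\s+(\S+)\s+\((\S+)\)\z/))
      entry = DryRunEntry.new(name: m[1], current: m[2])
      entries << entry
    elsif entry && (m = line.match(/\A=>\s+latest available version is\s+(\S+)/))
      entry.available = m[1]
    elsif entry && (m = line.match(/\A=>\s+latest allowed version is\s+(\S+)/))
      entry.allowed = m[1]
    end
  end
  entries
end

# Group dependency names by status, e.g. { up_to_date: [...], held_back: [...] }.
def summarize(log)
  parse_dry_run(log).group_by(&:status).transform_values { |es| es.map(&:name) }
end

# Constructed sample: the first two entries are the ones shown in the slide;
# the example.com/constructed/* entries are made up to exercise the
# update-available and held-back cases, which the slide output does not show.
SAMPLE_DRY_RUN_LOG = <<~LOG
  => cloning into /home/dependabot/dependabot-core/tmp/cli/cli
  => parsing dependency files
  === github.com/AlecAivazis/survey/v2 (2.3.2)
   => checking for updates 1/4
   => latest available version is 2.3.2
   => latest allowed version is 2.3.2 (no update needed as it's already up-to-date)
  === github.com/MakeNowJust/heredoc (1.0.0)
   => checking for updates 2/4
   => latest available version is 1.0.0
   => latest allowed version is 1.0.0 (no update needed as it's already up-to-date)
  === example.com/constructed/needs-bump (1.0.0)
   => checking for updates 3/4
   => latest available version is 1.2.0
   => latest allowed version is 1.2.0
  === example.com/constructed/pinned-back (1.5.0)
   => checking for updates 4/4
   => latest available version is 2.0.0
   => latest allowed version is 1.5.0 (no update needed as it's already up-to-date)
LOG

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE_DRY_RUN_LOG).each do |status, names|
    puts "#{status}: #{names.join(', ')}"
  end
end
```

To run it on real output, pipe the dry-run transcript in and replace `SAMPLE_DRY_RUN_LOG` with `STDIN.read`; entries that come out as `:unknown` are the ones the updater gave up on before printing a verdict, which is usually the first place to look when a private registry is misbehaving.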