Dependabot used to be a separate service that scanned your github repository for outdated dependencies in 3rd party packages and libraries.
This service was acquired by Github and is now integrated into the platform.
It is a free service, and a great way to keep your projects dependencies up to date.
Dependabot will automatically create a pull request to your project to bump any outdated dependencies to the latest version.
As an example project I am using a simple “Hello World” style PHP script that runs in the standard PHP Docker image. And Dependabot will bring the outdated PHP version up to date with.
To verify that the application is compatible with the updated version of PHP a Github actions workflow will run the code with the
So here is what you will learn:
- Create a
hello.phpas the application
- Create a Github Actions workflow to run the above code in Docker
- Enable Dependabot for Docker
This is the simplest
Dockerfile for running a PHP script. The current stable version of PHP is
8.0.7 but I am using a slightly outdated version number. I want to see Dependabot taking action on this outdated version.
Note: Rather than using a specific version I could use the Docker tag
latest to always have the latest version. But this is considered a bad practice.
Before upgrading to the latest version of a dependency, you must run your applications tests.
Without a specific version in the
Dockerfile you cannot run an automated test suite before the upgrade.
This Hello World will not actually print the string “Hello World”, but instead the current PHP version number. Therefore the logs of the actions workflow show if the PHP version has been updated correctly and that the correct
Dockerfile was used.
<? echo phpversion(); ?>
This is a very basic actions workflow that runs on the main branch and also on any pull requests that are made for the main branch.
Github recently updated the default branch name from master to using main. So if you have an older repository, you must change this example to work with the old convention.
name: PHP CI on: push: branches: [ main ] pull_request: branches: [ main ] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Build docker images run: docker build -t local - < Dockerfile - name: Run tests run: docker run -t -v $PWD:/srv -w/srv local php hello.php
This builds the
Dockerfile and runs the code in
hello.php inside that image.
To enable Dependabot you must go to “Insights” on your repository main page.
The setting for Dependabot is hidden under “Dependency Graph”:
You can use the default configuration file that is suggested by Github. Just add “docker” to “package-ecosystem”, Dependabot will find your
For me the
dependabot.yml looks like this:
version: 2 updates: - package-ecosystem: "docker" directory: "/" schedule: interval: "daily"
Now Dependabot is set up and ready to go. It will check your
Dockerfile daily, and creates a pull request to upgrade to the latest stable release of PHP.
And the pull request is verified by the Github actions workflow that I created above.
For me the diff from the commit by the Dependabot looks like this:
Keeping your dependencies up to date is a best practice for software engineering.
If you like this article: I am writing a book about best practices for legacy code projects: