Jimmy B. - Self-Hosting Dependabot via Docker

jimmy · March 22, 2022, 3:28pm

Dependabot is a really neat tool that helps keep your dependencies secure and up to date. It creates pull requests to your Git repositories with the updated dependencies. It works with a wide variety of package managers and languages like NPM/Yarn, Composer, Python, Ruby, Docker, Rust, and Go.

As someone who uses GitHub Enteprise, a little bit of extra work needs to be done in order to self-host Dependabot. After fiddling around with it for a few days, I've finally gotten it working, so I figured it would be worth writing up and sharing with everyone!

My setup consists of a server dedicated to running Docker containers, however any AMD64 system where Docker can run should do the trick. First I cloned the dependabot-script Git repository (I ran this in my /home/jimmy/Developer/github.com/dependabot directory - but you can put it wheverver you'd like):

git clone https://github.com/dependabot/dependabot-script.git

Next, I pulled the dependabot-core Docker image:

docker pull dependabot/dependabot-core

Once the Docker image has been pulled we need to run it to install some dependencies:

docker run -v "$(pwd):/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script dependabot/dependabot-core bundle install -j 3 --path vendor

Make sure you're in the cloned dependabot-script directory (/home/jimmy/Developer/github.com/dependabot/dependabot-script directory for me) when you run that. It shouldn't take very long to run.

Next we need to make a little change to fix an issue which seems to prevent Dependabot from running properly. So let's run this:

docker run -d -v "$(pwd):/home/dependabot/dependabot-script" \
    -w /home/dependabot/dependabot-script \
    dependabot/dependabot-core sleep 300

This will start up Dependabot as a detached container and it'll sleep for 300 seconds before exiting. This should give us enough time to run a couple commands. Once the above command has been run, use the following command to enter into the container:

docker ps |grep dependabot-core # get the id of the container
docker exec -it $containerId bash

You should now be inside your Dependabot container. I was able to find this issue on GitHub which allowed me to fix and run Dependabot without issue. We need to edit the Gemfile - which can be done while inside the container or outside, it's up to you. I initially did it from inside the container, but either works. Since nano wasn't available I had to install that first, I didn't check to see if vi or vim were but if they aren't you can use a similar approach. From within the container I ran:

apt -y update && apt -y install nano
nano Gemfile

I then edited:

gem "dependabot-omnibus", "~> 0.118.8"

to

gem "dependabot-omnibus", "~> 0.130.2"

Save and exit. Then run:

bundle _1.17.3_ install
bundle _1.17.3_ update

Once that was done, I exited the container and attempted to run Dependabot normally.

docker run --rm -v "$(pwd):/home/dependabot/dependabot-script" \
    -w /home/dependabot/dependabot-script \
    -e GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN \
    -e GITHUB_ENTERPRISE_HOSTNAME=$GHE_HOSTNAME \
    -e GITHUB_ENTERPRISE_ACCESS_TOKEN=$GITHUB_ENTERPRISE_ACCESS_TOKEN \
    -e PROJECT_PATH=jimmybrancaccio/emil-scripts \
    -e PACKAGE_MANAGER=composer \
    dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb

I recommend going to GitHub.com and setting up a personal access token (I only checked off the repo checkbox - but even that might not be needed). This allows you to make more requests to the GitHub.com API. Without this I ran into API rate-limiting quickly. If you do create a personal access token for GitHub.com replace $GITHUB_ACCESS_TOKEN with your token, otherwise just remove that whole line. Next you'll want to replace $GHE_HOSTNAME with your actual GitHub Enterprise hostname. You can either replace $GITHUB_ENTERPRISE_ACCESS_TOKEN with a personal access token from your GitHub Enterprise of your own account, or what I did was I created a separate account for Dependabot and generated a personal access token for that account. After that you just need to make sure PROJECT_PATH and PACKAGE_MANAGER have proper values.

I wrote a very simple Bash script with essentially a bunch of those Docker run "blocks". Once for each repository that I wanted Dependabot to monitor. I setup a cronjob for the script to run once a day as well. You can set that part of it up as you see fit though.

Resources

This is a companion discussion topic for the original entry at https://jimmyb.ninja/post/1612803910

codegeek · June 4, 2021, 1:26pm

Thats some awesome piece of work.That's exactly what i was looking for.
I am trying to run with Enterprise Github, any changes required specific to PRROJECT_PATH to make it work?
Can you describe what emil-script here means?
Could you please help me understand the last step , i am getting error while trying to run update script:

/home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.20.0/lib/octokit/repository.rb:92:in `raise_invalid_repository!': "codegeek/gitRepo" is invalid as a repository identifier. Use the user/repo (String) format, or the repository ID (Integer), or a hash containing :repo and :user keys. (Octokit::InvalidRepository)
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.20.0/lib/octokit/repository.rb:34:in `initialize'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.20.0/lib/octokit/repository.rb:58:in `new'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.20.0/lib/octokit/repository.rb:58:in `path'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.20.0/lib/octokit/client/refs.rb:35:in `ref'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/clients/github_with_retries.rb:95:in `public_send'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/clients/github_with_retries.rb:95:in `block in method_missing'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/clients/github_with_retries.rb:115:in `retry_connection_failures'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/clients/github_with_retries.rb:92:in `method_missing'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/clients/github_with_retries.rb:58:in `fetch_commit'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/file_fetchers/base.rb:72:in `commit'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/file_fetchers/base.rb:359:in `_full_specification_for'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/file_fetchers/base.rb:369:in `_fetch_file_content'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/file_fetchers/base.rb:139:in `fetch_file_from_host'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-maven-0.142.0/lib/dependabot/maven/file_fetcher.rb:32:in `pom'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-maven-0.142.0/lib/dependabot/maven/file_fetcher.rb:25:in `fetch_files'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.142.0/lib/dependabot/file_fetchers/base.rb:64:in `files'

jimmy · June 4, 2021, 4:07pm

Hi @codegeek,

This was simply an example using one of my repositories. Your PROJECT_PATH should be the path to your repository, something like $YOUR-USERNAME/$REPO-NAME.

As noted in the error message you're getting:

Use the user/repo (String) format

so it sounds like you've provided an invalid user/repo string.