How to keep your repository dependencies/packages up to date in GitHub?

Anusuya Ramasamy
3 min read · Apr 28, 2021

In a project we typically work with many repositories, and each of them uses a range of packages. Is it possible to keep an eye on all of those repositories for outdated dependencies? Doing it manually would be a tedious task. And once we can spot them, the next question is how to get them updated to the latest versions automatically.

Dependabot solves this problem. It can be used to keep the packages used in a repository at their latest versions, and (through security updates) to patch dependencies that have known vulnerabilities.

How does it work?

Dependabot scans the dependency manifests in a repository (for example requirements.txt for pip) and raises a separate pull request for each outdated dependency.

How to enable Dependabot?

Step 1:

Navigate to the Settings tab of the GitHub repository, click Security & analysis, and enable Dependabot alerts and Dependabot security updates. These two cover dependencies with known vulnerabilities (matched against the GitHub Advisory Database); keeping all dependencies current (version updates) additionally needs the configuration file described in Step 2.

Step 2:

The configuration file for setting up Dependabot is named dependabot.yml and must be placed inside the .github folder at the root of your repository, i.e. at .github/dependabot.yml (the folder name is lowercase).

The configuration file should tell Dependabot the following properties:

  1. package-ecosystem: the kind of dependencies you want to update (for example pip)
  2. directory: where the dependency manifest is located, relative to the repository root
  3. schedule: how often you want Dependabot to look for updates

Dependabot checks for outdated dependencies at the scheduled time and, if any are found, raises a pull request for each outdated dependency.
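Here is a complete .github/dependabot.yml that puts the three properties above together. It is an added example, not a file from the original post: the repository layout (a requirements.txt at the root), the schedule, the label and the dependency name "example-web-framework" are all assumptions for illustration. It also goes one step beyond the post by treating the GitHub Actions used in your workflows as dependencies to keep current, and by holding back major version bumps of one package for manual review.

```yaml
# .github/dependabot.yml
# Added example (not from the original post). Assumes a pip project whose
# requirements.txt lives at the repository root; "example-web-framework" is a
# hypothetical package name used only to show the ignore rule.
version: 2
updates:
  # Python dependencies declared in requirements.txt at the repository root.
  - package-ecosystem: "pip"
    directory: "/"                 # where the manifest lives, relative to the repo root
    schedule:
      interval: "weekly"           # daily | weekly | monthly
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10   # cap the number of open Dependabot PRs
    labels:
      - "dependencies"
    ignore:
      # Major bumps of this (hypothetical) package need a manual migration;
      # let Dependabot raise PRs for its patch and minor releases only.
      - dependency-name: "example-web-framework"
        update-types: ["version-update:semver-major"]

  # The actions referenced in .github/workflows/*.yml are dependencies too;
  # keeping them current closes the same supply-chain gap as stale pip packages.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Each entry under updates is one manifest Dependabot watches; add another entry (with its own directory) for every additional manifest in a monorepo. The open-pull-requests-limit keeps a long-neglected repository from being flooded with dozens of PRs on the first run.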

How to merge the pull requests raised by Dependabot?

There are several ways to merge these pull requests; here is an example of merging them automatically by creating a workflow in GitHub Actions.

The workflow file should also be placed inside the .github folder of your repository, under .github/workflows/.

Workflows triggered by Dependabot pull requests run with a read-only GITHUB_TOKEN by default, and the regular repository secrets are not available to them (Dependabot has its own secrets store). If your workflow needs more than that, you can use the pull_request_target event, but be careful: pull_request_target runs in the context of the base branch with a read/write token and access to secrets, so such a workflow must never check out and execute the code from the pull request head. For the merge job shown here, the safer option is to stay on the pull_request event and raise the GITHUB_TOKEN permissions with the workflow's permissions key.

GitHub lets you prevent merges of unapproved pull requests (branch protection with required reviews), so approving the PR before merging it is the recommended practice. To approve GitHub pull requests automatically, the action used here needs a token, supplied as the ACCESS_TOKEN secret. Give that token only what the approval needs and an expiration date; in many setups the workflow's own GITHUB_TOKEN with pull-requests: write permission is enough, which avoids storing a long-lived personal access token at all.

How to create the personal access token?

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the left sidebar, click Developer settings.
  3. In the left sidebar, click Personal access tokens, then Generate new token.
  4. Give your token a descriptive name and select the scopes (permissions) you want to grant it. The repo scope is what lets the token access repositories from the command line; for this workflow, grant the narrowest set of scopes that allows approving pull requests and set an expiration date rather than creating a token that never expires. Then click Generate token.

How to set up the generated token as a secret in GitHub?

  1. Navigate to the Settings tab of the repository, click Secrets, then New repository secret. Name it ACCESS_TOKEN (the name the workflow references) and paste the generated token as its value.

The workflow.yml file can be modified according to your needs.

Thanks for reading:)
