In this post, learn how Dependabot automates dependency updates, keeping your projects current and secure without the hassle of manual tracking.
Keeping your project dependencies up to date has several advantages:
- Security updates.
- Improved performance.
- Access to the latest features.
- Bug fixes and better stability.
Running this process manually is daunting and repetitive. That’s why GitHub offers a bot, Dependabot, that updates your dependencies automatically. It opens a PR for every outdated dependency; the PR includes the release notes, the changelog, and the relevant commits of the dependency. Here’s an example of a PR opened in one of my open-source projects:
It also includes links where you can review the updated dependency’s information.
Configuring Dependabot for Elixir projects (Mix)
Create a file at .github/dependabot.yml with the following content:
version: 2
updates:
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "daily"
That’s it! Pretty easy, right? If you want to configure private Hex repositories, like Oban Pro, continue reading.
Configuring dependency updates for private repositories (Oban Pro)
We need to use the registries and insecure-external-code-execution configuration options. Setting insecure-external-code-execution to "allow" lets Dependabot execute code from the project’s build files while resolving the private repository; Dependabot denies that by default once a registry is configured, because such code runs with access to the registry credentials. Keep the option on the update entries that actually use a private registry and nowhere else.
You also need to add Oban’s license key and key fingerprint as Dependabot secrets (these are stored separately from Actions secrets; Dependabot cannot read the latter). Here is the guide to adding secrets to Dependabot.
More information about this registry configuration here.
version: 2
registries:
  oban-private-repo:
    type: hex-repository
    repo: oban
    url: https://getoban.pro/repo
    auth-key: ${{ secrets.OBAN_LICENSE_KEY }}
    public-key-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
updates:
  - package-ecosystem: "mix"
    directory: "/"
    insecure-external-code-execution: "allow"
    registries:
      - oban-private-repo
    schedule:
      interval: "daily"
Configuring dependency updates for private packages and organizations
We define a hex-organization registry and use it in our mix update configuration.
version: 2
registries:
  my-hex-org:
    type: hex-organization
    organization: myorganization
    key: ${{ secrets.HEX_ORGANIZATION_API_KEY }}
updates:
  - package-ecosystem: "mix"
    directory: "/"
    insecure-external-code-execution: "allow"
    registries:
      - my-hex-org
    schedule:
      interval: "daily"
Configuring Dependabot for GitHub actions version updates
If you use GitHub workflows, here is a handy Dependabot configuration to update the GitHub Actions you use.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
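A repository gets exactly one .github/dependabot.yml, so the Mix, private-registry and GitHub Actions snippets above end up merged into a single updates list. The script below is an added example, not code from the post or from Dependabot’s own tooling: it builds that merged file from a plain Python dict and lints it for two mistakes that are easy to make when combining snippets, an update entry that references a registry name nobody defined, and a credential pasted as a literal instead of a ${{ secrets.NAME }} reference (which would commit the key to the repository). The config values mirror the post; the lint rules, the credential field names and the serializer are my own assumptions.

```python
"""Merged dependabot.yml builder and linter (added example; not from the post
or from Dependabot's own tooling)."""
import re

# Constructed config: the post's Mix, Oban Pro registry and GitHub Actions
# snippets merged into the one dependabot.yml a repository is allowed to have.
CONFIG = {
    "version": 2,
    "registries": {
        "oban-private-repo": {
            "type": "hex-repository",
            "repo": "oban",
            "url": "https://getoban.pro/repo",
            "auth-key": "${{ secrets.OBAN_LICENSE_KEY }}",
            "public-key-fingerprint": "${{ secrets.OBAN_KEY_FINGERPRINT }}",
        },
    },
    "updates": [
        {
            "package-ecosystem": "mix",
            "directory": "/",
            "insecure-external-code-execution": "allow",
            "registries": ["oban-private-repo"],
            "schedule": {"interval": "daily"},
        },
        {
            "package-ecosystem": "github-actions",
            "directory": "/",
            "schedule": {"interval": "daily"},
        },
    ],
}

# Only the `${{ secrets.NAME }}` form is acceptable for credentials; anything
# else is a literal key that would be committed to the repository.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")
# Assumed set of credential-carrying registry fields to check.
CREDENTIAL_FIELDS = ("auth-key", "key", "token", "password")


def lint(cfg):
    """Return a list of problems found in cfg; an empty list means it passes."""
    problems = []
    if cfg.get("version") != 2:
        problems.append("version must be 2")
    registries = cfg.get("registries", {})
    for name, reg in registries.items():
        for field in CREDENTIAL_FIELDS:
            value = reg.get(field)
            if value is not None and not SECRET_REF.match(str(value)):
                problems.append(
                    f"registry {name}: {field} is a literal; use ${{{{ secrets.NAME }}}}"
                )
    used = set()
    for update in cfg.get("updates", []):
        eco = update.get("package-ecosystem", "<missing package-ecosystem>")
        for ref in update.get("registries", []):
            used.add(ref)
            if ref not in registries:
                problems.append(f"{eco}: references undefined registry {ref}")
    for name in registries:
        if name not in used:
            problems.append(f"registry {name} is defined but never used")
    return problems


def _scalar(value):
    # Quote strings so "/", "${{ ... }}" and URLs are never reinterpreted by YAML.
    return str(value) if isinstance(value, int) else f'"{value}"'


def to_yaml(value, indent=0):
    """Serialize the nested dict/list structure as dependabot.yml lines."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(item, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(item)}")
    else:  # list: dict items become "- key: value" blocks, scalars "- value"
        for item in value:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


if __name__ == "__main__":
    for problem in lint(CONFIG):
        print("PROBLEM:", problem)
    print("\n".join(to_yaml(CONFIG)))
```

Running the script prints the merged file ready to drop into .github/dependabot.yml; lint() returning an empty list is the condition to gate on before committing it, and the undefined-registry check is the one that catches a typo between the registries block and the update entry that uses it.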
Here is an example of Dependabot updating an aws-action (ECR Login):
I’d like to hear about your experiences with dependency management or any tips you have to share! Feel free to drop your thoughts and insights in the comments below.
Happy coding!