
Automatically update your Elixir dependencies

Posted on: 2023-12-29 | 2 min read

Discover the power of effortless Elixir dependency management. In this post, learn about this tool that automates updates, ensuring your projects stay current and secure without the hassle of manual tracking. Streamline your workflow and keep your Elixir applications at their best.

Keeping your project dependencies up to date has several advantages:

Running this process manually can be daunting and repetitive. That’s why GitHub offers a bot (Dependabot) to update your dependencies automatically. It opens a PR for every outdated dependency. The PR includes the release notes, the changelog, and relevant commits of the dependency. Here’s an example of a PR done in one of my open-source projects:

Dependabot PR updating Dialyzer dependency

It includes relevant links where you can see the updated dependency information too.

Configuring Dependabot for Elixir projects (Mix)

Create a file under .github/dependabot.yml with the following content:

version: 2

updates:
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "daily"

That’s it! Pretty easy, right? If you want to configure private hex repositories, like Oban Pro, continue reading.

Configuring dependency updates for private repositories (Oban Pro)

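We need to use the registries and insecure-external-code-execution configuration options. When an updates entry lists registries, Dependabot blocks external code execution by default, so a mix update can fail unless insecure-external-code-execution is set to "allow". With it allowed, code in the manifest runs during the update with access to the configured registries, so list only the registries that entry actually needs.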

You also need to add Oban’s license key and key fingerprint secrets for Dependabot. Here is the guide to adding secrets to Dependabot.

More information about this registry configuration here.

version: 2

registries:
  oban-private-repo:
    type: hex-repository
    repo: oban
    url: https://getoban.pro/repo
    auth-key: ${{ secrets.OBAN_LICENSE_KEY }}
    public-key-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}

updates:
  - package-ecosystem: "mix"
    directory: "/"
    insecure-external-code-execution: "allow"
    registries:
      - oban-private-repo
    schedule:
      interval: "daily"

Configuring dependency updates for private packages and organizations

We define a hex-organization registry and reference it in the mix update configuration.

version: 2

registries:
  my-hex-org:
    type: hex-organization
    organization: myorganization
    key: ${{ secrets.HEX_ORGANIZATION_API_KEY }}

updates:
  - package-ecosystem: "mix"
    directory: "/"
    insecure-external-code-execution: "allow"
    registries:
      - my-hex-org
    schedule:
      interval: "daily"
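
The two private-registry configurations above can be checked before they are committed. The following Ruby script is an added example, not part of the original post or of Dependabot: it flags registry credentials written as literals instead of `${{ secrets.NAME }}` references, non-HTTPS registry URLs, hex-repository entries without a public-key-fingerprint, undefined registry names, and external code execution allowed together with the `"*"` registry wildcard. The rule set, the names `audit_dependabot` and `RISKY`, and the sample input are assumptions of this example.

```ruby
require "yaml"

# Registry fields that carry credentials; each should be a ${{ secrets.NAME }} reference.
CREDENTIAL_KEYS = %w[auth-key key token password].freeze
SECRET_REF = /\A\$\{\{\s*secrets\.\w+\s*\}\}\z/

# Returns a list of findings (strings) for the text of a .github/dependabot.yml file.
# The rules are this example's own hardening checks, not Dependabot's validation.
def audit_dependabot(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  registries = config["registries"] || {}
  findings = []
  registries.each do |name, reg|
    (CREDENTIAL_KEYS & reg.keys).each do |k|
      findings << "registry #{name}: #{k} is a literal value" unless reg[k].to_s.match?(SECRET_REF)
    end
    findings << "registry #{name}: url is not https" if reg["url"] && !reg["url"].start_with?("https://")
    if reg["type"] == "hex-repository" && !reg.key?("public-key-fingerprint")
      findings << "registry #{name}: no public-key-fingerprint set"
    end
  end
  (config["updates"] || []).each do |upd|
    eco = upd["package-ecosystem"]
    used = upd["registries"]
    # "*" means every defined registry; otherwise each listed name must exist.
    (used == "*" ? [] : Array(used)).each do |r|
      findings << "#{eco}: registry #{r} is not defined" unless registries.key?(r)
    end
    next unless upd["insecure-external-code-execution"] == "allow"
    findings << "#{eco}: code execution allowed with every registry (*)" if used == "*"
  end
  findings
end

# Constructed sample input: a literal key and a wildcard registry list.
RISKY = <<~YAML
  version: 2
  registries:
    my-hex-org:
      type: hex-organization
      organization: myorganization
      key: "constructed-literal-key"
  updates:
    - package-ecosystem: "mix"
      directory: "/"
      insecure-external-code-execution: "allow"
      registries: "*"
YAML

puts audit_dependabot(RISKY) if __FILE__ == $PROGRAM_NAME
```

Run against the Oban Pro configuration shown earlier, the script reports nothing; for the constructed sample it reports the literal key and the wildcard.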

Configuring Dependabot for GitHub Actions version updates

If you make use of GitHub’s workflows, here is a handy Dependabot configuration to update the GitHub Actions you use.

version: 2

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

Here is an example of Dependabot updating an aws-action (ECR Login):

Dependabot PR updating GH Action


I’d like to hear about your experiences with dependency management or any tips you have to share! Feel free to drop your thoughts and insights in the comments below.

Happy coding!