Dependabot-core: Missing installation process docs for GitHub Enterprise

Created on 5 Nov 2019 · 13 Comments · Source: dependabot/dependabot-core

I walked through the various repos (dependabot-script, dependabot-core) for Dependabot, but haven't found any suitable documentation that covers the following stuff:

  • How to run Dependabot with self-hosted GitHub, so that I could use it in the same way as I regularly do on GitHub with the UI (e.g. setting up the language, tracked repository)? Do the developers have any Docker containers of Dependabot with a UI (and a database, I guess) for those workflows? If not, is it possible to build this container manually somehow?
  • An example of setting up GitHub Actions for public/private/self-hosted GitHub repositories, so that it triggers the Dependabot generic script for an update periodically, as a cron job.
  • How to set up Dependabot for multiple repositories that could be stored in separate organizations? Should I use the public API but relative to the organization domains for setting up a cron task for the new repository for regular updates?

Could someone clarify these aspects for me, and how to integrate Dependabot with GitHub Enterprise properly?

enterprise

All 13 comments

Much required feature from us.

I would love to see this as well

GitHub should take this seriously as well.

As far as I can tell, the following features of dependabot.com have not been released as part of dependabot-core:

  • Config file parsing/support
  • Scheduled checks
  • dependabot interaction (e.g., replying @dependabot rebase in a PR comment)
  • web UI for authorising with GitHub (Enterprise), selecting repos, etc.

Consequently (again, as far as I can tell), you have to build those parts of the infrastructure yourself if you want to integrate Dependabot with GitHub Enterprise. However, it is possible!

You will need GitHub Enterprise, credentials for a user account that will open the PRs, some kind of job runner with access to your GHE instance (I used Jenkins), and a job executor that can run Docker commands (again, I used Jenkins).

I blogged how I set this up here: https://faithlife.codes/blog/2019/12/integrating-dependabot-with-github-enterprise/

Some package managers are built into the dependabot-script image (e.g., cargo, NuGet, Ruby Gems); others require native helpers to be installed (e.g., Go, PHP, npm). If you're in the latter situation, you'll have to do some additional work beyond what I blogged.

Once GitHub Actions is released for GitHub Enterprise, this will hopefully be a bit easier (it could all be self-contained, and not need Jenkins).

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Still no news about configuring Dependabot for GitHub Enterprise?

Are there any updates on this?

Saw this from Monday: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

Only mention of enterprise was in last paragraph.

Keeping dependencies updated is a crucial part of securing your software supply chain, whether you're working on an open source project _or a large enterprise_. To make that easy, we're sticking to our promise to make all Dependabot features free for every repository on GitHub.

and no mention in the docs https://help.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically

Thanks @joshRpowell; I had missed that blog post.

I've started a topic on GitHub Community: https://github.community/t/dependabot-for-github-enterprise/116870

Feel free to "like" the post if you think that'll help GitHub know this is a popular request.

Duplicate of #2149
