Joker 2019: Tame your dependencies with Dependabot!

What do Maven, NPM and RPM have in common? Dependency hell. Continuously updating dependencies is a significant overhead, and if you do not do it, the next major update may become a problem for you. This is exactly what we hit while adding Java 11 support to Jenkins. What if we delegate such routine work to a bot? In our project we chose Dependabot, and in this talk I would like to give a brief introduction to the tool.

Oleg Nenashev

October 25, 2019

Transcript

  1. © 2019 CloudBees, Inc. All Rights Reserved. Tame your dependencies! Dependabot. Oleg Nenashev (@oleg_nenashev), CloudBees, Inc. St. Petersburg, Oct 25, 2019
  2. > whoami: @oleg_nenashev / oleg-nenashev • Based in Neuchatel, Switzerland • Principal SW Engineer, CloudBees • Jenkins core maintainer
  3. https://jokerconf.com/en/2019/talks/rjhhmugp5tzqbmlmg3mcm/
  4. What's common between Maven, NPM, and RPM?
  5. Dependency Hell
  6. (dependency graph diagram: Lib 1 to Lib 5, Plugin 1 to Plugin 4, + Tool dependencies)
  7. > mvn versions:display-updates ... ? ? ?
  8. What if we automate updates?
  9. Dependabot, Renovate, Greenkeeper, etc.
  10. Dependabot: dependabot.com, acquired by GitHub
  11. Dependabot • CLI tool • SaaS and GitHub App (dependabot.com, acquired by GitHub)
  12. Automatic scans and updates
  13. (slide has no text)
  14. (slide has no text)
  15. Step 1. Enable Dependabot
  16. Step 2. Set up permissions
  17. Step 3. Configure Dependabot
  18. Step 4. Just wait a bit…
  19. Not just pull requests!
  20. Release notes
  21. CommentOps
  22. Configuration-as-Code
  23. Advanced options • Filtering of versions and artifacts • Validated merge • Integration with GitHub security engines
  24. Dependabot in Jenkins • Evaluation started in June 2019 • Enabled in 60+ repositories • 1750+ pull requests • Saves time!
  25. Contacts: E-mail: onenashev@cloudbees.com • GitHub: oleg-nenashev • Twitter: @oleg_nenashev • QUESTIONS?
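The four steps on slides 15 to 18 (enable, set up permissions, configure, wait) and the "Configuration-as-Code" and "Advanced options" slides come together in one file the bot reads from the repository. The following is an added example, not a file from the talk or from any Jenkins repository: it uses the version-1 `.dependabot/config.yml` format that the dependabot.com service accepted in 2019, and the branch name, reviewer, labels and the ignored Jenkins core artifact are illustrative assumptions, chosen to show each of the advanced options from slide 23 (filtering of artifacts, filtering of versions, validated merge).

```yaml
# .dependabot/config.yml (version-1 format of the dependabot.com service, 2019)
version: 1
update_configs:
  # One entry per package manager and directory. A Maven project at the repo root:
  - package_manager: "java:maven"
    directory: "/"
    update_schedule: "weekly"       # live | daily | weekly | monthly
    target_branch: "master"         # assumption: the repository's default branch
    default_reviewers:
      - "oleg-nenashev"             # illustrative; use the team that owns the pom
    default_labels:
      - "dependencies"
    # Filtering of artifacts: only open pull requests for direct dependencies,
    # so transitive (indirect) bumps do not flood the repository.
    allowed_updates:
      - match:
          dependency_type: "direct"
    # Filtering of versions: a Jenkins plugin that deliberately stays on an older
    # core baseline would otherwise get a PR for every core release (illustrative).
    ignored_updates:
      - match:
          dependency_name: "org.jenkins-ci.main:jenkins-core"
          version_requirement: ">= 2.200"
    # Validated merge: merge automatically once the required status checks pass,
    # but only for low-risk classes of update. Everything else waits for a human.
    automerged_updates:
      - match:
          dependency_type: "development"   # test-scope dependencies only
          update_type: "semver:minor"
      - match:
          dependency_type: "all"           # judgement call: patch-level security fixes
          update_type: "security:patch"
    commit_message:
      prefix: "[deps]"

  # Tool dependencies (slide 6) are handled by the same bot: base images in a Dockerfile.
  - package_manager: "docker"
    directory: "/"
    update_schedule: "monthly"
```

The `automerged_updates` block is the security-relevant knob. An automerged update is upstream code landing on the default branch with no human reading the diff, so a compromised or malicious release of a dependency would land the same way; keep the rule to narrow classes (development dependencies, patch-level fixes) and make sure branch protection requires the CI status checks that "validated merge" relies on. Do not write `ignored_updates` rules so broad that they silence security advisories for an artifact. GitHub-native Dependabot later replaced this file with `.github/dependabot.yml` (`version: 2`), which has a different schema and no built-in automerge, so a repository migrating from the 2019 setup has to re-create the merge policy elsewhere, for example in a workflow.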