
Joker 2019: Tame your dependencies with Dependabot!


What do Maven, NPM and RPM have in common? Dependency hell. Continuously updating dependencies is a significant overhead, but if you do not do it, the next major update may become a problem for you. That is exactly what we hit while adding Java 11 support to Jenkins. What if we delegate such routine work to a bot? In our project we chose Dependabot, and in this talk I would like to give a brief introduction to the tool.

Oleg Nenashev

October 25, 2019


Transcript

  1. © 2019 CloudBees, Inc. All Rights Reserved.
    Tame your dependencies!
    Dependabot
    Oleg Nenashev (@oleg_nenashev)
    CloudBees, Inc.
    St. Petersburg, Oct 25, 2019

  2. > whoami
    @oleg_nenashev
    oleg-nenashev
    • Based in Neuchatel, Switzerland
    • Principal SW Engineer, CloudBees
    • Jenkins core maintainer

  3. https://jokerconf.com/en/2019/talks/rjhhmugp5tzqbmlmg3mcm/

  4. What’s common between Maven, NPM, and RPM?

  5. Dependency Hell

  6. [Diagram: Lib 1, Lib 2, Lib 3, Lib 4, Lib 5; Plugin 1, Plugin 2, Plugin 3, Plugin 4]
    + Tool dependencies

  7. > mvn versions:display-updates
    ...
    ? ? ?

  8. What if we automate updates?

  9. Dependabot, Renovate, Greenkeeper, etc.

  10. Dependabot
    dependabot.com, acquired by GitHub

  11. Dependabot
    ● CLI tool
    ● SaaS and GitHub App
    dependabot.com, acquired by GitHub

  12. Automatic scans and updates

  13.

  14.

  15. Step 1. Enable Dependabot

  16. Step 2. Set up permissions

  17. Step 3. Configure Dependabot

  18. Step 4. Just wait a bit…

  19. Not just pull requests!

  20. Release notes

  21. CommentOps

  22. Configuration-as-Code

  23. Advanced options
    ● Filtering of versions and artifacts
    ● Validated merge
    ● Integration with GitHub security engines
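As an added example (not from the slides or the Jenkins project), here is what the configuration-as-code and version filtering from slides 22 and 23 look like in a `.github/dependabot.yml`, using the v2 format GitHub adopted after acquiring Dependabot, for a Maven build such as a Jenkins plugin. The artifact coordinates, reviewer name and label are placeholders; the `ignore` rule is the "filtering of versions and artifacts" option, here used to stop the bot from proposing a major bump that would need a manual migration.

```yaml
# Added example: .github/dependabot.yml in Dependabot's v2 format.
# Placeholder names (org.example:*, example-maintainer) are not real artifacts.
version: 2
updates:
  # Maven build at the repository root (the pom.xml of a Jenkins plugin).
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Keep the PR flood manageable: at most this many update PRs open at once.
    open-pull-requests-limit: 5
    # Label every bot PR so CI and reviewers can route it (placeholder label).
    labels:
      - "dependencies"
    # Placeholder reviewer who validates the change before merge.
    reviewers:
      - "example-maintainer"
    # Filtering of versions and artifacts: this placeholder artifact is only
    # updated within its current major version; major bumps are left to humans.
    ignore:
      - dependency-name: "org.example:legacy-api"
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "deps"

  # The "tool dependencies" of slide 6: also track the GitHub Actions
  # workflows the repository runs, so the build tooling is updated too.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once this file is committed, Dependabot opens the pull requests described in Step 4, and any version it should never propose is expressed in `ignore` rather than by closing PRs by hand.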

  24. Dependabot in Jenkins
    • Evaluation started in June 2019
    • Enabled in 60+ repositories
    • 1750+ pull requests
    • Saves time!

  25. Contacts:
    E-mail: [email protected]
    GitHub: oleg-nenashev
    Twitter: @oleg_nenashev
    QUESTIONS?