I'm using GitHub dependabot.yml, version 2.
version: 2
updates:
# Nuget Packages
- package-ecosystem: "nuget"
directory: "/"
schedule:
interval: "monthly"
I am trying to figure out if there is any possibility to configure it that the dependencies will be updated only if they include security fixes as it can be done for the version 1
version: 1
update_configs:
- package_manager: "dotnet:nuget"
directory: "/"
update_schedule: "monthly"
allowed_updates:
- match:
update_type: "security"
Let me know if you had the same issue and how you resolved it.
Thanks
According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:
open-pull-requests-limit: 0
This means it will only create security updates.
Yeah, I was having the same problem, then I found out something like this github community thread.
I remembered where I saw this. When using the original dependabot from the marketplace one configuration option is to only perform security updates. I have that set from one of my repositories. There is now an option in the original dependabot to generate a dependabot.yml configuration file using the settings configured in the original dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:
You’re using unsupported features
This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page 18.
It sounds like in dependabot v2, they have separated out the security updates into UI config, this is as bad as the GitHub action secret. But looks like you don't need dependabot to config security patches for dependencies anymore.
Let me know if that helps.
Related
I am trying to configure dependabot.yml to get security updates for GitHub Actions.
I followed the Configuring Dependabot security updates documentation. During the configuration I had the following issues:
I did not understand if I need to enable in Code security and analysis the Dependabot alerts and Dependabot security updates along with creating the dependabot.yml.
I did not understand why Dependabot was not able to identify the security vulnerability in my action. I am testing with some-natalie/ghas-to-csv#v1 action, which has a GHSA.
I did not understand from About Dependabot security updates documentation what is the frequency that the vulnerabilities are checked and turned into alerts / PRs.
Perhaps the configuration did not work (yet) because Dependabot has not even identified the vulnerability, therefore has not created the updating PR.
Can you help me understand why is my configuration not working? Or if it's not supported?
All Dependabot features build on top of the Software Composition Analysis feature (first button to enable in that list) and that is the reason why that needs to be enabled.
It then checks ONLY the dependencies of your repo that it finds through parsing the manifest files in the repos
For security alerts and PRs you do not need to commit a Dependabot.yml file. That file is only needed for version updates.
Lastly Dependabot does not check security vulnerabilities in your code, only for dependencies! If you want to run static code analysis on your own code, you try CodeQL and other SAST tools (static code analysis tools.
We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure DevOps for builds).
There is no clear hint in the docs (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) to do this.
We already tried to exclude dependabot branches, but that does not work in any form.
# Azure DevOps Excludes
pr:
autoCancel: "true"
branches:
exclude:
- dependabot/*
- dependabot/**/*
We also found the hint on Stack Overflow to set the limit to 0, but still PRs are created
version: 2
updates:
- directory: "/"
open-pull-requests-limit: 0
Any possibility to use Dependabot just as information source?
Go to Security -> Dependabot -> Configure -> Manage Repository Vulnerability Settings. (This should take you to a URL like https://github.com/yourusername/yourreponame/settings/security_analysis.)
Leave the "Dependabot alerts" setting enabled but ensure the "Dependabot version updates" setting is disabled.
If you've previously enabled "Dependabot version updates", you'll have a .github/dependabot.yml file in your repo, whose purpose is to configure Dependabot's automatic updates. To disable them, delete dependabot.yml.
In pictures:
You will now still be able to view security alerts about your dependencies on GitHub, but Dependabot will not open PRs for them.
By default, Dependabot will automatically reset pull requests to resolve any conflicts. If you prefer to handle merge conflicts manually, you can disable this feature with the rebase-strategy option.
For rebase strategies, using disabled to disable automatic rebasing.
Setting this option will also affect pull requests for security updates to this package manager's manifest file, unless you use target-branch to check for version updates on non-default branches.
For rebase-strategy example,
version: 2
updates:
- directory: "/"
schedule:
interval: "daily"
# Disable Dependabot pull requests
rebase-strategy: "disabled"
Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?
https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
The configuration file is necessary so that Dependabot knows which environments to update. This is a minimalist example from the GitHub documentation to update the dependencies of the GitHub Actions on a daily basis:
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
# Check for updates to GitHub Actions every weekday
interval: "daily"
You can also see the necessary configurations in the table of the GitHub documentation.
Technically dependabot.yml is not required - if you turn on dependabot from GitHub project settings / security, it'll start working. I turned on https://github.com/coreinfrastructure/best-practices-badge without a YAML file and it worked.
HOWEVER, it's not obvious to others that dependabot is being used if there's no dependabot.yml file, and that's a problem. For example, the OpenSSF scorecard looks for the dependabot.yml file to determine if your project is using dependabot to keep things up to date. It's important to have your dependencies up-to-date, yes, but it's also important that your potential users know that you're keeping things up-to-date. So for full transparency it's better to have the configuration file posted within the source repo.
It'll also give you more control.
This seems to be one of the more important, but less understood and documented features of GH and Jenkins, which seems to defeat the purpose of CI entirely ...
I'm trying to setup a simple, "kick off a build when a pull request is opened" Job in Jenkins. I've scanned though dozens of posts, some several years old, but have yet to find a solution that actually works, start-to-finish. I'm using GH 2.15.4 and Jenkins 2.89.3 with the GH Pull Request Builder plug-in. I've tried setting up a pipeline job, and a freestyle project, following various "how to" posts and docs. Nothing works as expected. Not even close. I've managed to get some functionality working, but not without a lot of trial-and-error experimenting, which doesn't leave me with a warm-fuzzy in using it. Webhooks are equally worthless in accomplishing what is needed, as nothing seems to fire off a job in Jenkins, regardless of how it is configured.
For starters, are there any references or docs that explain what the following status checks are that are automatically created by Jenkins:
continuous-integration/jenkins/branch
continuous-integration/jenkins/pr-head
continuous-integration/jenkins/pr-merge
Apparently there is no way to delete or edit these ... they just "appear" courtesy of Jenkins. I've seen some discussions, but some explanations contradict one another, so they may just be outdated, inaccurate, etc. I want to know "what does what" so I know which should be 'required' as part of the PR status check.
Any pointers would be appreciated!
I agree, this problem is tricky because Jenkins and its plugins have changed so much throughout the years. Let me tell you how I accomplished what you're asking for. I will post all of my version numbers (mostly up to date).
Jenkins Version: 2.176.1 (java -jar /usr/share/jenkins/jenkins.war --version)
Plugins
github 1.29.4
github-api 1.9
github-branch-source 2.5.3
github-pullrequest 0.2.5
pipeline-github-lib 1.0
Also, I use the Blue Ocean interface, which might affect things (who knows)
blueocean 1.17.0
blueocean-git-pipeline 1.17.0
blueocean-github-pipeline 1.17.0
Github Webhooks
First off, set up webhooks for your system. This is a good guide for Github Webhooks
Go to your Github repository and click on the Settings tab. Then select 'Webhooks' in the left menu:
The URL of my Jenkins setup is https://jenkinsci.dorian.com. So, in the 'Payload URL' box, I put https://jenkinsci.dorian.com/github-webhook/
I left the settings as "application/json" and "send me everything" and "active"
The Webhooks area has a handy 'Recent Deliveries' section which can show you if your webhooks are making it to Jenkins. At first, I had the wrong URL so mine has red Xs next to them. Now, they're all green checkmarks.
Github Access Token
Many guides suggest that you provide Jenkins with a personal access token to communicate with your repo. To do that, go to your account avatar in the top right and select Settings -> Developer Settings -> Personal access tokens->Generate Token
Put whatever you want for the description. Under 'select scopes', if you just want it to work, select every checkbox in the list.
I selected:
repo:status
write:repo_hook
read:repo_hook
admin:org_hook
Click save and you'll be shown your secret key. Copy this somewhere safe (we'll use it soon).
Configuring Jenkins
Now for the hard part. Try and install all of the plugins I've listed above.
Go to Jenkins-Manage Jenkins->Configure System
Locate the Github section and click Add Github Server
Name: Github
Api URL: https://api.github.com
Manage Hooks: true
Under credentials, click "Add." You'll be brought to a menu. Select "Secret Text"
Scope: Global
Secret: paste your access token from earlier
ID: (I left this blank)
Description: DorianGithubCreds
Hit save. Then, select DorianGithubCreds from the credentials list.
To test, hit "Test Connection." Mine returns 'Credentials verified for user dnrahamim', rate limit: 4998
Now go down to Github Pull Request Builder
GitHub Server API URL: https://api.github.com
Jenkins URL override: (blank)
Shared Secret: (blank)
Credentials: DorianGithubCreds
Auto-manage webhooks: true
Everything else is blank
Configure Job
Go to the job that should be building your repo
Select 'Configure' in the left menu
Under Projects->Github Organization
Credentials: DorianGithubCreds
Owner: Dorian
Behaviors:
Discover branches
Strategy: Exclude branches that are also filed as PRs
Discover pull requests from origin
Strategy: Merging the pull request with the current target branch revision
Discover pull requests from forks
Strategy: Merging the pull request with the current target branch revision
Trust: From users with Admin or Write permission
Project Recognizers
Pipeline Jenkinsfile
Path: Jenkinsfile (my Jenkinsfile is in the project root)
Build Strategies: (intentionally blank)
Notifications
Now, when I do a pull request, or whenever I post a change to a pull request, Jenkins run a fresh build for that branch.
The Pull Request itself in Github also lists its "Status Checks" at the bottom. When the build is pending, the status check is yellow. If it succeeds it gets a green checkmark. If it fails, it gets a red X.
I initially had a problem because I had an old Jenkins box which was also configured to manage Github webhooks and build pull requests. Its builds were failing so its notifications were the ones getting through to my pull request. I fixed that problem by preventing that old Jenkins box from building my newest branches. Once the old Jenkins box stopped building, the notifications from the new Jenkins box made it through to Github.
Wrapping up
That's it! That's everything I intentionally configured. Please try out my configuration and see if it works for you. Let me know if I left anything out.
The hard part with configuring Jenkins with Github is that, although there are many guides, the suggestions often conflict with each other and very many are out of date (sometimes even official documentation is out of date).
Nonetheless, here are some Resources:
This is a good guide for Github Webhooks
Github's Whitepaper on CI with Jenkins (It doesn't explain much in detail but it gives a good overview)
Github pull request builder plugin
Semi-official SO post for showing build status on Github repo
GitHub has "add webhook" feature which is accessible in the repository settings --> Webhooks section. This has 4 inputs
1. Payload URl - Enter the Jenkins url
2. Content Type - application/json
3. Secret - this is optional if you want to configure secret
4. Which events would you like to trigger this webhook? - select the option "Let me select individual events"
Bunch of checkbox options are visible, check "Pull requests" option. This option will send a request to Jenkins when Pull request is opened
Next step is create a job in Jenkins which will listen to GitHub events and kick off the build
My TeamCity CI has the plugin GitHub Commit Hooks provided by Jetbrains to detect new pull requests and trigger a run. I've installed this plugin and configured it clicking here:
After that, the web hook is created on GitHub but the address is 0000:8111 which is wrong. So I change to the correct DNS and redeliver the request.
It seems to work, the server returns 202 with the message Scheduled checking for changes for 2 VCS roots. (Server time: 20180615T122359.142+0100) but the trigger is not working.
After a while another problem happens, the server starts rejecting the requests and GitHub returns this:
No stored auth data (secret key) found for public key "72WE45221-19fe-433b-9265-66b2168EW6c". Seems hook created not by this TeamCity server. Reinstall hook via TeamCity UI.
Environment:
TeamCity version: 2017.2.4 (build 51228)
GitHub Commit Hooks version: 62
What I can do to solve this issue? Is there any issue with my DNS?
EDIT 1:
Now I am able to trigger the build by commits and solved the secret key issue. But pull requests are not triggering the CI.
To solve the secret key issue, you need to change the Server URL on Global Settings.
A bit of a workaround, but have you tried using a VCS trigger to detect and build pull requests rather than a commit hook? This works the same as any other VCS check in trigger, so if your current configuration is already detecting VCS changes from Github it should be more straightforward to setup.
Pull requests on Github are automatically referenced using the following pattern +:refs/pull/*/head so with a VCS branch specification you can have a TeamCity build project that's dedicated to building pull requests.
See https://blog.jetbrains.com/teamcity/2013/02/automatically-building-pull-requests-from-github-with-teamcity/
I had a similar issue; the solution is to change the TC installation's settings so it's aware of its correct URL, and then re-adding the webhook through the plugin. The setting in question is Administration > Server Administration > Global Settings > Server Url: