How to enable Dependabot for GitHub Actions version updates

How to test in a local dev environment

  1. Clone the repo-tools repository locally.

  2. Find the script to use in edx_repo_tools/

  3. The script adds a dependabot.yml to the .github folder if one is not already present.

  4. If the configuration file already exists but does not include the github-actions ecosystem, the script appends a new github-actions ecosystem entry to it.

  5. To test it locally, the repo-tools repository itself can be used as the target, since it already has a .github folder.

  6. Activate the repo-tools virtual environment and install all dependencies.

  7. Change to the root of the test repo in which the script needs to be run.

  8. Then run the following command to test; it should add a new dependabot.yml:

    python PATH_TO_REPO_TOOLS_DIR/edx_repo_tools/
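The following is an added example that is not the edx-repo-tools implementation. It reproduces the behaviour described in steps 3 and 4 (create .github/dependabot.yml if absent, otherwise append the github-actions ecosystem only if it is missing) and the reviewer override described under the bulk job section below. The entry shape it writes (directory "/", weekly interval), the function names, the reviewer format check and the --repo-root option are assumptions; the page does not state what the real script writes.

```python
"""Added example, not the edx_repo_tools script: create-or-append logic for the
github-actions ecosystem in dependabot.yml, plus the --reviewer override."""
import argparse
import copy
import os
import re
from typing import Optional

try:
    import yaml  # PyYAML, only needed for reading/writing the file on disk
except ImportError:  # the dict-level logic below still works without it
    yaml = None

ECOSYSTEM = "github-actions"

# Assumed defaults for the new entry: directory and schedule.interval are the
# required keys of a dependabot.yml v2 'updates' item.
DEFAULT_ENTRY = {
    "package-ecosystem": ECOSYSTEM,
    "directory": "/",
    "schedule": {"interval": "weekly"},
}

# Assumed format check: a GitHub username, or org-name/team-name for a team.
REVIEWER_RE = re.compile(r"^[A-Za-z0-9-]+(/[A-Za-z0-9_.-]+)?$")


def validate_reviewer(reviewer: str) -> str:
    """Reject values that cannot be a GitHub user or org/team before they land in a PR."""
    if not REVIEWER_RE.match(reviewer):
        raise ValueError(f"invalid reviewer {reviewer!r}: expected a username or org-name/team-name")
    return reviewer


def add_github_actions_ecosystem(config: Optional[dict], reviewer: Optional[str] = None) -> dict:
    """Return a new config dict that has a github-actions entry under 'updates'.

    - no config yet   -> build a fresh version 2 config with one entry
    - entry missing   -> append the default entry, leaving other ecosystems alone
    - entry present   -> keep it as-is
    - reviewer given  -> set 'reviewers' on the entry, replacing any existing list
    The input dict is never mutated, so callers can diff old against new.
    """
    new = copy.deepcopy(config) if config else {"version": 2, "updates": []}
    updates = new.get("updates") or []  # tolerate an empty 'updates:' key
    new["updates"] = updates
    entry = next((u for u in updates if u.get("package-ecosystem") == ECOSYSTEM), None)
    if entry is None:
        entry = copy.deepcopy(DEFAULT_ENTRY)
        updates.append(entry)
    if reviewer:
        entry["reviewers"] = [validate_reviewer(reviewer)]
    return new


def ensure_dependabot_yml(repo_root: str, reviewer: Optional[str] = None) -> bool:
    """Create or update <repo_root>/.github/dependabot.yml. Returns True if the file changed."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to read and write dependabot.yml")
    path = os.path.join(repo_root, ".github", "dependabot.yml")
    existing = None
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = yaml.safe_load(fh)
    updated = add_github_actions_ecosystem(existing, reviewer)
    if updated == existing:
        return False  # nothing to do, so a bulk run should open no PR for this repo
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        yaml.safe_dump(updated, fh, sort_keys=False)
    return True


def main() -> None:
    # Mirrors the command shape on the page: run from the repo root, optionally
    # with --reviewer "openedx/arbi-bom". --repo-root is an assumed convenience flag.
    parser = argparse.ArgumentParser(description="add a github-actions ecosystem to dependabot.yml")
    parser.add_argument("--reviewer", help="GitHub username or org-name/team-name")
    parser.add_argument("--repo-root", default=os.getcwd())
    args = parser.parse_args()
    changed = ensure_dependabot_yml(args.repo_root, args.reviewer)
    print("dependabot.yml updated" if changed else "dependabot.yml already up to date")


if __name__ == "__main__":
    main()
```

Running it from the root of a checkout with no .github/dependabot.yml produces a file with version 2 and a single github-actions entry; running it again reports the file as already up to date, which is the property a bulk run relies on to avoid opening empty PRs.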

How to run it for bulk repositories using the bulk job workflow

  • Create a list of the repositories whose configuration needs to be updated to enable the Dependabot checks.

  • Go to the Bulk Job Workflow to run the dependabot_yml script on your desired repositories.

  • Pass the list of repositories separated by commas, for example “edx-platform”, “terraform”.

  • Pass the console command that runs the script in the script field.

  • Pass edx-repo-tools as the required package to be installed in the parameters.

  • To add a reviewer field to the dependabot github-actions ecosystem entry, pass the following console command instead. It adds a new reviewer section to the config and overrides any reviewer that is already present. The reviewer can be any valid GitHub username, or the name of a team in the format org-name/team-name (for example openedx/arbi-bom):

    add_dependabot_ecosystem --reviewer "openedx/arbi-bom"

  • Triggering the job now runs the script for all listed repositories one by one and opens a separate PR for each repository.

  • See the following screenshot for an example run of the bulk job.