Scope: This project focuses purely on JavaScript and, sure, Typescript 😎 but the same patterns could be applied to other languages and/or systems.
Dependabot is great! Why did I learn how I could replace it?
Over the past 2 years, my beloved tool for updating dependencies seems to be focused on other features, like security alerts, or has abandoned features I used every day, like it's Github app and app interfaces. At the very least, it hasn't provided easy ways to update dependencies for 2 features which are fairly standard for JavaScript development—pnpm and monorepos.
Well, first off. This Gist is written from the context of code, using Git, and using code libraries which excel the capability of code. If this is not clear or of interest to you, stop reading now!
Dependabot is tool for managing coding project dependencies that are maintained in a git service. Mainly Github. This is important for security and keeping code up to date! Dependabot does this using release, cron, or other events which are performed by git management tools (Github for this Gist). When a git management tool event triggers Dependabot to update dependencies, Dependabot does this specked to a yml file configuration, where is runs update commands and will create an update pull request if there are updates.
In the paragraph above, I mentioned how Dependabot works. It perfects tasks based on git management events. The cool thing is we can use those events too—just like Dependabot.
To build our own Dependabot in 5 mins, let's use cron and a github action like so:
name: update dependencies
on:
schedule:
# This will run at 5am on Monday's
- cron: '0 5 * * 1'
# The cron reference below is for every 5 minutes (useful for debugging)
# - cron: '*/5 * * * *'Cool. Now we are using a Github Action to run a cron job in a time range that we control!
Next up, we'll want to update our dependencies. For this I'm using pnpm—but npm and yarn work the same. Use what you like!
...
steps:
- uses: actions/checkout@v3
- uses: pnpm/[email protected]
with:
version: latest
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'
- run: pnpm install --no-frozen-lockfile
- run: pnpm updateLastly, we'll want to create a PR with our updates. For this, the fastest way is using Peter Evans Create Pull Request Action.
You could build this yourself using the Github API. You can also replicate this functionality using the GH cli but that will take a bit more than 5 minutes.
...
- name: Create Pull Request
uses: peter-evans/create-pull-request@v4
with:
token: ${{ secrets.PR_CREATE_TOKEN }}
commit-message: Update dependencies
title: "[dependencies] update dependencies"
body: |
## Dependency updates
Auto-generated using [create-pull-request][2]
[1]: https://github.com/<org/user name>/<repo name>
[2]: https://github.com/peter-evans/create-pull-request
branch: update-dependenciesQuick note: You'll notice there is a required token in order to be able to create a pull request. That might be another Gist but here's a link for now!
name: update dependencies
on:
schedule:
- cron: '0 5 * * 1'
# - cron: '*/5 * * * *'
jobs:
udpate-deps:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [16.x]
steps:
- uses: actions/checkout@v3
- uses: pnpm/[email protected]
with:
version: latest
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'
- run: pnpm install --no-frozen-lockfile
- run: pnpm update
- name: Create Pull Request
uses: peter-evans/create-pull-request@v4
with:
token: ${{ secrets.PR_CREATE_TOKEN }}
commit-message: Update dependencies
title: "update dependencies"
body: |
## Dependency updates
[1]: https://github.com/<org/user name>/<repo name>
[2]: https://github.com/peter-evans/create-pull-request
branch: update-dependenciesThis Gist is in progress! More to come!