Automating Dependency Updates with DuneBot

Overview

DuneBot is a GitHub application developed to enhance automation around dependency management by working alongside Dependabot. It’s designed to streamline the approval and merging of dependency update pull requests (PRs) by applying custom rules that determine which PRs are safe to merge automatically. With features like merge-after-age, DuneBot ensures that dependencies stay current while allowing for an appropriate waiting period, enhancing both efficiency and control.

Key Features

  1. Dependabot Integration:
    DuneBot is built to handle the high volume of PRs generated by Dependabot, especially in large-scale projects. As part of an initiative, Dependabot was enabled in over 100 repositories, creating nearly 6,000 PRs since the program’s inception. DuneBot’s integration helps manage this workload by assessing, approving, and merging PRs, reducing the manual intervention teams would otherwise need.

  2. Customizable Approval Rules:
    DuneBot allows teams to define a set of global and repository-specific rules through a YAML configuration file. These rules let DuneBot assess whether a PR meets certain criteria before automatically approving and merging it. In the absence of a repository-specific configuration, DuneBot follows the global settings stored in a central GitHub repository.

  3. Merge-After-Age Option:
    An additional safety feature of DuneBot is its ability to wait for a predefined “age” period before merging a PR. This delay allows time for testing, review, or simply ensuring no breaking changes arise from the new version; it also gives the ecosystem a window in which a compromised or malicious release can be reported and yanked before the bot merges it. The threshold can be adjusted per repository, giving teams the flexibility to maintain stability even with automated dependency updates.

  4. GitHub Actions Support:
    DuneBot’s rules can be tailored to handle PRs involving GitHub Actions, using branch and label conventions to ensure that only safe updates are approved. For instance, automatic approval can be restricted to minor or patch updates. Stricter rules are reasonable here, because a workflow update changes code that runs with the repository’s CI credentials.

How to Get Started with DuneBot

  1. Enable DuneBot on GitHub Repositories:
    DuneBot can be installed at the organization level, with individual repositories selected in the GitHub App’s installation settings.

  2. Define Global Rules:
    Define rules in the .github/dunebot.yaml file of a central repository. For instance, automatic merging can be set for minor updates, GitHub Actions updates, or other predefined categories.

  3. Repository-Specific Configurations:
    When needed, repository-specific configurations can override global rules by creating a dunebot.yaml file in the target repository. This approach allows custom behaviors and control over DuneBot’s operations for individual projects.

  4. Implementing Merge-After-Age:
    Set up age-based merging by adding an age threshold to the DuneBot configuration. This threshold tells DuneBot to wait a specified period before merging, giving time for any testing or CI/CD validation processes.

Pull Request Processing

DuneBot handles pull requests in two steps:

  1. Webhook Event Processing:
    When Dependabot creates or updates a PR, GitHub sends DuneBot a webhook event. DuneBot checks the PR against the configured rules and stops there if the PR does not qualify. This handler is also where the webhook payload’s signature should be verified, since everything downstream trusts its contents.

  2. Asynchronous Approval and Merging:
    Qualifying PRs are placed in an in-memory queue for final processing (so queued work does not survive a restart of the service). This step includes checks for branch rules, labels, and additional validation, including the merge-after-age threshold, before applying approvals and merges.
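The following is an added example, not DuneBot’s own code, showing the two-step pipeline above end to end for the features described earlier: webhook signature verification (GitHub’s real `X-Hub-Signature-256` header), a global rule set with a repository-specific override, a stricter rule for `github_actions`-labelled PRs, and the merge-after-age gate. The YAML keys (`allowed_authors`, `auto_merge_updates`, `github_actions_updates`, `merge_after_age`), the function names, and the sample PRs are assumptions made for this example; the rule dictionaries stand in for the parsed contents of `dunebot.yaml`, and update kind is derived from Dependabot’s “Bump X from A to B” title rather than any DuneBot-specific metadata.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical parsed contents of the central .github/dunebot.yaml (global
# rules) and a repository-local dunebot.yaml (override). The real schema is
# not shown on the page; these keys are assumptions for the example.
GLOBAL_RULES = {
    "allowed_authors": ["dependabot[bot]"],
    "auto_merge_updates": ["minor", "patch"],
    "github_actions_updates": ["patch"],   # workflow pins: stricter rule
    "merge_after_age": "3d",
}
REPO_OVERRIDE = {"merge_after_age": "7d"}  # this repo wants a longer soak

BUMP_RE = re.compile(r"^Bump (\S+) from (\d+(?:\.\d+)*) to (\d+(?:\.\d+)*)")


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC of body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Authenticate the raw body before trusting anything in the payload.
    Constant-time compare so a forged header can't be brute-forced byte-wise."""
    return hmac.compare_digest(sign_webhook(secret, body), signature_header or "")


def effective_rules(global_rules: dict, repo_rules: Optional[dict]) -> dict:
    """Repository-specific keys win; anything unset falls back to global."""
    return {**global_rules, **(repo_rules or {})}


def parse_age(spec: str) -> timedelta:
    """'3d', '12h' or '30m' -> timedelta; anything else is a config error."""
    units = {"d": "days", "h": "hours", "m": "minutes"}
    m = re.fullmatch(r"(\d+)([dhm])", spec)
    if not m:
        raise ValueError(f"bad merge_after_age {spec!r}")
    return timedelta(**{units[m.group(2)]: int(m.group(1))})


def bump_kind(title: str) -> Optional[str]:
    """Classify a 'Bump X from A to B' title as major/minor/patch. Grouped or
    unparsable titles return None so the caller skips instead of guessing."""
    m = BUMP_RE.match(title)
    if not m:
        return None
    old = [int(x) for x in m.group(2).split(".")] + [0, 0, 0]
    new = [int(x) for x in m.group(3).split(".")] + [0, 0, 0]
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def decide(pr: dict, rules: dict, now: datetime) -> Tuple[str, str]:
    """Step 1 (webhook): eligibility against the rules. Step 2 (queue): the
    age gate. Returns (action, reason) with action in skip / wait / merge."""
    if pr["user"] not in rules["allowed_authors"]:
        return "skip", "author is not Dependabot"
    kind = bump_kind(pr["title"])
    if kind is None:
        return "skip", "could not classify update"
    is_action = "github_actions" in pr.get("labels", [])
    allowed = rules["github_actions_updates"] if is_action else rules["auto_merge_updates"]
    if kind not in allowed:
        return "skip", f"{kind} update is not auto-mergeable here"
    created = datetime.fromisoformat(pr["created_at"].replace("Z", "+00:00"))
    if now - created < parse_age(rules["merge_after_age"]):
        return "wait", f"younger than {rules['merge_after_age']}"
    return "merge", f"{kind} update aged {(now - created).days}d"


# Constructed sample PRs (the fields a webhook payload would carry), not real data.
NOW = datetime(2024, 11, 10, tzinfo=timezone.utc)
SAMPLE_PRS = [
    {"user": "dependabot[bot]", "title": "Bump lodash from 4.17.20 to 4.17.21",
     "labels": ["dependencies", "javascript"], "created_at": "2024-11-01T00:00:00Z"},
    {"user": "dependabot[bot]", "title": "Bump actions/checkout from 4.1.0 to 4.2.0",
     "labels": ["dependencies", "github_actions"], "created_at": "2024-11-01T00:00:00Z"},
    {"user": "dependabot[bot]", "title": "Bump django from 4.2.0 to 5.0.0",
     "labels": ["dependencies", "python"], "created_at": "2024-11-01T00:00:00Z"},
    {"user": "dependabot[bot]", "title": "Bump requests from 2.31.0 to 2.32.0",
     "labels": ["dependencies", "python"], "created_at": "2024-11-08T00:00:00Z"},
    {"user": "mallory", "title": "Bump lodash from 4.17.20 to 4.17.21",
     "labels": ["dependencies"], "created_at": "2024-11-01T00:00:00Z"},
]


def run_samples(rules: Optional[dict] = None) -> list:
    rules = rules or effective_rules(GLOBAL_RULES, REPO_OVERRIDE)
    return [decide(pr, rules, NOW)[0] for pr in SAMPLE_PRS]


if __name__ == "__main__":
    for pr, action in zip(SAMPLE_PRS, run_samples()):
        print(f"{action:5}  {pr['title']}")
```

With the repository override in force, the 9-day-old lodash patch merges, the Actions minor bump and the Django major bump are skipped, the 2-day-old requests minor bump waits, and the PR from a non-Dependabot author is skipped outright. Dropping the override (or lowering `merge_after_age` to `1d`) lets the requests PR merge, which is exactly the per-repository control the age option is meant to give.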

Token Service for Authentication

For approvals requiring repository permissions, DuneBot can request GitHub user tokens via OAuth, storing and refreshing them as needed. Tokens are kept in Kubernetes Secrets, giving the bot a secure path to the GitHub API. Because such a token acts with the granting user’s permissions, it should be requested with the minimum OAuth scopes the approval needs, kept out of logs, and revoked when that user leaves.

Future Enhancements

Future plans for DuneBot include expanding support for more configuration options and custom workflows, as well as potentially adding more granular waiting periods for different types of PRs.

DuneBot offers a practical solution for dependency management by enabling automation without sacrificing control. With its seamless integration with Dependabot and flexible merging options, DuneBot is an essential tool for keeping dependencies up-to-date, reliable, and secure.



Written on November 10, 2024