[Question] How do I use the existing yml CI along with dependabot yml ?

[Hoang-Minh]

This is not really a bug. It's more like a question that I have.
I currently have an existing yml in a specific folder for CI build. Every time a PR (change) is checked in, we will trigger the CI build.

Now, how do I add or combine the yml for dependabot, considering that in the dependabot we have trigger set to none versus in the CI, we have trigger set to a specific branch ? Ideally, we only want to run the dependabot scan only one time a week. Is it achievable with the v2 dependabot ? Thank you.

azure-pipelines.yml

# ASP.NET Core

# Build and test ASP.NET Core projects targeting .NET Core.
# Add steps that run tests, create a NuGet package, deploy, and more:
# https://docs.microsoft.com/azure/devops/pipelines/languages/dotnet-core
---
variables:
  - name: buildConfiguration
    value: Release
  - name: agentPool
    "${{ if or(eq(variables['Build.SourceBranchName'], 'dev'), eq(variables['Build.SourceBranchName'], 'main'), eq(variables['Build.SourceBranchName'], 'dev-ttcdbtst')) }}":
      value: "TTC Servers"
    "${{ else }}":
      value: Azure Pipelines
  - name: rootPath
    value: "./../../../"
  - name: projectPath
    value: "./../"
  - name: unitTestPath
    value: "./../../Api.Test"
  - name: workingDirectory
    value: "src/Api/Build"
trigger:
  - main
  - dev  
  - feature/*
jobs:
  - job: null
    displayName: Build and Publish Artifacts
    pool:
      name: $(agentPool)
      vmImage: ubuntu-latest    
    steps:    
    - checkout: self
      fetchDepth: 0
    - task: UseDotNet@2
      displayName: 'Install .NET 8 SDK'
      inputs:
        packageType: 'sdk'
        version: '8.x'
    - task: Bash@3
      displayName: 'Check what account is running'
      inputs:
        targetType: 'inline'
        script: 'whoami'
        workingDirectory: $(workingDirectory)
    - task: Bash@3
      displayName: 'Install Cake.Tool'
      inputs:
        targetType: 'inline'
        script: 'dotnet tool install --global Cake.Tool | echo "Already installed"'
        workingDirectory: $(workingDirectory)
    - task: Bash@3
      displayName: 'Execute dotnet cake command'
      inputs:
        targetType: 'inline'
        script: 'dotnet cake --rootPath=$(rootPath) --projectPath=$(projectPath) --unitTestPath=$(unitTestPath)'
        workingDirectory: $(workingDirectory)
    - task: PublishBuildArtifacts@1
      displayName: 'Publish Build Artifacts'
      inputs:
        PathtoPublish: 'artifacts'
        ArtifactName: 'Artifact'
        publishLocation: 'Container'

dependabot-pipelines.yml

#inputs options: https://github.com/tinglesoftware/dependabot-azure-devops/blob/main/extension/README.md
trigger: none
stages:
  - stage: CheckDependencies
    displayName: Check Dependencies
    jobs:
      - job: Dependabot
        displayName: Run Dependabot
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: dependabot@2
            displayName: Run Dependabot            
            inputs:
              setAutoComplete: true

dependabot.yml

version: 2
updates:
  - package-ecosystem: 'nuget'
    directory: '/'
    target-branch: 'dev'
    open-pull-requests-limit: 15
    ignore:
        - dependency-name: 'Microsoft.Extensions.Caching.SqlServer'
    registries:
      - azure_artifacts
    schedule:
      interval: weekly
      # Check for npm updates on every Sundays
      day: "sunday"
      time: "09:00"
      timezone: "America/Los_Angeles"    
    # Labels on pull requests for security and version updates
    labels:
      - "npm dependencies"
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://xxx.pkgs.visualstudio.com/0497dd12-e7ca-49f7-999e-7f22d25e38c8/_packaging/TTCWebFeed/nuget/v3/index.json"
    token: "PAT:<PAT>"

[rhyskoedijk]

@Hoang-Minh I would recommend creating a new pipeline specifically for dependabot; You can have dependabot automatically run each day/week using a scheduled trigger. Here are some pipeline examples:

Run dependabot weekly on the current repository only

trigger: none
schedules:
- cron: '0 0 * * 0' # 12:00 UTC on Sunday
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Weekly (midnight sunday)

pool:
  name: Azure Pipelines
  vmImage: ubuntu-latest
steps:
  - task: dependabot@2
    displayName: Run Dependabot
    inputs:
      # your config here...

Run dependabot weekly for multiple repositories

trigger: none
schedules:
- cron: '0 0 * * 0' # 12:00 UTC on Sunday
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Weekly (midnight sunday)

parameters:
  - name: repositoryNames
    displayName: 'Repository Names'
    type: object
    default:
      - 'Repo1'
      - 'Repo2'
      - 'Repo3'

jobs:
  - ${{ each repositoryName in parameters.repositoryNames }}:
    - job: dependabot_${{lower(replace(repositoryName, ' ', ''))}}
      displayName: Dependabot - ${{repositoryName}}
      pool:
        name: Azure Pipelines
        vmImage: ubuntu-latest
      steps:
        - task: dependabot@2
          displayName: Run Dependabot on ${{repositoryName}}
          continueOnError: true
          inputs:
            targetRepositoryName: ${{repositoryName}}
            # your config here...

[Hoang-Minh]

Thanks @rhyskoedijk .

What's about the dependabot.yml ? Do I need to include that yml file in the repo ? Does it mean that I need 2 yml files in my repo right ?

version: 2
updates:
  - package-ecosystem: 'nuget'
    directory: '/'
    target-branch: 'dev'
    open-pull-requests-limit: 15
    ignore:
        - dependency-name: 'Microsoft.Extensions.Caching.SqlServer'
    registries:
      - azure_artifacts
    schedule:
      interval: weekly
      # Check for npm updates on every Sundays
      day: "sunday"
      time: "09:00"
      timezone: "America/Los_Angeles"    
    # Labels on pull requests for security and version updates
    labels:
      - "npm dependencies"
registries:
  azure_artifacts:
    type: "nuget-feed"
    url: "https://xxx.pkgs.visualstudio.com/0497dd12-e7ca-49f7-999e-7f22d25e38c8/_packaging/TTCWebFeed/nuget/v3/index.json"
    token: "PAT:<PAT>"

[rhyskoedijk]

Yes. If you only have one repo, it's simplest to put both the pipeline and dependabot yml files together in the same repository. e.g.

• MyRepository
  • /.azuredevops/dependabot.yml (your dependabot config file)
  • /.azuredevops/pipeline/run-dependabot.yml (your DevOps pipeline file)

You do not need to specify schedule in your dependabot.yml, this is always ignored by the DevOps extension; Instead, use schedules in your run-dependabot.yml pipeline so that DevOps manages the pipeline scheduling.

[Hoang-Minh]

Thank you very much @rhyskoedijk !!!

[vishnuprakash9845]

@Hoang-Minh I would recommend creating a new pipeline specifically for dependabot; You can have dependabot automatically run each day/week using a scheduled trigger. Here are some pipeline examples:

Run dependabot weekly on the current repository only

trigger: none
schedules:
- cron: '0 0 * * 0' # 12:00 UTC on Sunday
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Weekly (midnight sunday)

pool:
  name: Azure Pipelines
  vmImage: ubuntu-latest
steps:
  - task: dependabot@2
    displayName: Run Dependabot
    inputs:
      # your config here...

Run dependabot weekly for multiple repositories

trigger: none
schedules:
- cron: '0 0 * * 0' # 12:00 UTC on Sunday
  always: true
  branches:
    include:
      - main
  batch: true
  displayName: Weekly (midnight sunday)

parameters:
  - name: repositoryNames
    displayName: 'Repository Names'
    type: object
    default:
      - 'Repo1'
      - 'Repo2'
      - 'Repo3'

jobs:
  - ${{ each repositoryName in parameters.repositoryNames }}:
    - job: dependabot_${{lower(replace(repositoryName, ' ', ''))}}
      displayName: Dependabot - ${{repositoryName}}
      pool:
        name: Azure Pipelines
        vmImage: ubuntu-latest
      steps:
        - task: dependabot@2
          displayName: Run Dependabot on ${{repositoryName}}
          continueOnError: true
          inputs:
            targetRepositoryName: ${{repositoryName}}
            # your config here...

Thanks @rhyskoedijk this is useful info.

I was trying this approach where my Dependabot file is set up as follows:

dependabot.yml present in repo1 on the dev branch
dependabot.yml present in repo2 on the main branch

My question is: can we configure the dependabot@2 task to specify a particular branch when using

targetRepositoryName: ${{repositoryName}} 

or anywhere in the run-dependabot pipeline under parameters or in dependabot.yml file?

[rhyskoedijk]

@vishnuprakash9845 you can use the target-branch config in dependabot.yml to specify which branch Dependabot uses when checking for updates and as the target for all pull requests it creates; is this what you mean?

[vishnuprakash9845]

@vishnuprakash9845 you can use the target-branch config in dependabot.yml to specify which branch Dependabot uses when checking for updates and as the target for all pull requests it creates; is this what you mean?

Thanks @rhyskoedijk for the response.

Finally I wanted target as dev branch, where it needs the PR to be created when new version of dependencies available. But the thing which I had doubt is

I've added the dependabot.yml file to two repositories and run-dependabot.yml in another one:

1. Ops.Addition in the adding_dependabot branch
2. Ops.Subtraction in the adding_dependabot branch
3. I've also added the run-dependabot.yml file to the Trigger repository in the adding_run_dependabot branch.

When I run the run-dependabot.yml, I encounter the following error:

Configuration file not found at possible locations: /.azuredevops/dependabot.yml, /.azuredevops/dependabot.yaml, /.github/dependabot.yaml, /.github/dependabot.yml
##[error]An unhandled exception occurred: Error: Configuration file not found at possible locations: /.azuredevops/dependabot.yml, /.azuredevops/dependabot.yaml, /.github/dependabot.yaml, /.github/dependabot.yml

I beleive it taking dev branch while running. Mycode is in feature branches (adding_dependabot) not in dev currently. Once after the testing it will be moved to dev.

My question is: when we run the run-dependabot.yml, does it default to running on the dev branches of Ops.Addition and Ops.Subtraction, or is there a way to configure it to run on feature branches of these repositories?

[rhyskoedijk]

@vishnuprakash9845 in your scenario, run-dependabot.yml when using targetRepositoryName will attempt to locate dependabot.yml in the default branch of the target repo, not the "adding_dependabot" branch; Unfortunately there is no option to specify the target repository branch name.

The only work around I can think of is to commit your dependabot.yml file to the default branch of your repositories; Although, you mentioned you want to avoid this until it has been tested first, so that might not be possible for you.

@mburumaxwell do you think there should be a task input for "targetRepositoryBranchName" and "targetRepositoryName"? If so, I can add it.

[vishnuprakash9845]

@rhyskoedijk

Thank you for the clarification and the suggestion. I appreciate your insight on how run-dependabot.yml works with the default branch of the target repository. While committing the dependabot.yml to the default branch is something we were hoping to avoid for now, it's good to know that's a potential workaround.

Adding a task input for targetRepositoryBranchName sounds like a great idea. It would certainly help in cases like this where testing is needed before merging to the default branch. Thanks again for your help!

[dtno-azeem-akhtar]

Hello, I am also trying to run dependabot scan for multi-repo. I have created one azure pipeline in separate repo there I have configured dependabot@2 task for all repos. But the target repos are in another project within same organization in azure devops.
Getting [GET] https://///_apis/git/repositories/?api-version=5.0
🌎 🠈 [200] OK
Creating pull request 'Bump Microsoft.NET.Test.Sdk from 17.7.1 to 17.11.1'...

• Pushing 1 file change(s) to branch 'dependabot/nuget/master/Microsoft.NET.Test.Sdk-17.11.1'...
  🌎 🠊 [POST] https://///_apis/git/repositories//pushes?api-version=5.0
  🌎 🠈 [500] Internal Server Error
  {"$id":"1","innerException":null,"message":"TF401035: The object '6cb74c2217ce00eb5a0ac788572ece5fa74d462c' does not exist

I believe this is due to it is not pointing to correct repo the PR to be created. In this case, error says it does not find the commit Id whereas commit id exist in target repo but the pipeline is trying to create the PR in the its own repo means the pipeline I believe.
I have even tried running the same within same project for different repo in single pipeline run where the pipeline I created in a separate repo within the same project. but same error.
Below are my yml files:
scan.yml file exist in separate repo as a sole file:

trigger: none

pool:
  vmImage: 'ubuntu-latest'

resources:
  repositories:
    - repository: Repo1
      type: git
      name: Root/Repo1
    - repository: Repo2
      type: git
      name: Root/Repo2

variables:
- group: MyGet

jobs:
  - job: AuthenticateNuget
    displayName: "Nuget Authenticate"
    steps:
      - task: NuGetAuthenticate@1
        displayName: "NuGet Authenticate"
      
  - job: RunDependabotForRepo1
    displayName: "Dependabot"
    steps:
      - checkout: Repo1
      - task: dependabot@2
        displayName: "Dependabot"
        inputs:
          dockerImageTag: "1.36.0"
          tergatRepository: CampaignService
          extraEnvironmentVariables: DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"nuget_feed","url":"$(dependabot-key)"}, {"type":"nuget_feed","url":"https://api.nuget.org/v3/index.json"}, {"type":"nuget_feed","url":"https://pkgs.dev.azure.com/orgname/project/_packaging/project/nuget/v3/index.json", "token":"$(System.AccessToken)"}]
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
        continueOnError: true
  - job: RunDependabotForRepo2
    displayName: "Dependabot"
    steps:
      - checkout: repo2
      - task: dependabot@2
        displayName: "Dependabot"
        inputs:
          dockerImageTag: "1.36.0"
          extraEnvironmentVariables: DEPENDABOT_EXTRA_CREDENTIALS=[{"type":"nuget_feed","url":"$(dependabot-key)"}, {"type":"nuget_feed","url":"https://api.nuget.org/v3/index.json"}, {"type":"nuget_feed","url":"https://pkgs.dev.azure.com/orgname/project/_packaging/project/nuget/v3/index.json", "token":"$(System.AccessToken)"}]
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
        continueOnError: true

Here is my dependabot.yml file exists in each respective repo that to be scaned and PR to be created there.

# Basic set up for three package managers

variables:
- group: MyGet

version: 2

registries:
   nuget:
     type: nuget-feed
     url:  https://api.nuget.org/v3/index.json

   nuget-azure-devops:
     type: nuget-feed
     url: https://pkgs.dev.azure.com/orgname/project/_packaging/project/nuget/v3/index.json
     token: ${{ System.AccessToken }}

   my-get:
     type: nuget-feed
     url: https://www.myget.org/F/orgname/api/v3/index.json
     token: ${{ dependabot-key }}
     
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    registries:
      - nuget
      - nuget-azure-devops
      - my-get
    ignore:
      - dependency-name: "Swashbuckle.AspNetCore"
        versions: ["6.x"]
    schedule:
      interval: "daily"

Please could you advise, Although I have tried different solutions but no success. Thank you!