Kira Dependencies Bot

Gitlab bot to continuously update your dependency versions. Friendly fork of dependabot-script. The main difference is that the script's source is adjusted to work with RSDP process.

Part of the @kira bots family.

Installation

We recommend to copy this project to your Gitlab. And then setup individual CI schedules for each project that you want to enable.

Configuration

Global

This is a global configuration that you should setup inside your CI variables.

• KIRA_GITLAB_PERSONAL_TOKEN - personal access token for your bot user
• GITLAB_HOSTNAME - (optional) Gitlab domain name, defaults to gitlab.com
• KIRA_GITHUB_PERSONAL_TOKEN - Github personal access token to avoid hitting rate limit

Per schedule

This configuration is best to be setup inside CI schedule's environment.

• PACKAGE_MANAGER_SET - magic variable, package managers to be updated, eg: npm pip docker
• DEPENDABOT_PROJECT_PATH - project to be updated, eg: wemake-services/kira-dependencies
• DEPENDABOT_DIRECTORY - directory to look for package file, defaults to /
• DEPENDABOT_SOURCE_BRANCH - (optional) Source branch for merge requests, defaults to project default branch
• DEPENDABOT_ASSIGNEE_GITLAB_ID - (optional) Gitlab user id to assign to merge requests
• DEPENDABOT_GITLAB_APPROVE_MERGE - (optional) setup to true if you want our bot to approve your merge requests
• DEPENDABOT_GITLAB_AUTO_MERGE - (optional) setup to true if you want to auto merge this request
• DEPENDABOT_MAX_MERGE_REQUESTS - (optional) setup the number of max openened merge requests you want.
• DEPENDABOT_EXTRA_CREDENTIALS - (optional) JSON of extra credential config, for example a private registry authentication (For example FontAwesome Pro: [{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}])
• DEPENDABOT_IGNORED_VERSIONS - (optional) JSON of versions which should be ignored during update. The expected format is {"vendor/package": [">0.1.0", ">0.2.0"]}. It mirrors functionality of ignored_updates in dependabot.

Per package manager

• DEPENDABOT_UPDATE_STRATEGY - (optional) change how each package manager updates your dependency versions, see list of allowed values here
• DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK - (optional) exclude certain dependency updates requirements for each package manager, see list of allowed values here. Useful if you have lots of dependencies and the update script too slow. Example: own all to only use the none version requirement
• KIRA_FAIL_ON_EXCEPTION - (optional) setup to true if you want the job to fail if an exception occurs