Refer to the extension README.md.
Dependabot will log more diagnostic information when verbose logs are enabled; i.e. system.debug variable is set to true.
When verbose logs are enable, Dependabot will also generate a Flame Graph performance metrics report, which can be viewed by downloading the pipeline logs, then locating the corresponding HTML report file in the Job folder. To understand how to read Flame Graph reports, see: https://www.brendangregg.com/flamegraphs.html#summary
Warning
When sharing pipeline logs, please be aware that the task log contains potentionally sensitive information such as your DevOps organisation name, project names, repository names, private package feeds URLs, list of used dependency names/versions, and the contents of any dependency files that are updated (e.g. package.json, *.csproj, etc). The Flame Graph report does not contain any sensitive information about your DevOps environment.
Install Node.js (18+), Go (1.22+), and Docker (with Linux containers); Install project dependencies using NPM:
cd extension
npm installcd extension
npm run buildTo then generate the a Azure DevOps .vsix extension package for testing, you'll first need to create a publisher account for the Visual Studio Marketplace Publishing Portal. After this, use npm run package to build the package, with an override for your publisher ID:
npm run package -- --overrides-file overrides.local.json --rev-version --publisher your-publisher-id-hereTo test the extension in a Azure DevOps organisation:
- Build the extension
.vsixpackage - Publish the extension to your publisher account
- Share the extension with the organisation.
To run the latest task version:
npm startTo run a specific task version:
npm run start:V1 # runs dependabotV1 task
npm run start:V2 # runs dependabotV2 taskcd extension
npm testHigh-level sequence diagram illustrating how the dependabotV2 task performs updates using dependabot-cli. For more technical details, see how dependabot-cli works.
sequenceDiagram
participant ext as Dependabot DevOps Extension
participant agent as DevOps Pipeline Agent
participant devops as DevOps API
participant cli as Dependabot CLI
participant core as Dependabot Updater
participant feed as Package Feed
ext->>ext: Read and parse `dependabot.yml`
ext->>ext: Write `job.yaml`
ext->>agent: Download dependabot-cli from github
ext->>+cli: Execute `dependabot update -f job.yaml -o update-scenario.yaml`
cli->>+core: Run update for `job.yaml` with proxy and dependabot-updater docker containers
core->>devops: Fetch source files from repository
core->>core: Discover dependencies
loop for each dependency
core->>feed: Fetch latest version
core->>core: Update dependency files
end
core-->>-cli: Report outputs
cli->>cli: Write outputs to `update-sceario.yaml`
cli-->>-ext: Update completed
ext->>ext: Read and parse `update-sceario.yaml`
loop for each output
alt when output is "create_pull_request"
ext->>devops: Create pull request source branch
ext->>devops: Push commit to source branch
ext->>devops: Create pull request
ext->>devops: Set auto-approve
ext->>devops: Set auto-complete
end
alt when output is "update_pull_request"
ext->>devops: Push commit to pull request
ext->>devops: Update pull request description
ext->>devops: Set auto-approve
ext->>devops: Set auto-complete
end
alt when output is "close_pull_request"
ext->>devops: Create comment thread on pull request with close reason
ext->>devops: Abandon pull request
ext->>devops: Delete source branch
end
end