Skip to content

Add dependabot CLI execution mode behind experiment flag#1729

Open
brettfo wants to merge 1 commit into
mainfrom
dev/brettfo/github-packages
Open

Add dependabot CLI execution mode behind experiment flag#1729
brettfo wants to merge 1 commit into
mainfrom
dev/brettfo/github-packages

Conversation

@brettfo

@brettfo brettfo commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Introduces a new code path that uses the dependabot CLI binary instead of the Docker-based updater orchestration when the dependabot-use-cli experiment is enabled.

Key changes:

  • Download the latest CLI release from GitHub Releases, resolving the version dynamically via the GitHub API
  • Build a YAML job file from the job details and credentials
  • Pass --api-url, --updater-image, and --proxy-image flags to the CLI
  • Set JOB_TOKEN, DEPENDABOT_JOB_ID, and LOCAL_GITHUB_ACCESS_TOKEN in the CLI process environment for proxy auth and image pulls
  • Skip the CLI path on GitHub Enterprise Server (GHES) instances, even if the experiment flag is set

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Copilot AI review requested due to automatic review settings July 7, 2026 16:03
@brettfo
brettfo requested a review from a team as a code owner July 7, 2026 16:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an experimental execution path that runs Dependabot updates via the dependabot/cli binary instead of the existing Docker-based orchestration, gated behind the dependabot-use-cli experiment and disabled on GHES.

Changes:

  • Introduces runDependabotCLI orchestration (download CLI, build YAML job file, run CLI with flags/env).
  • Adds GHES detection to prevent CLI mode on GitHub Enterprise Server while allowing github.com and *.ghe.com.
  • Updates dependencies/build artifacts and adds Jest coverage for the new CLI mode and helpers.
Show a summary per file
File Description
src/main.ts Adds experiment-gated CLI execution path and GHES detection helper.
src/cli-runner.ts New module to download and execute Dependabot CLI and generate YAML job files.
package.json Adds js-yaml runtime dependency and its types.
package-lock.json Lockfile updates reflecting new dependencies.
tests/main.test.ts Adds tests for CLI experiment gating and GHES behavior.
tests/cli-runner.test.ts Adds unit tests for CLI runner helpers/job file generation.
dist/main/sourcemap-register.js Rebuilt dist output.
dist/cleanup/sourcemap-register.js Rebuilt dist output.
dist/main/licenses.txt Updates bundled licenses to include js-yaml.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/13 changed files
  • Comments generated: 4
  • Review effort level: Low

Comment thread src/main.ts Outdated
Comment thread src/cli-runner.ts
Comment thread src/cli-runner.ts
Comment thread __tests__/cli-runner.test.ts
@brettfo
brettfo force-pushed the dev/brettfo/github-packages branch from 403cec2 to d1cead5 Compare July 7, 2026 20:47
@brettfo
brettfo requested a review from Copilot July 7, 2026 20:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 6/14 changed files
  • Comments generated: 6
  • Review effort level: Low

Comment thread src/cli-runner.ts
Comment thread src/cli-runner.ts Outdated
Comment thread src/cli-runner.ts Outdated
Comment thread src/cli-runner.ts
Comment thread src/cli-runner.ts
Comment thread src/main.ts
@brettfo
brettfo force-pushed the dev/brettfo/github-packages branch 4 times, most recently from b7d6ab1 to ef0a274 Compare July 7, 2026 21:30
Introduces a new code path that uses the dependabot CLI binary instead
of the Docker-based updater orchestration when the dependabot-use-cli
experiment is enabled.

Key changes:
- Download the latest CLI release from GitHub Releases, resolving the
  version dynamically via the GitHub API
- Build a YAML job file from the job details and credentials
- Pass --api-url, --updater-image, and --proxy-image flags to the CLI
- Set JOB_TOKEN, DEPENDABOT_JOB_ID, and LOCAL_GITHUB_ACCESS_TOKEN in
  the CLI process environment for proxy auth and image pulls
- Log CLI stderr as info (not warning)
- Skip the CLI path when the job environment is ghes;
  allow it for dotcom and proxima environments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@brettfo
brettfo force-pushed the dev/brettfo/github-packages branch from ef0a274 to 3b6ca0c Compare July 7, 2026 21:36
Comment thread src/cli-runner.ts
* the CLI has the complete job definition.
* Returns the path to the temporary YAML file.
*/
export function buildJobFile(

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't have to be in YAML, the CLI will accept JSON as well.

Comment thread src/cli-runner.ts
}
const githubToken = process.env.GITHUB_TOKEN
if (githubToken) {
extraEnv.LOCAL_GITHUB_ACCESS_TOKEN = githubToken

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CLI will only use LOCAL_GITHUB_ACCESS_TOKEN if there's no Git source credential already, which for production will always be the case. So I don't think you need this. If you do need to specifically inject the GITHUB_TOKEN you'd need to add it to the credentials directly.

LOCAL_GITHUB_ACCESS_TOKEN is just meant for using it locally for convenience on the command line.

Comment thread src/cli-runner.ts
Comment on lines +151 to +153
if (options.outputPath) {
args.push('-o', options.outputPath)
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are providing the hostname of the Dependabot service, there's not a reason for writing output to disk as it will simply POST the results directly to the service. Prevents us from needing to clean up.

Comment thread src/cli-runner.ts
jobFilePath: string,
options: CLIRunOptions = {}
): Promise<void> {
const args = ['update', '-f', jobFilePath]

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot CLI can receive the job input on stdin, so there's no need to write the job to disk. One less thing to clean up, and keeps credentials in memory only.

Comment thread src/cli-runner.ts

const proc = spawn(command, args, {stdio: 'pipe', env})

proc.stdout?.on('data', (data: Buffer) => {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably don't want to print stdout since it's the payload to the server. It doesn't add anything and some of the JavaScript payloads are massive.

@jakecoffman

Copy link
Copy Markdown
Member

Looks good, just a few ways to simplify things 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants