Add dependabot CLI execution mode behind experiment flag#1729
Conversation
There was a problem hiding this comment.
Pull request overview
Adds an experimental execution path that runs Dependabot updates via the dependabot/cli binary instead of the existing Docker-based orchestration, gated behind the dependabot-use-cli experiment and disabled on GHES.
Changes:
- Introduces
runDependabotCLIorchestration (download CLI, build YAML job file, run CLI with flags/env). - Adds GHES detection to prevent CLI mode on GitHub Enterprise Server while allowing github.com and
*.ghe.com. - Updates dependencies/build artifacts and adds Jest coverage for the new CLI mode and helpers.
Show a summary per file
| File | Description |
|---|---|
| src/main.ts | Adds experiment-gated CLI execution path and GHES detection helper. |
| src/cli-runner.ts | New module to download and execute Dependabot CLI and generate YAML job files. |
| package.json | Adds js-yaml runtime dependency and its types. |
| package-lock.json | Lockfile updates reflecting new dependencies. |
| tests/main.test.ts | Adds tests for CLI experiment gating and GHES behavior. |
| tests/cli-runner.test.ts | Adds unit tests for CLI runner helpers/job file generation. |
| dist/main/sourcemap-register.js | Rebuilt dist output. |
| dist/cleanup/sourcemap-register.js | Rebuilt dist output. |
| dist/main/licenses.txt | Updates bundled licenses to include js-yaml. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/13 changed files
- Comments generated: 4
- Review effort level: Low
403cec2 to
d1cead5
Compare
b7d6ab1 to
ef0a274
Compare
Introduces a new code path that uses the dependabot CLI binary instead of the Docker-based updater orchestration when the dependabot-use-cli experiment is enabled. Key changes: - Download the latest CLI release from GitHub Releases, resolving the version dynamically via the GitHub API - Build a YAML job file from the job details and credentials - Pass --api-url, --updater-image, and --proxy-image flags to the CLI - Set JOB_TOKEN, DEPENDABOT_JOB_ID, and LOCAL_GITHUB_ACCESS_TOKEN in the CLI process environment for proxy auth and image pulls - Log CLI stderr as info (not warning) - Skip the CLI path when the job environment is ghes; allow it for dotcom and proxima environments Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ef0a274 to
3b6ca0c
Compare
| * the CLI has the complete job definition. | ||
| * Returns the path to the temporary YAML file. | ||
| */ | ||
| export function buildJobFile( |
There was a problem hiding this comment.
This doesn't have to be in YAML, the CLI will accept JSON as well.
| } | ||
| const githubToken = process.env.GITHUB_TOKEN | ||
| if (githubToken) { | ||
| extraEnv.LOCAL_GITHUB_ACCESS_TOKEN = githubToken |
There was a problem hiding this comment.
The CLI will only use LOCAL_GITHUB_ACCESS_TOKEN if there's no Git source credential already, which for production will always be the case. So I don't think you need this. If you do need to specifically inject the GITHUB_TOKEN you'd need to add it to the credentials directly.
LOCAL_GITHUB_ACCESS_TOKEN is just meant for using it locally for convenience on the command line.
| if (options.outputPath) { | ||
| args.push('-o', options.outputPath) | ||
| } |
There was a problem hiding this comment.
Since we are providing the hostname of the Dependabot service, there's not a reason for writing output to disk as it will simply POST the results directly to the service. Prevents us from needing to clean up.
| jobFilePath: string, | ||
| options: CLIRunOptions = {} | ||
| ): Promise<void> { | ||
| const args = ['update', '-f', jobFilePath] |
There was a problem hiding this comment.
Dependabot CLI can receive the job input on stdin, so there's no need to write the job to disk. One less thing to clean up, and keeps credentials in memory only.
|
|
||
| const proc = spawn(command, args, {stdio: 'pipe', env}) | ||
|
|
||
| proc.stdout?.on('data', (data: Buffer) => { |
There was a problem hiding this comment.
We probably don't want to print stdout since it's the payload to the server. It doesn't add anything and some of the JavaScript payloads are massive.
|
Looks good, just a few ways to simplify things 👍 |
Introduces a new code path that uses the dependabot CLI binary instead of the Docker-based updater orchestration when the
dependabot-use-cliexperiment is enabled.Key changes:
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com