Dependabot on Gitlab

A few days ago I tweeted about Dependabot. Dependabot is a tool that checks whether any of your dependencies are outdated and opens a pull request to update each one. This way you keep all your dependencies up to date. Another benefit is that you can run it every night, for example, so all the updates are ready to be merged the next morning. How convenient is that?

Let’s start setting this up in Gitlab. We need two things here. The first is our own repository, which will receive the updates. The second is a clone or mirror of the Dependabot script, which will be set up to run every night. I will take you through all these steps as I figured them out as well.

Dependabot Core

Let’s first start with Dependabot core itself. So create a new project in gitlab (this can be either your own hosted gitlab or We will need to mirror the Dependabot Core repo in there. Go to the new project page which you can find here:

On this page go to the “Import project” tab. From there we select the button “Repo by URL”. In here we paste the following url:

Make sure that you check the “Mirror repository” button. This way you don’t have to update Dependabot yourself anymore. Finally you can give the project a name. Hit the “Create project” button and it will start importing.

We now have the repo, but we need to make some small changes to get it up and running. You can check out this repository and make the changes, or you can do it from the UI using the Web IDE. We need to copy the .gitlab-ci.example.yml to a new .gitlab-ci.yml file. In this case we don’t have to make any changes in the file itself.

Access tokens

For Dependabot to create pull requests on our repository, it needs access. Luckily Gitlab makes this very easy for us. First we need to generate a new personal access token so we can grant access. If you go to you can generate a new token. Make sure you save the token somewhere because you won’t be able to see it again.

Now copy this token and go to “Settings” in the sidebar of the Dependabot script repository (not your code repository), then “CI / CD”. On this page under “Variables” we need to register the token. The key should be GITLAB_ACCESS_TOKEN and the value should be the one you just copied. Finally we add a second key called GITLAB_HOSTNAME. In here you put the url of your Gitlab environment. If you use the public Gitlab you should use

Scheduling Dependabot

Now that we have the repository for Dependabot up and running we can start checking for outdated dependencies using a scheduler. In the cloned Dependabot script repository we can go to “CI / CD” in the sidebar and then “Schedules”. From here we create a new schedule.

We can give the schedule a name and set the time at which we want it to run. For me running it at 4 AM is perfect. Also note in the screenshot below that we need to set two more environment variables to make this work. First PROJECT_PATH with the name of the repo, in my case bobbybouwmann/laravel-dependabot. Finally PACKAGE_MANAGER_SET with the type of dependencies we want to get updates for, in my case composer,npm_and_yarn.

Updating those dependencies!

Now if everything is correct, we can manually trigger the pipeline. If you do this from the scheduler overview, you need to go to the pipelines yourself. The first pipeline takes a long time; after that it has built some cache, so it’s a lot faster.

If everything went fine you should see some pull requests. You will now receive these pull requests every day and don’t have to think about it anymore! It’s really awesome!

You can find the example repositories from this tutorial here:

Github Access Token

In some cases you will hit the rate limit of Github for updating your dependencies. This mostly happens the first time you run it because you might have a lot of outdated dependencies. Luckily we can easily fix this! We only need to generate a personal access token on Github and add it to the environment variables of our schedules.

To generate a new Github token you can go to Here you can generate a new personal access token. The first step is setting the permissions. In general you have to set the public_repo permission under the repo section. Now hit that button for your token! Keep your token close, we need it in the next step.

Now go back to the schedules in the Dependabot script repo. You can find them under "CI / CD" and then "Schedules". Edit the existing schedule and add the GITHUB_ACCESS_TOKEN key with the token we just created as value. Make sure you save and you should be good to go!

Special dependencies

Sometimes you have special dependencies that, for example, need a username and password for access. Take for example Laravel Nova. Locally you would add the credentials to the auth.json file configured for composer. The problem here is that our schedule doesn't know about these credentials. To set this up correctly we need to update some files and add environment variables.

Let's start with the environment variables. We go again to "CI / CD" and then "Schedules" in the sidebar. Here we edit the schedule and add two new keys called NOVA_USERNAME and NOVA_PASSWORD. The values are the normal values you would fill in here.

Next we need to update the .gitlab-ci.yml, specifically the steps for composer:

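# Before
composer:
  extends: .dependabot
  only:
    variables:
      - $PACKAGE_MANAGER_SET =~ /\bcomposer\b/

# After
composer:
  extends: .dependabot
  # before_script here overrides any before_script inherited via extends.
  before_script:
    # <repository-host> is a placeholder for the host of the private Composer repository.
    - composer config --global --auth http-basic.<repository-host> "$NOVA_USERNAME" "$NOVA_PASSWORD" --no-ansi --no-interaction
    - bundle install -j $(nproc) --path vendor
  only:
    variables:
      - $PACKAGE_MANAGER_SET =~ /\bcomposer\b/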

This way we add a new entry to composer's auth.json file from the command line. The credentials come from the environment variables. If you have set up everything correctly, Nova should be updated automatically for you as well.
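
A preflight check for the scheduled pipeline, added here as an example and not part of the original post or of the Dependabot script. It verifies that the variables this tutorial sets (the two CI/CD variables, the two schedule variables, and the optional Github and Nova ones) are present, and it reports names only so that no secret ends up in the job log. The function names preflight, is_set and wants are hypothetical.

```sh
#!/bin/sh
# Added example: preflight for the scheduled Dependabot pipeline.
# Function names are hypothetical; variable names are the tutorial's.
# Problems are reported by variable NAME only, never by value.

is_set() {  # true when the exported variable named $1 is non-empty
    [ -n "$(printenv "$1")" ]
}

wants() {  # true when PACKAGE_MANAGER_SET lists $1 as a whole entry
    case ",${PACKAGE_MANAGER_SET:-}," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {
    problems=0
    # Required: registered under "Variables" and on the schedule.
    for name in GITLAB_ACCESS_TOKEN GITLAB_HOSTNAME PROJECT_PATH PACKAGE_MANAGER_SET; do
        if ! is_set "$name"; then
            echo "missing: $name" >&2
            problems=$((problems + 1))
        fi
    done
    # PROJECT_PATH is namespace/project, e.g. bobbybouwmann/laravel-dependabot.
    case "${PROJECT_PATH:-}" in
        */*) ;;
        ?*) echo "PROJECT_PATH is not of the form namespace/project" >&2
            problems=$((problems + 1)) ;;
    esac
    # The Nova credentials are used by the composer job and must come as a pair.
    if wants composer; then
        if is_set NOVA_USERNAME && ! is_set NOVA_PASSWORD; then
            echo "missing: NOVA_PASSWORD" >&2
            problems=$((problems + 1))
        elif is_set NOVA_PASSWORD && ! is_set NOVA_USERNAME; then
            echo "missing: NOVA_USERNAME" >&2
            problems=$((problems + 1))
        fi
    fi
    # Optional: only needed when Github's rate limit is hit.
    is_set GITHUB_ACCESS_TOKEN || echo "note: GITHUB_ACCESS_TOKEN not set" >&2
    [ "$problems" -eq 0 ]
}
```

Sourced in a job and called as `preflight || exit 1` ahead of the update step, it makes a misconfigured schedule fail immediately with the name of the missing variable.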
