Extending awesome Dependabot to private registries
Minimizing technical debt and avoiding security vulnerabilities is a task that often requires manual labor. Updating dependencies without tooling can be daunting and error-prone. Fortunately, GitHub (GH) acquired Dependabot: a tool that automates dependency analysis in a GitHub repository. It offers a wide range of features like finding outdated or vulnerable dependencies. When found, Dependabot automatically creates GH Alerts and Pull Requests.
All of this works great with dependencies that are publicly available. However, many people or corporations would like to use Private Artifact Storages for dependencies protected from the public. Dependabot calls these storages Private Registries. TIER uses AWS CodeArtifact, a managed AWS service for securely storing, publishing, and sharing artifacts. As AWS CodeArtifact is a private registry, TIER developers have to login into AWS to push and pull code from the registry. Authenticating against AWS CodeArtifact leaves you with a token that you can use to access the code.
With this blog post, we announce the open-sourcing of the Dependabot - CodeArtifact sync tool. The rest of the post dives deeper into the journey and usage of our app and how you can contribute to it!
Enabling AWS CodeArtifact in Dependabot
Until late 2021, developers had to add secrets for private registries through the UI of Dependabot as there was no public API for doing that automatically. This complicates Dependabot and AWS CodeArtifact integration, as the access token for CodeArtifact has a maximum duration of 12 hours. Thus, developers would have to manually update the secret every 12 hours to enable CodeArtifact with Dependabot.
The AWS CodeArtifact community was unhappy that Dependabot did not offer an API for programmatically updating secrets and opened a GitHub issue. Eventually, Dependabot resolved the GitHub issue by extending the API with endpoints that manage Dependabot secrets.
With the change to the API, we at TIER saw the opportunity to develop a tool that would programmatically update the AWS CodeArtifact on GitHub Dependabot. This change would enable us to use the features of AWS CodeArtifact and Dependabot together. To understand how this works, check out the official Dependabot documentation for private registries and encrypting secrets.
Using the Dependabot - AWS CodeArtifact sync tool
The tool programmatically updates the AWS CodeArtifact secret in GitHub every 10 hours. You can plug it into virtually every environment as the tool allows multiple ways to give it the required data.
Besides installing it yourself, you have access to the binaries through our releases or you can run it with Docker straight from our public Container Registry. Checkout the releases from the public GitHub repo. To build it, you will need to have the latest version of Golang installed in your environment:
- Run go build to create an executable for your system
- Set up the environment variables or use CLI flags to give the tool the data it needs to authenticate against AWS CodeArtifact and Dependabot
- Run the executable with the data specified in step 2.
The executable runs until someone kills the process.
When the tool is running and periodically updating the Access Token on Dependabot, you can use that secret through the typical Dependabot configuration for private registries described in their documentation.
Enjoy your Dependabot Pull Requests pulling code from AWS CodeArtifact!
Conclusion
Dependabot and CodeArtifact are incredible tools with just the right features for developers and teams who want to scale in a growing landscape. Together, they unleash the full potential of automated dependency management, removing security hazards and offloading work from your developers.