[GitLab] Dependabot

2024-02-06 hit count image

Let's see how to add Dependabot to GitLab for checking automatically the version updating of the libraries in the project.


Dependabot is an open source for checking the new version of the libraries in the project and creating the Pull request(Merge request) automatically in GitHub or GitLab.

Dependabot is made for GitHub at the first time, but now it becomes open source be able to use everywhere. So, GitLab also supports Dependabot for you to use it.

However, the Ultimate plan is required to use Dependabot provided by GitLab in GitLab.

In this blog post, I will introduce how to add Dependabot in self-managed GitLab for not the Ultimate plan.

Add dependabot-script to GitLab

To execute Dependabot on GitLab, you need to make an environment for it. Dependabot provides the dependabot-script repository for the environment to execute Dependabot.

So, you need to import the dependabot-script to GitLab by following the steps.

  1. Access GitLab
  2. Click New Project
  3. Click Import project
  4. Insert and add Repository by URL

And then, insert the dependabot-script repository URL below to Repository URL.

  • Repository URL: https://github.com/dependabot/dependabot-script

Create GitLab token

The dependabot-script repository will access the other repositories and check the version. And then, when the new versios exist, The dependabot-script repository creates Merge request automatically. So, Personal Access Token is required to access the other repositories and make Merge request.

GitLab Dependabot - personal access tokens

Create Personal Access Token with the api permission.

Create GitHub token

The dependabot-script repository uses GitHub API to check the library versions.. So To use GitHub API, you need to create Personal access token of GitHub.

After login on GitHub, click the profile image on the right top. And then, click Settings to go to the settings page.

Click Developer settings on the bottom of the left menu on the settings peage. And then, click Personal access tokens > Token (classic) to go to creating Token page.

GitLab Dependabot - GitHub personal access tokens

Cteate Token with the public_repo permission of repo.

Create CI/CD variables

Next, you need to configure Pesonal Access Token to the CI/CD variables in dependabot-script.

GitLab Dependabot - add token to CI/CD variables

In the dependabot-script repository, click Settings > CI/CD > Variables, and Expand.

And then add Personal Access Token of GitLab with GITLAB_ACCESS_TOKEN by key.

  • Value: token

Also, add Personal Access Token of GitHub with GITHUB_ACCESS_TOKEN by key.

  • Value: token

If you use selfd-managed GitLab, you may need to configure GITLAB_HOSTNAME like the following.

  • Value: gitlab.dev-yakuza.com

Create .gitlab-ci.yml file

You can find the .gitlab-ci.example.yml file in the dependabot-script repository. Modify this file name to .gitlab-ci.yml.

GitLab Dependabot - rename .gitlab-ci.example.yml to .gitlab-ci.yml

Create Schedule

Now, let’s create Schedule to execute Dependabot at regular interval to check that there are new versions of the libraries in the specific project and if there are, create Merge request.

Create new Schedule on the dependabot-script repository.

GitLab Dependabot - create a new schedule of pipeline

At this time, you need to configure the specific project Path and Package manger to Variables.

  • PROJECT_PATH: / (ex> dev-yakuza/deku-nextjs-boilerplate)
  • PACKAGE_MANAGER_SET: project manager (ex> npm_and_yarn)

You can see Package manager that you can configure to the dependabot-script on the following link.

The list of Package manager is like following.

  • bundler
  • cargo
  • composer
  • dep
  • docker
  • elm
  • go_modules
  • gradle
  • hex
  • maven
  • npm_and_yarn
  • nuget
  • pip (includes pipenv)
  • submodules
  • terraform

Execute Schedule

And then, let’s execute Schedule to check Dependabot works well.

GitLab Dependabot - create a new schedule of pipeline

If there is no problem, you can see Merge request is created on the repository that you set to PROJECT_PATH like following.

GitLab Dependabot - merge request

ERROR: Job failed: failed to pull image dependabot/dependabot-script

Basically, you don’t need to modify the .gitlab-ci.yml file. But due to the GitLab configuration, the following error may occur.

ERROR: Job failed: failed to pull image "dependabot/dependabot-script" with specified policies [always]: Error response from daemon: pull acces s denied for dependabot/dependabot-script, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go: 237:2s)

In this case, you need to modify the .gitlab-ci.yml file like following.

# build-image:
#   tags:
#     - shell
#   stage: build
#   script:
#     - docker build -t "dependabot/dependabot-script" -f Dockerfile .

    - docker
  image: dependabot/dependabot-core
    - bundle install -j $(nproc) --path vendor
    - bundle exec ruby ./generic-update-script.rb
    - schedules

After modifying it, when you execute Schedule, you can see Merge request create well.


Done! we’ve seen how to configure and execute Dependabot by using dependabot-script in self-manged GitLab not the Ultimate plan. If you use the newest version of the library, you can fix some security issues, and you don’t need to do a massive version update, so you don’t have to spend a lot of time on version updates.

Was my blog helpful? Please leave a comment at the bottom. it will be a great help to me!

App promotion

You can use the applications that are created by this blog writer Deku.
Deku created the applications with Flutter.

If you have interested, please try to download them for free.