Skip to content

Add dependabot CLI execution mode behind experiment flag#1729

Open
brettfo wants to merge 1 commit into
mainfrom
dev/brettfo/github-packages
Open

Add dependabot CLI execution mode behind experiment flag#1729
brettfo wants to merge 1 commit into
mainfrom
dev/brettfo/github-packages

Conversation

@brettfo

@brettfo brettfo commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Introduces a new code path that uses the dependabot CLI binary instead of the Docker-based updater orchestration when the dependabot-use-cli experiment is enabled.

Key changes:

  • Download the latest CLI release from GitHub Releases, resolving the version dynamically via the GitHub API
  • Build a YAML job file from the job details and credentials
  • Pass --api-url, --updater-image, and --proxy-image flags to the CLI
  • Set JOB_TOKEN, DEPENDABOT_JOB_ID, and LOCAL_GITHUB_ACCESS_TOKEN in the CLI process environment for proxy auth and image pulls
  • Skip the CLI path on GitHub Enterprise Server (GHES) instances, even if the experiment flag is set

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Copilot AI review requested due to automatic review settings July 7, 2026 16:03
@brettfo brettfo requested a review from a team as a code owner July 7, 2026 16:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an experimental execution path that runs Dependabot updates via the dependabot/cli binary instead of the existing Docker-based orchestration, gated behind the dependabot-use-cli experiment and disabled on GHES.

Changes:

  • Introduces runDependabotCLI orchestration (download CLI, build YAML job file, run CLI with flags/env).
  • Adds GHES detection to prevent CLI mode on GitHub Enterprise Server while allowing github.com and *.ghe.com.
  • Updates dependencies/build artifacts and adds Jest coverage for the new CLI mode and helpers.
Show a summary per file
File Description
src/main.ts Adds experiment-gated CLI execution path and GHES detection helper.
src/cli-runner.ts New module to download and execute Dependabot CLI and generate YAML job files.
package.json Adds js-yaml runtime dependency and its types.
package-lock.json Lockfile updates reflecting new dependencies.
tests/main.test.ts Adds tests for CLI experiment gating and GHES behavior.
tests/cli-runner.test.ts Adds unit tests for CLI runner helpers/job file generation.
dist/main/sourcemap-register.js Rebuilt dist output.
dist/cleanup/sourcemap-register.js Rebuilt dist output.
dist/main/licenses.txt Updates bundled licenses to include js-yaml.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/13 changed files
  • Comments generated: 4
  • Review effort level: Low

Comment thread src/main.ts Outdated
Comment thread src/cli-runner.ts
Comment thread src/cli-runner.ts
Comment thread __tests__/cli-runner.test.ts
@brettfo brettfo force-pushed the dev/brettfo/github-packages branch from 403cec2 to d1cead5 Compare July 7, 2026 20:47
@brettfo brettfo requested a review from Copilot July 7, 2026 20:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 6/14 changed files
  • Comments generated: 6
  • Review effort level: Low

Comment thread src/cli-runner.ts
Comment thread src/cli-runner.ts Outdated
Comment thread src/cli-runner.ts Outdated
Comment thread src/cli-runner.ts
Comment thread src/cli-runner.ts
Comment thread src/main.ts
@brettfo brettfo force-pushed the dev/brettfo/github-packages branch 4 times, most recently from b7d6ab1 to ef0a274 Compare July 7, 2026 21:30
Introduces a new code path that uses the dependabot CLI binary instead
of the Docker-based updater orchestration when the dependabot-use-cli
experiment is enabled.

Key changes:
- Download the latest CLI release from GitHub Releases, resolving the
  version dynamically via the GitHub API
- Build a YAML job file from the job details and credentials
- Pass --api-url, --updater-image, and --proxy-image flags to the CLI
- Set JOB_TOKEN, DEPENDABOT_JOB_ID, and LOCAL_GITHUB_ACCESS_TOKEN in
  the CLI process environment for proxy auth and image pulls
- Log CLI stderr as info (not warning)
- Skip the CLI path when the job environment is ghes;
  allow it for dotcom and proxima environments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@brettfo brettfo force-pushed the dev/brettfo/github-packages branch from ef0a274 to 3b6ca0c Compare July 7, 2026 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants