This is an internal component that GitHub uses to run Dependabot. It is not considered useful outside of this internal usage, and we are currently not considering any contributions that would make this part of the codebase more generic. We do, however, use it to run some end-to-end tests against the rest of the codebase, so we can ensure that things still work when we deploy them.
This component communicates with an API that is only accessible inside the GitHub network, and so is not generally accessible.
To work on the Updater, you will need to start a Docker dev shell:
➜ bin/docker-dev-shell updater # the docker-dev-shell internally maps 'updater' to the 'bundler' ecosystem image
[dependabot-core-dev] ~ $ cd dependabot-updater/
[dependabot-core-dev] ~/dependabot-updater $ bundle
We run rspec tests in the docker dev shell:
[dependabot-core-dev] ~/dependabot-updater $ bundle exec rspec
You can run an individual test file like so:
[dependabot-core-dev] ~/dependabot-updater $ bundle exec rspec spec/dependabot/integration_spec.rb
A small number of tests hit the GitHub API, so you will need to set the envvar DEPENDABOT_TEST_ACCESS_TOKEN with a Personal Access Token with the full repo scope.
# keep secrets from being stored in shell history by prefixing with a space
# (with HISTCONTROL=ignorespace, commands that start with a space are not recorded)
export HISTCONTROL=ignorespace
 export DEPENDABOT_TEST_ACCESS_TOKEN=ghp_xxx
# The DEPENDABOT_TEST_ACCESS_TOKEN will be forwarded to the dev shell container
➜ bin/docker-dev-shell bundler
In order to avoid network calls, we use VCR to maintain fixtures for the remote services we interact with.
If you are adding a new test that makes network calls, please ensure you record a new fixture.
spec/spec_helper.rb
If you've added a new test which has the vcr: true metadata, you can record a fixture for just those changes like so:
[dependabot-core-dev] ~/dependabot-updater $ VCR=new_episodes bundle exec rspec
If you need to update existing fixtures, you can use the all flag like so:
[dependabot-core-dev] ~/dependabot-updater $ VCR=all bundle exec rspec
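VCR cassettes store request headers along with the responses, so a fixture recorded while DEPENDABOT_TEST_ACCESS_TOKEN is set is worth checking before it is committed. The following check is an added example, not part of this repository: the helper names, the token pattern and the sample cassette are constructed, and it assumes you pass in the contents of each cassette file you recorded.

```ruby
require "yaml"
require "date"

# Constructed pattern for GitHub token prefixes (an assumption, not taken from the page).
TOKEN_RE = /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})/
PLACEHOLDER_RE = /\A(?:\w+ )?<[^>]+>\z/ # e.g. "token <TOKEN>"

# Yield every string leaf of a parsed cassette together with its dotted path.
def each_string(node, path = [], &block)
  case node
  when Hash   then node.each { |k, v| each_string(v, path + [k.to_s], &block) }
  when Array  then node.each_with_index { |v, i| each_string(v, path + [i.to_s], &block) }
  when String then block.call(path.join("."), node)
  end
end

# Return [path, reason] pairs for credentials found in one cassette's YAML.
def cassette_findings(yaml_text, known_token: ENV["DEPENDABOT_TEST_ACCESS_TOKEN"])
  findings = []
  doc = YAML.safe_load(yaml_text, permitted_classes: [Date, Time])
  each_string(doc) do |path, value|
    if known_token && !known_token.empty? && value.include?(known_token)
      findings << [path, "contains DEPENDABOT_TEST_ACCESS_TOKEN"]
    elsif value.match?(TOKEN_RE)
      findings << [path, "GitHub token pattern"]
    elsif path.match?(/\.headers\.authorization\./i) && !value.match?(PLACEHOLDER_RE)
      findings << [path, "unfiltered Authorization header"]
    end
  end
  findings
end
# Constructed sample cassette: one leaked token, one filtered header.
FAKE_TOKEN = "ghp_" + "a" * 36
SAMPLE_CASSETTE = <<~YAML
  http_interactions:
  - request:
      method: get
      uri: https://api.github.com/repos/example/example
      headers:
        Authorization:
        - token #{FAKE_TOKEN}
  - request:
      method: get
      uri: https://api.github.com/user
      headers:
        Authorization:
        - token <TOKEN>
YAML

cassette_findings(SAMPLE_CASSETTE, known_token: nil).each { |p, why| puts "#{p}: #{why}" }
```

A non-empty result for any newly recorded cassette means the fixture should be re-recorded with the credential filtered, and the token revoked if the file has already been pushed.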