How to pass Dependabot OPTIONS properties to dependabot-script in Azure DevOps Pipeline


After following guides like this one I am able to successfully run dependabot against my Azure DevOps repo and it auto creates PRs. The issue is I have some customizations I need to make, such as ignoring specific packages, which the dependabot documentation says can be done here, but they are not working.

Not sure if it is the way I am composing the options object or something else, but no values seem to be honored.

Here is what my Azure DevOps Pipeline looks like:

trigger:
- main

jobs:
- job: dependabot
  displayName: Dependabot Execution
  pool:
   vmImage: 'ubuntu-latest'

  variables:
    - name: DIRECTORY_PATH
      value: /MyApp/
    - name: PACKAGE_MANAGER
      value: nuget
    - name: PROJECT_PATH   
      value: someDomain/someProject/_git/my-app
    - name: OPTIONS
      value: |
        {"ignore":[{"dependency-name":"NLog*"}]}
    # {"ignore_conditions":[{"dependency-name":"NLog*"}]} # also tried and did not work

  steps:
    - script: git clone https://github.com/dependabot/dependabot-script.git
      displayName: Clone Dependabot config repo

    - script: |
        cd dependabot-script
        docker build -t "dependabot/dependabot-script" -f Dockerfile .
      displayName: Build Dependabot Image

    - script: |
        docker run --rm -e AZURE_ACCESS_TOKEN='$(PAT)' \
                        -e GITHUB_ACCESS_TOKEN='$(GHPAT)' \
                        -e PACKAGE_MANAGER='$(PACKAGE_MANAGER)' \
                        -e PROJECT_PATH='$(PROJECT_PATH)' \
                        -e DIRECTORY_PATH='$(DIRECTORY_PATH)' \
                        -e OPTIONS='$(OPTIONS)' \
                        dependabot/dependabot-script
      displayName: Run Dependabot

And here is the output when the pipeline runs:

Running with options: {:ignore=>[{:"dependency-name"=>"NLog*"}]}
Fetching nuget dependency files for someDomain/someProject/_git/my-app
Parsing dependencies information
  - Updating NLog (from 5.1.0)… submitted
  - Updating System.Data.SqlClient (from 4.8.4)… submitted
Done
Finishing: Run Dependabot

As you can see, 2 PRs are created, which is great, except the NLog one should have been ignored/skipped. I have also tried other options such as commit-message prefix and it did not take either.

Any help is appreciated!

There is 1 answer

E_Rygn

Another way is to use the image created by tinglesoftware (https://github.com/tinglesoftware/dependabot-azure-devops). Simply add the DEPENDABOT_IGNORE_CONDITIONS environment variable when launching the Docker image, for example:

- script: |
    docker pull ghcr.io/tinglesoftware/dependabot-updater
  displayName: Pull docker image
- script: |
    docker run --rm -i -e GITHUB_ACCESS_TOKEN='$(GHPAT)' \
                    -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=10 \
                    -e AZURE_ACCESS_TOKEN='$(PAT)' \
                    -e AZURE_ORGANIZATION='$(AZURE_ORGANIZATION)' \
                    -e AZURE_PROJECT='$(AZURE_PROJECT)' \
                    -e AZURE_REPOSITORY='$(AZURE_REPOSITORY)' \
                    -e DEPENDABOT_PACKAGE_MANAGER='$(PACKAGE_MANAGER)' \
                    -e DEPENDABOT_DIRECTORY='$(DIRECTORY_PATH)' \
                    -e DEPENDABOT_TARGET_BRANCH='$(BRANCH)' \
                    -e DEPENDABOT_IGNORE_CONDITIONS='[{"dependency-name":"dotnet/sdk","versions":[">= 7"]}]' \
                    ghcr.io/tinglesoftware/dependabot-updater
  displayName: Run Dependabot

You will need to change the PROJECT_PATH variable to define the AZURE_ORGANIZATION, AZURE_PROJECT and AZURE_REPOSITORY variables.

I hope this helps.
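Added example, not code from either post or from the dependabot projects: a small Python pre-check that applies the ignore-condition format both posts pass through OPTIONS / DEPENDABOT_IGNORE_CONDITIONS (a dependency-name glob plus optional versions requirements) to a constructed list of candidate updates, so the JSON can be validated and its effect previewed before the pipeline runs. The version matcher is a simplifying assumption (dotted numeric versions and comparison operators only), not Dependabot's real requirement parser.

```python
import fnmatch
import json
import re

# Constructed sample in the shape both answers pass to the container:
# a JSON array of ignore conditions.
SAMPLE_IGNORE_CONDITIONS = json.dumps([
    {"dependency-name": "NLog*"},
    {"dependency-name": "dotnet/sdk", "versions": [">= 7"]},
])

# Constructed candidate updates: (package name, version dependabot would move to).
SAMPLE_UPDATES = [
    ("NLog", "5.1.1"),
    ("NLog.Extensions.Logging", "5.2.0"),
    ("System.Data.SqlClient", "4.8.5"),
    ("dotnet/sdk", "7.0.100"),
    ("dotnet/sdk", "6.0.400"),
]

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, "=": lambda a, b: a == b, "==": lambda a, b: a == b}

def parse_version(text):
    """Assumption: dotted numeric versions only; pad to four parts so '7' compares to '7.0.100'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_matches(requirement, version):
    """True when `version` satisfies a requirement such as '>= 7' or '< 6.0.0'."""
    m = re.fullmatch(r"\s*(>=|<=|==|>|<|=)?\s*([\d.]+)\s*", requirement)
    if not m:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    return _OPS[m.group(1) or "="](parse_version(version), parse_version(m.group(2)))

def is_ignored(conditions, name, version):
    """A condition applies when its dependency-name glob matches (case-insensitively)
    and, if it lists `versions`, at least one listed requirement is satisfied."""
    for cond in conditions:
        if not fnmatch.fnmatchcase(name.lower(), cond["dependency-name"].lower()):
            continue
        reqs = cond.get("versions")
        if not reqs or any(version_matches(r, version) for r in reqs):
            return True
    return False

def check_ignore_conditions(conditions_json, updates):
    """Parse the JSON as the container would and return the updates that would still be raised."""
    conditions = json.loads(conditions_json)
    if not isinstance(conditions, list):
        raise ValueError("ignore conditions must be a JSON array of objects")
    return [(n, v) for n, v in updates if not is_ignored(conditions, n, v)]
```

Running it on the constructed data drops both NLog packages and dotnet/sdk 7.0.100, leaving System.Data.SqlClient and dotnet/sdk 6.0.400.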