Skip to content

[Backport release-25.05] dependabot-cli: 1.63.0 -> 1.71.0 #438656

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wolfgangwalther merged 10 commits into from
Sep 13, 2025
Merged

[Backport release-25.05] dependabot-cli: 1.63.0 -> 1.71.0 #438656

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
f0e2190
dependabot-cli: 1.63.0 -> 1.64.0
r-ryantm May 18, 2025
970330e
dependabot-cli: Remove myself as maintainer
l0b0 May 19, 2025
3a5f633
dependabot-cli: add update script which updates the withDockerImages …
philiptaron May 26, 2025
34a6d20
dependabot-cli: 1.64.0 -> 1.65.0
philiptaron May 26, 2025
25b0ec8
dependabot-cli: only run dependabot in order to get completions if su…
philiptaron May 26, 2025
d954ff0
dependabot-cli: add philiptaron as a maintainer
philiptaron May 26, 2025
dbb743c
dependabot-cli: 1.65.0 -> 1.66.0
r-ryantm Jun 8, 2025
a6b15da
dependabot-cli: 1.66.0 -> 1.67.1
r-ryantm Jun 27, 2025
6e9d494
dependabot-cli: 1.67.1 -> 1.68.0
r-ryantm Jul 7, 2025
d1a6992
dependabot-cli: 1.68.0 -> 1.71.0
r-ryantm Aug 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 45 additions & 40 deletions pkgs/by-name/de/dependabot-cli/package.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,44 +1,31 @@
{
lib,
stdenv,
buildGoModule,
dependabot-cli,
dockerTools,
fetchFromGitHub,
installShellFiles,
lib,
makeWrapper,
symlinkJoin,
testers,
}:
let
pname = "dependabot-cli";
version = "1.63.0";
version = "1.71.0";

# vv Also update this vv
# `tag` is what `dependabot` uses to find the relevant docker images.
tag = "nixpkgs-dependabot-cli-${version}";

updateJobProxy = dockerTools.pullImage {
imageName = "ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy";
# Get these hashes from
# nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy --image-tag latest --final-image-name dependabot-update-job-proxy --final-image-tag ${tag}
imageDigest = "sha256:3030ba5ff8f556e47016fca94d81c677b5c6abde99fef228341e1537588e503a";
hash = "sha256-RiXUae5ONScoDu85L6BEf3T4JodBYha6v+d9kWl8oWc=";

# Don't update this, it's used to refer to the imported image later
finalImageName = "dependabot-update-job-proxy";
finalImageTag = tag;
};

updaterGitHubActions = dockerTools.pullImage {
imageName = "ghcr.io/dependabot/dependabot-updater-github-actions";
# Get these hashes from
# nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/dependabot/dependabot-updater-github-actions --image-tag latest --final-image-name dependabot-updater-github-actions --final-image-tag ${tag}
imageDigest = "sha256:a356576adbec11bc34b142b6ef69a5856a09dc3654bdc9f9b046c08ee2d73ff8";
hash = "sha256-zqydb2v39xiSBT5ayWEacD0NIH6LoFX8lkRcCKppH08=";
# Get these hashes from
# nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy --image-tag latest --final-image-name dependabot-update-job-proxy --final-image-tag ${tag}
updateJobProxy.imageDigest = "sha256:a42f9b9845929ae044b8cd51b5335195c33fd610405e558552408287c5295827";
updateJobProxy.hash = "sha256-pEtwBoJ+wF2TdQCcCyigLg4NYqOp2oNCEB7oCJOkwYc=";

# Don't update this, it's used to refer to the imported image later
finalImageName = "dependabot-updater-github-actions";
finalImageTag = tag;
};
# Get these hashes from
# nix run nixpkgs#nix-prefetch-docker -- --image-name ghcr.io/dependabot/dependabot-updater-github-actions --image-tag latest --final-image-name dependabot-updater-github-actions --final-image-tag ${tag}
updaterGitHubActions.imageDigest = "sha256:ca93364b87b6a803d0005409cdb4c61d9c6d808dca33de47de14ef8c30811b51";
updaterGitHubActions.hash = "sha256-TnV8IaBrGPpd06YYmvazGMlZTAVJIMCSWdOgi6hkpRE=";
in
buildGoModule {
inherit pname version;
Expand All @@ -47,10 +34,10 @@ buildGoModule {
owner = "dependabot";
repo = "cli";
rev = "v${version}";
hash = "sha256-lk0AEFQYemr4wP7JXx5mPzzo2VzSJvygPP5vtUvPaxs=";
hash = "sha256-RZNZ72FG4KQr52X0No6iXU4NMUQs7k000KYpw2Kuz5U=";
};

vendorHash = "sha256-pnB1SkuEGm0KfkDfjnoff5fZRsAgD5w2H4UwsD3Jlbo=";
vendorHash = "sha256-5zOMTe8Sa/nkIGtwm4FbAqv3/9Mg5Du2ixxF84VQbXE=";

ldflags = [
"-s"
Expand All @@ -63,7 +50,7 @@ buildGoModule {
installShellFiles
];

postInstall = ''
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
installShellCompletion --cmd dependabot \
--bash <($out/bin/dependabot completion bash) \
--fish <($out/bin/dependabot completion fish) \
Expand All @@ -79,18 +66,36 @@ buildGoModule {
$out/bin/dependabot --help
'';

passthru.updateScript = ./update.sh;

passthru.withDockerImages = symlinkJoin {
name = "dependabot-cli-with-docker-images";
paths = [ dependabot-cli ];
buildInputs = [ makeWrapper ];
postBuild = ''
# Create a wrapper that pins the docker images that are depended upon
wrapProgram $out/bin/dependabot \
--run "docker load --input ${updateJobProxy} >&2" \
--add-flags "--proxy-image=dependabot-update-job-proxy:${tag}" \
--run "docker load --input ${updaterGitHubActions} >&2" \
--add-flags "--updater-image=dependabot-updater-github-actions:${tag}"
'';
postBuild =
let
updateJobProxyImage = dockerTools.pullImage {
imageName = "ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy";
finalImageName = "dependabot-update-job-proxy";
finalImageTag = tag;
inherit (updateJobProxy) imageDigest hash;
};

updaterGitHubActionsImage = dockerTools.pullImage {
imageName = "ghcr.io/dependabot/dependabot-updater-github-actions";
finalImageName = "dependabot-updater-github-actions";
finalImageTag = tag;
inherit (updaterGitHubActions) imageDigest hash;
};
in
''
# Create a wrapper that pins the docker images that `dependabot` uses.
wrapProgram $out/bin/dependabot \
--run "docker load --input ${updateJobProxyImage} >&2" \
--add-flags "--proxy-image=dependabot-update-job-proxy:${tag}" \
--run "docker load --input ${updaterGitHubActionsImage} >&2" \
--add-flags "--updater-image=dependabot-updater-github-actions:${tag}"
'';
};

passthru.tests.version = testers.testVersion {
Expand All @@ -99,15 +104,15 @@ buildGoModule {
version = "v${version}";
};

meta = with lib; {
meta = {
changelog = "https://github.com/dependabot/cli/releases/tag/v${version}";
description = "Tool for testing and debugging Dependabot update jobs";
mainProgram = "dependabot";
homepage = "https://github.com/dependabot/cli";
license = licenses.mit;
maintainers = with maintainers; [
l0b0
license = lib.licenses.mit;
maintainers = with lib.maintainers; [
infinisil
philiptaron
];
};
}
48 changes: 48 additions & 0 deletions pkgs/by-name/de/dependabot-cli/update.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnugrep gnused jq gh nix-prefetch-docker nix gitMinimal

set -x -eu -o pipefail

cd $(dirname "${BASH_SOURCE[0]}")

NIXPKGS_PATH="$(git rev-parse --show-toplevel)"

temp_dir=$(mktemp -d)
trap 'rm -rf "$temp_dir"' EXIT

gh api repos/dependabot/cli/releases/latest > "$temp_dir/latest.json"

VERSION="$(jq -r .tag_name "$temp_dir/latest.json" | sed 's/^v//')"
OLD_VERSION="$(grep -m1 'version = "' ./package.nix | cut -d'"' -f2)"

if [ "$OLD_VERSION" = "$VERSION" ]; then
echo "dependabot is already up-to-date at $OLD_VERSION"
exit 0
fi

SHA256="$(nix-prefetch-url --quiet --unpack https://github.com/dependabot/cli/archive/refs/tags/v${VERSION}.tar.gz)"
HASH="$(nix hash convert --hash-algo sha256 --to sri "$SHA256")"

nix-prefetch-docker --json --quiet --final-image-name dependabot-update-job-proxy --final-image-tag "nixpkgs-dependabot-cli-$VERSION" ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy latest > "$temp_dir/dependabot-update-job-proxy.json"

nix-prefetch-docker --json --quiet --final-image-name dependabot-updater-github-actions --final-image-tag "nixpkgs-dependabot-cli-$VERSION" ghcr.io/dependabot/dependabot-updater-github-actions latest > "$temp_dir/dependabot-updater-github-actions.json"

setKV () {
sed -i "s,$1 = \"[^v].*\",$1 = \"${2:-}\"," ./package.nix
}

setKV version "${VERSION}"
setKV hash "${HASH}"
setKV updateJobProxy.imageDigest "$(jq -r .imageDigest "$temp_dir/dependabot-update-job-proxy.json")"
setKV updateJobProxy.hash "$(jq -r .hash "$temp_dir/dependabot-update-job-proxy.json")"
setKV updaterGitHubActions.imageDigest "$(jq -r .imageDigest "$temp_dir/dependabot-updater-github-actions.json")"
setKV updaterGitHubActions.hash "$(jq -r .hash "$temp_dir/dependabot-updater-github-actions.json")"

# We need to figure out the vendorHash for this new version, so we initially set it to `lib.fakeHash`
FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
setKV vendorHash "$FAKE_HASH"

set +e
VENDOR_HASH="$(nix-build --no-out-link --log-format internal-json -A dependabot-cli "$NIXPKGS_PATH" 2>&1 >/dev/null | grep "$FAKE_HASH" | grep -o "sha256-[^\\]*" | tail -1)"
set -e
setKV vendorHash "$VENDOR_HASH"
Loading