CodeCommit has the following advantages over GitHub:
- Use IAM Roles to manage access to your repos
- Easily integrate into services such as CodeBuild and CodePipeline
- No longer worry about properly storing GitHub credentials in AWS
- Leverage Amazon CodeGuru Reviewer
- More cost-effective than GitHub (GitHub: $4 per user, CodeCommit: $1 per active user)
However, you still want to leverage Dependabot for automated dependency updates.
- This repo is a fork of thegonch/dependabot-codecommit
- which is a fork of dependabot/dependabot-script
Why another fork?
- package as ruby gem
- separate CLI and SDK for separate use cases
- refactor code into a stateless Plain Old Ruby Object (PORO)
- replace optimist with the standard library OptionParser
- be able to specify AWS profile
- add detailed logging
- add CloudFormation template to provision IAM Policy and AWS CodeBuild server
- create cool graphic
- write informative and opinionated Hashnode blog post
You will need to provide a GitHub Personal Access Token with full repo access.
Even though your repo is hosted in CodeCommit, Dependabot is a GitHub service, so you need to authenticate via a GitHub account.
You will need to supply which package managers you want to scan:
- bundler (ruby)
- pip (python)
- npm_and_yarn (nodejs)
- maven (java)
- gradle (java)
- cargo (rust)
- hex (erlang)
- composer (php)
- nuget (.NET)
- dep (Golang)
- go_modules (Golang)
- elm (Elm)
- submodules (git?)
- docker
- terraform
- github_actions
Create a new policy called DependabotCodeCommitPolicy with the following permissions (update the Resource ARNs based on your requirements):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:ListPullRequests",
        "codecommit:BatchGetCommits",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetFile",
        "codecommit:GetFolder",
        "codecommit:GetPullRequest",
        "codecommit:GetRepository",
        "codecommit:CreateBranch",
        "codecommit:CreateCommit",
        "codecommit:CreatePullRequest"
      ],
      "Resource": [
        "arn:aws:codecommit:us-east-1:123456789012:myreponame"
      ]
    }
  ]
}
```
Attach this policy to the IAM users or CodeBuild roles that will run Dependabot.
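Before attaching the policy, it is worth checking that it stays scoped to exactly the CodeCommit actions and repository ARNs above. The following linter is an added example, not part of the gem: it flags actions outside the list the tool needs, wildcard or malformed resources, and the sample account id `123456789012` left unreplaced from the README (the `DependabotPolicyCheck` module name and the finding strings are this example's own).

```ruby
require 'json'

# Added example: lints a DependabotCodeCommitPolicy document for least privilege.
# Not part of dependabot-codecommit; the module name and messages are constructed here.
module DependabotPolicyCheck
  # The CodeCommit actions the README policy grants; anything else is over-privilege.
  ALLOWED_ACTIONS = %w[
    codecommit:ListPullRequests codecommit:BatchGetCommits codecommit:GetBranch
    codecommit:GetCommit codecommit:GetFile codecommit:GetFolder
    codecommit:GetPullRequest codecommit:GetRepository codecommit:CreateBranch
    codecommit:CreateCommit codecommit:CreatePullRequest
  ].freeze

  # Exactly one CodeCommit repository ARN: arn:aws:codecommit:<region>:<12-digit account>:<repo>
  REPO_ARN_RE = %r{\Aarn:aws:codecommit:[a-z0-9-]+:\d{12}:[\w.-]+\z}

  # The sample account id used in the README policy; it must be replaced before use.
  PLACEHOLDER_ACCOUNT = ':123456789012:'

  # Returns an array of finding strings; an empty array means the policy passes.
  def self.findings(policy_json)
    policy = JSON.parse(policy_json)
    findings = []
    Array(policy['Statement']).each_with_index do |stmt, i|
      next unless stmt['Effect'] == 'Allow'

      Array(stmt['Action']).each do |action|
        next if ALLOWED_ACTIONS.include?(action)
        findings << "statement #{i}: action #{action} is not required by Dependabot"
      end

      Array(stmt['Resource']).each do |arn|
        if arn.include?('*')
          findings << "statement #{i}: wildcard resource #{arn}"
        elsif !arn.match?(REPO_ARN_RE)
          findings << "statement #{i}: resource #{arn} is not a CodeCommit repository ARN"
        elsif arn.include?(PLACEHOLDER_ACCOUNT)
          findings << "statement #{i}: resource #{arn} still uses the README placeholder account id"
        end
      end
    end
    findings
  end
end
```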
You want to use aws-vault to secure your AWS Credentials in your local development environment.
```sh
gem install dependabot-codecommit
```
```sh
dependabot-codecommit \
  --repo-name my_code_commit \
  --base_path '/' \
  --branch main \
  --github_access_token my-github-personal-access-token \
  --aws_region us-east-1 \
  --package_managers bundler,npm_and_yarn \
  --logfile /tmp/dependabot.log \
  --profile default
```
```ruby
require 'dependabot-codecommit'

DependabotCodecommit::Runner.run({
  repo_name: 'my_codecommit_repo',
  base_path: '/',
  branch: 'main',
  github_access_token: 'my-github-personal-access-token',
  aws_profile: 'default',
  aws_region: 'us-east-1',
  package_managers: ['bundler', 'npm_and_yarn'],
  log_file: '/tmp/dependabot.log'
})
```
```sh
git clone git@github.com:teacherseat/dependabot-codecommit.git
cd dependabot-codecommit
bundle install
```
If you need to test the CLI locally, build and install the gem from the checkout:

```sh
gem build dependabot-codecommit.gemspec
gem install --local dependabot-codecommit-1.0.0.gem
```
The bash script dependabot_helpers.sh helps automate the installation of the Dependabot Native Helpers as described here.
It is currently designed to install all possible native helpers, which includes: Terraform, Python, Go (Dep & Modules), Elixir, PHP, JS.
This also helps preserve your existing environment variables, including your PATH.