@paklo/cli
# Paklo CLI
A powerful CLI tool for running Dependabot updates against Azure DevOps repositories from anywhere - your local machine, CI/CD pipelines, or any environment with Docker support.
## Why Paklo?
GitHub's hosted Dependabot service only runs against GitHub repositories, so Azure DevOps repositories need a different approach to dependency updates. Paklo bridges this gap by providing:
- **Local Development** - Test dependency updates on your machine before deploying
- **CI/CD Integration** - Run updates in your existing pipelines with full control
- **Anywhere Execution** - No dependency on specific hosting environments
- **Full Compatibility** - Aims to be at feature parity with GitHub's hosted Dependabot
- **Azure DevOps Native** - Built specifically for Azure DevOps repositories and workflows
## Installation
**Requirements:** Node.js 22 or later and Docker
```bash
# Install globally
npm install -g @paklo/cli
# Or use with npx
npx @paklo/cli --help
```
## Quick Start
```bash
# Validate your dependabot.yml configuration
paklo validate --organisation-url https://dev.azure.com/my-org --project my-project --repository my-repo --git-token <TOKEN>
# Run dependency updates locally
paklo run --organisation-url https://dev.azure.com/my-org --project my-project --repository my-repo --git-token <TOKEN>
# Clean up Docker resources
paklo cleanup
```
## Commands
### `validate`
Validates your Dependabot configuration file against a repository.
```bash
paklo validate --organisation-url <ORGANISATION-URL> --project <PROJECT> --repository <REPOSITORY> --git-token <TOKEN>
```
**Options:**
- `--organisation-url <ORGANISATION-URL>` - Azure DevOps organization URL (e.g., `https://dev.azure.com/my-org`) (required)
- `--project <PROJECT>` - Project name or ID (required)
- `--repository <REPOSITORY>` - Repository name or ID (required)
- `--git-token <TOKEN>` - Git access token (required). Prefer passing it from an environment variable (`--git-token "$GIT_TOKEN"`) rather than typing the token into the command, so it does not end up in your shell history
### `run`
Executes Dependabot updates locally with full control over the process.
```bash
paklo run --organisation-url <ORGANISATION-URL> --project <PROJECT> --repository <REPOSITORY> [options]
```
**Key Options:**
- `--organisation-url <ORGANISATION-URL>` - Azure DevOps organization URL (e.g., `https://dev.azure.com/my-org`) (required)
- `--project <PROJECT>` - Project name or ID (required)
- `--repository <REPOSITORY>` - Repository name or ID (required)
- `--git-token <TOKEN>` - Git access token (required)
- `--github-token <TOKEN>` - GitHub token to avoid rate limiting
- `--out-dir <DIR>` - Working directory (default: `work`)
- `--auto-approve` - Automatically approve the pull requests that are created (together with `--set-auto-complete` this lets dependency updates merge with no human review, so enable it only where your branch policies and CI checks give the assurance you rely on)
- `--set-auto-complete` - Mark PRs to auto-complete once the branch policies are met
- `--merge-strategy <STRATEGY>` - Merge strategy: `squash`, `rebase`, or `merge`
- `--author-name <NAME>` - Git author name
- `--author-email <EMAIL>` - Git author email
- `--experiments <LIST>` - Comma-separated experiments to enable
- `--updater-image <IMAGE>` - Custom updater Docker image
- `--dry-run` - Run without making changes
- `--debug` - Enable debug logging
**Example:**
```bash
paklo run --organisation-url https://dev.azure.com/contoso \
  --project contoso-project \
  --repository web-app \
  --git-token $GIT_TOKEN \
  --github-token $GITHUB_TOKEN \
  --auto-approve \
  --set-auto-complete \
  --merge-strategy squash \
  --experiments "record_ecosystem_versions,separate_major_minor_updates"
```
### `cleanup`
Removes old Docker images and containers used by Dependabot.
```bash
paklo cleanup
```
## Configuration
Paklo works with standard `dependabot.yml` files. Place your configuration at `.github/dependabot.yml` in your repository.
**Example configuration:**
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    reviewers:
      - "my-team"
    assignees:
      - "dependabot-assignee"
```
When your `dependabot.yml` contains variable placeholders (like `$NPM_TOKEN`), Paklo will prompt you to provide values during execution or read them from environment variables.
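An interactive prompt for a missing placeholder value is of no use in a non-interactive CI job, so it pays to check the environment before invoking Paklo. The following pre-flight script is an added example, not part of Paklo or the dependabot-azure-devops project: it scans a `dependabot.yml` for `$NAME` placeholders (the syntax shown above; `${NAME}` is assumed not to be used) and lists the ones that are not set in the environment. The function names are my own, and the sample configuration it writes is constructed for the demonstration; the second registry (`private-nuget`, with separate username and password placeholders) is an assumption added to show that more than one placeholder per file is handled.

```shell
#!/bin/sh
# Added example (not Paklo's own code): fail fast when a dependabot.yml
# placeholder has no value in the environment, instead of letting a CI job
# sit on an interactive prompt.
# Assumption: placeholders are written as $NAME, as in the README's $NPM_TOKEN.

# Print the unique placeholder names found in a dependabot.yml ($NAME -> NAME).
list_placeholders() {
  grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | sed 's/^\$//' | sort -u
}

# Print every placeholder name that is not set in the environment.
# Returns 1 if any is missing, 0 otherwise. Names are restricted to
# [A-Za-z0-9_] by list_placeholders, so the eval below cannot run anything else.
missing_placeholders() {
  status=0
  for name in $(list_placeholders "$1"); do
    if eval "[ -z \"\${$name+set}\" ]"; then
      echo "$name"
      status=1
    fi
  done
  return $status
}

# Constructed sample configuration for the demonstration: the README's
# private-npm registry plus an assumed private-nuget registry that needs two values.
write_sample_config() {
  cat > "$1" <<'EOF'
version: 2
registries:
  private-npm:
    type: npm-registry
    url: https://npm.example.com
    token: $NPM_TOKEN
  private-nuget:
    type: nuget-feed
    url: https://pkgs.example.com/nuget/v3/index.json
    username: $NUGET_USER
    password: $NUGET_PASSWORD
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - private-npm
    schedule:
      interval: "weekly"
EOF
}

# Usage as a pre-flight step in a pipeline, before `paklo run ...`:
#   missing_placeholders .github/dependabot.yml \
#     || { echo "set the variables listed above as secret variables"; exit 1; }
```

In a pipeline, run `missing_placeholders` against your real `.github/dependabot.yml` as the step before `paklo run`; the variables it reports are the ones to define as secret variables in the pipeline rather than in the repository.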
### Private Registries
Configure private registries in your `dependabot.yml`:
```yaml
version: 2
registries:
  private-npm:
    type: npm-registry
    url: https://npm.example.com
    token: $NPM_TOKEN
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - private-npm
    schedule:
      interval: "weekly"
```
## Advanced Usage
### Custom Experiments
Enable Dependabot experiments to test new features:
```bash
paklo run ... --experiments "record_ecosystem_versions,separate_major_minor_updates"
```
### Custom Updater Images
Use a specific Dependabot updater image; `{ecosystem}` in the image name stands for the package ecosystem being updated. Pin a fixed tag or digest rather than `latest` when you need runs that are reproducible and reviewable:
```bash
paklo run ... --updater-image "ghcr.io/dependabot/dependabot-updater-{ecosystem}:latest"
```
### Targeting Specific Updates
Run only specific update configurations:
```bash
paklo run ... --target-update-ids 1,3,5
```
### Security Advisories
Provide a custom security advisories file:
```bash
paklo run ... --security-advisories-file ./advisories.json
```
## Ecosystem Support
Paklo aims to maintain feature parity with GitHub's hosted Dependabot service, supporting all available package ecosystems including npm, NuGet, Maven, Bundler, pip, Composer, Go modules, Cargo, Docker, GitHub Actions, Terraform, and more.
## Troubleshooting
### Common Issues
**Rate limiting:** Use `--github-token` to avoid GitHub API rate limits.
**Docker issues:** Run `paklo cleanup` to remove old containers and images.
**Authentication:** Ensure your git token has appropriate permissions for the repository: `validate` only needs to read it, while `run` must also push branches and create or update pull requests. Scope the token to that repository rather than using a full-access token.
**Network issues:** Check that your environment can access both Azure DevOps and external package registries.
### Debug Mode
Enable detailed logging:
```bash
paklo run ... --debug
```
## Integration
### CI/CD Pipelines
Paklo can be integrated into CI/CD pipelines for testing dependency updates. The example below uses the job's `$(System.AccessToken)`, which is sufficient for `validate`; for `run`, the pipeline's build service identity also needs permission to contribute to the repository and to its pull requests, or you can pass a dedicated token from a secret variable instead:
```yaml
# Azure Pipelines example
- script: |
    npm install -g @paklo/cli
    paklo validate --organisation-url $(System.TeamFoundationCollectionUri) --project $(System.TeamProject) --repository $(Build.Repository.Name) --git-token $(System.AccessToken)
  displayName: 'Validate Dependabot Config'
```
### Docker
Run Paklo in a containerized environment. Note that `paklo run` still needs a Docker daemon to start the updater containers; if you provide one by mounting the host's Docker socket into this container, that mount gives the container root-equivalent access to the host, so only do it on infrastructure you would trust with that:
```dockerfile
FROM node:22-alpine
RUN npm install -g @paklo/cli
WORKDIR /app
CMD ["paklo", "--help"]
```
## Contributing, License & Support
For contributing guidelines, license information, bug reports, and support:
**Visit the main project repository:** [dependabot-azure-devops](https://github.com/mburumaxwell/dependabot-azure-devops)