
Support for Docker compose files

Open greysteil opened this issue 6 years ago • 37 comments

From @armin-joellenbeck on December 23, 2017 9:21

Knowing when new Docker images are published would be helpful when they are used in a Docker compose file too.

Just like #20, with the file docker-compose.yml instead of Dockerfile.

Copied from original issue: dependabot/feedback#66

greysteil avatar Apr 27 '18 15:04 greysteil

👍 for this, and should be relatively straightforward. A couple of things I want to get to first, but I'm definitely game for adding this to Dependabot at some point!

greysteil avatar Apr 27 '18 15:04 greysteil

Hi, this would be a really good addition. Is this still going to happen someday?

Thanks in advance

victorcerutti avatar May 27 '19 15:05 victorcerutti

I hope so, yes! This is another one that @hmarr owns on our side, but he's very busy scaling Dependabot up to 100m repos!

greysteil avatar May 28 '19 14:05 greysteil

@stalebot please leave this open - hoping it gets implemented

bkaid avatar Oct 23 '19 01:10 bkaid

Instead of just hardcoding the docker-compose.yml filename it should be possible to specify a file mask or explicit list of files to check within the project.

stefanb avatar Jul 17 '20 09:07 stefanb

I want this feature too

jimmyko avatar Jul 31 '20 22:07 jimmyko

Are there any plans to finish the feature similar to what Renovate has?

valentijnscholten avatar Sep 27 '20 15:09 valentijnscholten

Are there any plans to add this?

weapp avatar Oct 20 '20 11:10 weapp

Are there any plans to add this?

We don't have any plans to add support in the near future. Eventually we'd love to support it, but currently our team doesn't have any capacity to work on this or even properly review and maintain a community contribution for this

jurre avatar Oct 20 '20 12:10 jurre

This issue was created almost 3 years ago and there seems to be no progress so far, but Renovate may be a solution until it's finally available in dependabot.

Hopefully we may see support for docker-compose.yml files one day 🧐

jokay avatar Mar 13 '21 14:03 jokay

@jurre Any luck so far? 🙂

ulgens avatar Nov 25 '21 16:11 ulgens

@jurre Any luck so far? 🙂

Btw Renovate works perfectly for docker-compose.yml too 😉



jokay avatar Nov 28 '21 12:11 jokay

Renovate seems like a seriously powerful Dependabot alternative, though I wasn't thrilled with its self-hosted/GitHub Actions support, and I wanted to see how to do this with Dependabot directly.

This is possible through a workaround as Dependabot can update Dockerfiles.

To have Dependabot manage the images in a docker-compose configuration, simply:

  1. Create a new subdirectory in your repository where you'd like to manage these images. I will use docker/
  2. Create a Dockerfile for each of the services' images (use build instead of image in each service)
  3. Configure your .github/dependabot.yml to check for docker updates

Example

docker-compose.yml
---
version: '3'
services:
  pyvista:
    build:
      context: ./docker
      dockerfile: pyvista.Dockerfile
    ports:
      - 8080:8080

docker/pyvista.Dockerfile
---
FROM ghcr.io/pyvista/pyvista:v0.33.2

.github/dependabot.yml
---
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "docker"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"

Then, you will see Dependabot bump that image/service directly in the Dockerfile


Demo in https://github.com/banesullivan/test-actions/pull/15 and example in https://github.com/banesullivan/test-actions/tree/1c7b0d3eab0e1a3b1da88153d0427a9b9442a726

banesullivan avatar Mar 08 '22 20:03 banesullivan

This is possible through a workaround as Dependabot can update Dockerfiles.

I think the goal should be to update a docker-compose.yml file directly without having to create (and maintain) additional Dockerfiles.

Even if Dependabot can update Dockerfiles it still cannot update docker-compose.yml files as of now (and this is what this issue is about).

jokay avatar Mar 09 '22 23:03 jokay

Even if Dependabot can update Dockerfiles it still cannot update docker-compose.yml files as of now (and this is what this issue is about).

Exactly. I needed to have this working recently regardless of the state of this issue as it's clear in the thread above that this isn't changing anytime soon. Take my post above as merely a workaround with the current state of Dependabot for those who need something more immediately without switching to a different toolkit altogether.

I look forward to this one day being addressed in full.

banesullivan avatar Mar 10 '22 06:03 banesullivan

I think the goal should be to update a docker-compose.yml file directly without having to create (and maintain) additional Dockerfiles.

Even if Dependabot can update Dockerfiles it still cannot update docker-compose.yml files as of now (and this is what this issue is about).

+1. I just landed here after getting this exact issue working in Renovate.

kevinquillen avatar Jul 01 '22 21:07 kevinquillen

For the workaround, also note that you need to run a docker compose build before you are actually on the newer image. You can run a docker compose up --build as a fallback. But we actually use a docker compose run, which does not have the build flag.

AtzeDeVries avatar Oct 11 '22 13:10 AtzeDeVries

Would be awesome to have this feature.

I was wondering why it's not working, as it seems to be possible and it's very common.

punkratz312 avatar Apr 16 '23 14:04 punkratz312

To provide a little more clarity here, this is something I'd personally like to see us eventually support. However, Docker as an ecosystem is complicated because there's a lot of places that folks want us to bump docker images, see examples here:

  • https://github.com/dependabot/dependabot-core/issues/7189

Although we shipped support for bumping docker image tags in k8s config files, I personally feel that was a bit of a mistake--I've already seen places in the code where we have to guess "is it a k8s file?" and we don't always get that right... so before we add support for bumping docker image tags in more places, I'd much rather see us clean up how users can specify which type of language files they want us to bump docker images in.

So I think #7189 or a variant of it is what's needed to unblock this (as well as the other types of files users want to be able to bump docker image tags).

We know that the current config file schema has some limitations, and while nothing is currently planned, it is a topic we'd like to re-examine in the not too distant future.

jeffwidman avatar Apr 27 '23 19:04 jeffwidman

but aren't Docker Compose files supposed to conform to docker-compose(\..+)?\.ya?ml? Even if not everyone is using them that way, if at least the base standard for Docker Compose files is implemented that's at least something? Then any future work to ensure file targeting is configurable can simply build on what's already there, rather than excluding Compose files indefinitely until the nirvana can be reached.

webash avatar May 04 '23 12:05 webash

but aren't Docker Compose files supposed to conform to docker-compose(\..+)?\.ya?ml?

Not exactly. Since Compose v2, compose.yaml is preferred. Renovate uses (^|/)(?:docker-)?compose[^/]*\.ya?ml$.

But yes, this is pretty much how compose files can be found.

slagiewka avatar May 04 '23 13:05 slagiewka
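The two file patterns quoted in the exchange above, compared on a constructed list of repository paths (an added example, not code from Dependabot or Renovate). Applying the first pattern to the file name only is an assumption; the function and variable names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Pattern proposed in the thread; matched against the file name only (assumption).
STRICT = re.compile(r"docker-compose(\..+)?\.ya?ml")
# Pattern the thread attributes to Renovate; matched against the repo-relative path.
BROAD = re.compile(r"(^|/)(?:docker-)?compose[^/]*\.ya?ml$")

# Constructed sample of repository-relative paths.
SAMPLE_PATHS = [
    "docker-compose.yml",
    "deploy/docker-compose.prod.yml",
    "compose.yaml",                        # name preferred since Compose v2
    "services/api/compose.override.yaml",
    "compose-dev.yml",
    "docs/decompose.yml",                  # not a Compose file
    "docker-compose.yml.bak",              # backup copy
    "compose/app.yml",                     # directory named "compose"
]


def classify(paths):
    """Group paths by which of the two patterns would pick them up."""
    groups = {"both": [], "broad-only": [], "strict-only": [], "neither": []}
    for path in paths:
        strict = STRICT.fullmatch(PurePosixPath(path).name) is not None
        broad = BROAD.search(path) is not None
        if strict and broad:
            key = "both"
        elif broad:
            key = "broad-only"
        elif strict:
            key = "strict-only"
        else:
            key = "neither"
        groups[key].append(path)
    return groups


if __name__ == "__main__":
    for key, found in classify(SAMPLE_PATHS).items():
        print(f"{key:12} {found}")
```

Files in the "broad-only" group are the ones an updater using the narrower pattern would never scan, so the images they pin would not receive update pull requests.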

oh lord, not the 3 char file extension discussion again 🤣

dimisjim avatar May 04 '23 14:05 dimisjim

Just buy Renovate already, integrate and call it done people 🤣

ab77 avatar Oct 26 '23 18:10 ab77

I made this a few months ago as a workaround until it is supported by dependabot. https://github.com/sbe-arg/simple-compose-service-updates in case anyone is interested

sbe-arg avatar Oct 26 '23 19:10 sbe-arg

I made this a few months ago as a workaround until it is supported by dependabot. https://github.com/sbe-arg/simple-compose-service-updates in case anyone is interested

Looks interesting, but these two points sound too limiting: "compose files must be on your repo root" (complex projects often have several compose files in different dirs) and "requires full registry including default docker.io/…" (no one names images from the default registry this way in compose files, and requiring this won't work because people will forget to do this, because compose itself will work without this and only updates will be broken, which is much harder to notice).

powerman avatar Oct 27 '23 16:10 powerman

The compose file location is a very easy fix; no one has requested a path var or a full scan of yaml files in all subdirectories.

The registry names are harder, although for docker hub it can be mocked; other registries always have to be specified.

Open issues and I'll try to address them. That's the normal process for open sourcing.

sbe-arg avatar Oct 28 '23 01:10 sbe-arg
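The registry point discussed in the two comments above, as an added example (not code from any of the tools mentioned): a sketch of how short image names resolve to Docker Hub, so that equivalent spellings can be compared and images with an implied registry can be listed. The function names and sample image values are constructed for illustration.

```python
def normalize_image(ref):
    """Split a Compose `image:` value into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker reads the first component as a registry host only when it
    # contains "." or ":" or is exactly "localhost"; otherwise Docker Hub.
    explicit = bool(slash) and ("." in first or ":" in first or first == "localhost")
    registry, remainder = (first, rest) if explicit else ("docker.io", name)
    repo, colon, tag = remainder.rpartition(":")
    if not colon or "/" in tag:
        repo, tag = remainder, ""
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # official images live under library/
    if not tag and not digest:
        tag = "latest"  # Docker's default when neither tag nor digest is given
    return {"registry": registry, "repository": repo, "tag": tag,
            "digest": digest, "implicit_registry": not explicit}


def canonical(ref):
    """Fully qualified form, so equivalent spellings compare equal."""
    parts = normalize_image(ref)
    out = f"{parts['registry']}/{parts['repository']}"
    if parts["tag"]:
        out += ":" + parts["tag"]
    if parts["digest"]:
        out += "@" + parts["digest"]
    return out


def implicit_registry_images(images):
    """Images that a tool requiring an explicit registry would not handle."""
    return [i for i in images if normalize_image(i)["implicit_registry"]]


# Constructed sample of `image:` values as they might appear in a Compose file.
SAMPLE_IMAGES = [
    "nginx:1.25",
    "myorg/app",
    "docker.io/library/redis:7",
    "ghcr.io/pyvista/pyvista:v0.33.2",
    "localhost:5000/app:1",
]

if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(f"{image:34} -> {canonical(image)}")
    print("implied registry:", implicit_registry_images(SAMPLE_IMAGES))
```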

any update?

👍 for this, and should be relatively straightforward. A couple of things I want to get to first, but I'm definitely game for adding this to Dependabot at some point!

njfamirm avatar Dec 24 '23 09:12 njfamirm

What's up? Any temporary solution after 5 years?! 😢

alimd avatar Dec 24 '23 09:12 alimd

Any temporary solution

@AliMD, I recommend reading through all of the above comments for a few different workarounds. My comment above is, in my opinion, a fairly robust workaround: https://github.com/dependabot/dependabot-core/issues/390#issuecomment-1062170379

banesullivan avatar Dec 24 '23 20:12 banesullivan

Here's a pointer to the Renovate code that could jump-start a Developer in to making this work on Dependabot.

mountainash avatar Dec 25 '23 09:12 mountainash