Dependabot doesn't directly support Clojure projects, but it is possible to send the dependencies list to Dependabot through GitHub Submission API.
This GitHub Action looks for all project.clj and deps.edn in the repository and sends the list of dependencies (both primary dependencies and transitive dependencies) to Dependabot. If enabled, it can open pull-requests to update packages.
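To make the mechanism concrete, here is an added illustration (not the Action's own code, which is written in Clojure/Babashka) of the two steps the paragraph above describes: reading the dependency coordinates out of a deps.edn file and shaping them into the snapshot document that the GitHub Dependency Submission API accepts (POST /repos/{owner}/{repo}/dependency-graph/snapshots). The deps.edn content, the commit SHA, the ref and the detector/job names are constructed; the EDN parser covers only the subset needed for :deps maps; and the rule that git coordinates are skipped and Maven coordinates become pkg:maven package URLs is an assumption of this example.

```python
"""Turn a deps.edn file into a GitHub Dependency Submission API snapshot.

Added example; not part of the clojure-dependabot Action. The EDN reader
handles maps, vectors, lists, strings, keywords, symbols, integers,
true/false/nil and ';' comments, which is enough for a :deps map. Tagged
literals (#inst, #_ discard, ...) are not supported.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample deps.edn (not from any real repository).
SAMPLE_DEPS_EDN = """
{:paths ["src"]
 :deps {org.clojure/clojure {:mvn/version "1.11.1"}   ; direct dep
        cheshire/cheshire {:mvn/version "5.12.0"}
        io.github.some/lib {:git/url "https://example.invalid/lib" :git/sha "abc123"}}
 :aliases {:test {:extra-deps {lambdaisland/kaocha {:mvn/version "1.87.1366"}}}}}
"""

# Comments, strings, delimiters, then bare atoms. Commas are whitespace in EDN.
_TOKEN = re.compile(r';[^\n]*|"(?:\\.|[^"\\])*"|[\[\]{}()]|[^\s\[\]{}()",;]+')


def _parse_seq(tokens, i, close):
    items = []
    while tokens[i] != close:
        item, i = _parse(tokens, i)
        items.append(item)
    return items, i + 1


def _parse(tokens, i):
    tok = tokens[i]
    if tok == "{":
        items, i = _parse_seq(tokens, i + 1, "}")
        if len(items) % 2:
            raise ValueError("map literal with an odd number of forms")
        return dict(zip(items[0::2], items[1::2])), i
    if tok in ("[", "("):
        return _parse_seq(tokens, i + 1, "]" if tok == "[" else ")")
    if tok[0] == '"':
        return json.loads(tok), i + 1  # EDN string escapes used here are JSON-compatible
    if tok in ("true", "false"):
        return tok == "true", i + 1
    if tok == "nil":
        return None, i + 1
    if re.fullmatch(r"-?\d+", tok):
        return int(tok), i + 1
    return tok, i + 1  # keywords (":deps") and symbols ("org.clojure/clojure") stay as strings


def parse_edn(text):
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith(";")]
    value, i = _parse(tokens, 0)
    if i != len(tokens):
        raise ValueError("trailing forms after the top-level value")
    return value


def purl_for(lib, coord):
    """Map a coordinate to a package URL. Only Maven coordinates are mapped;
    git coordinates return None (constructed rule for this example)."""
    if ":mvn/version" not in coord:
        return None
    group, _, artifact = lib.partition("/")
    artifact = artifact or group  # unqualified lib name means group == artifact
    return f"pkg:maven/{group}/{artifact}@{coord[':mvn/version']}"


def collect_deps(deps_edn):
    """Direct dependencies from :deps plus :extra-deps of every alias."""
    found = dict(deps_edn.get(":deps", {}))
    for alias in deps_edn.get(":aliases", {}).values():
        found.update(alias.get(":extra-deps", {}))
    return found


def build_snapshot(deps_edn, path, sha, ref, job_id, scanned=None):
    """Build the JSON body for POST /repos/{owner}/{repo}/dependency-graph/snapshots."""
    resolved = {}
    for lib, coord in collect_deps(deps_edn).items():
        purl = purl_for(lib, coord)
        if purl is None:
            continue
        resolved[lib] = {"package_url": purl, "relationship": "direct", "dependencies": []}
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"correlator": "deps-edn-example", "id": job_id},  # constructed names
        "detector": {"name": "deps-edn-example", "version": "0.0.1", "url": "https://example.invalid"},
        "scanned": scanned or datetime.now(timezone.utc).isoformat(),
        "manifests": {path: {"name": path, "file": {"source_location": path}, "resolved": resolved}},
    }


if __name__ == "__main__":
    snapshot = build_snapshot(parse_edn(SAMPLE_DEPS_EDN), "deps.edn",
                              "0" * 40, "refs/heads/main", "1")  # constructed sha/ref/job id
    print(json.dumps(snapshot, indent=2))
```

The printed document is the payload a workflow would send with the GitHub CLI (for example `gh api` with the repository's snapshot endpoint and the GitHub token); nothing here performs that call. A real submission also needs the transitive closure, which this example leaves as an empty `dependencies` list per package.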
Maintainers: ☁️ Pitch Cloud Engineering Team (https://www.pitch.com)
The Action requires the following environment variables to run the maven-dependency-submission-action CLI and the GitHub CLI, which it uses to list GitHub Security Alerts (GHSA) and to open pull requests for dependency updates. Both a Personal Access Token (PAT) and the GitHub token (github.token) are required: the PAT is needed because, for security reasons, the GitHub token cannot be used to list security alerts ("Granting access to security alerts"), and the Action cannot open pull requests as github-actions (bot) unless it uses the GitHub token.
- GITHUB_PAT: GitHub Personal Access Token to run the GitHub CLI (recommended privileges: repo:all)
- GITHUB_TOKEN: github.token
- GITHUB_REPOSITORY: github.repository
- GITHUB_REF: github.ref
- GITHUB_SHA: github.sha
- GITHUB_WORKSPACE: github.workspace
```yaml
name: Dependabot for Clojure
on:
  workflow_dispatch:
env:
  GITHUB_PAT: ${{ secrets.PAT }}
  GITHUB_TOKEN: ${{ github.token }}
  GITHUB_REPOSITORY: ${{ github.repository }}
  GITHUB_REF: ${{ github.ref }}
  GITHUB_SHA: ${{ github.sha }}
  GITHUB_WORKSPACE: ${{ github.workspace }}
jobs:
  dependabot:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Dependabot for Clojure
        uses: pitch-io/clojure-dependabot@main
        with:
          labels: "third-party,bug"
          reviewers: "luigigubello"
          directory: "foo/bar"
```
See actions.yml for more details on each option.
This project is configured to use asdf to manage its environment.
You can run the code in the production Docker container with ./scripts/docker.sh or locally with ./scripts/local.sh.
You will need to set environment variables for these scripts to run.
You can look at the source code, or run them and they will raise errors and tell you what variables to set.
NOTE: Running these scripts will communicate with the GitHub API and will manage tickets and PRs. If this is not desirable, you will need to set up a dummy repo to test against.
Test your changes by running:
bb test:bb
If you find a security vulnerability, please report it privately at [email protected].