Automating Dependabot for Docker Compose

Keeping dependencies up to date is essential for security and maintainability—but manually managing updates across multiple docker-compose.yml files in a project can be tedious. In this post, I’ll show you a small Bash script I wrote to automate the generation of a dependabot.yml file. It scans your repo for all Docker Compose files and configures Dependabot to check them for updates daily. It’s lightweight, efficient, and ensures you never miss a patch. Let’s dive in. We will then automate updating dependabot.yml itself with GitHub Actions.

What is dependabot?

Dependabot is a built-in GitHub tool that automatically checks your project dependencies for updates. It can open pull requests when new versions of your dependencies are available - helping you stay secure and up to date with minimal effort. For Docker Compose projects, it monitors container image tags and notifies you when a newer version is published.

Create generate-dependabot.sh

In the top level of your directory, create a script file to generate dependabot.yml:

```bash
nano generate-dependabot.sh
```

Paste the following content into the file:

generate-dependabot.sh
```bash
#!/bin/bash

# Script to generate or update dependabot.yml based on docker-compose.yml files
# Usage: ./generate-dependabot.sh

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Function to print colored output
print_status() {
    echo -e "${BLUE}[INFO]${NC} $1"
}

print_success() {
    echo -e "${GREEN}[SUCCESS]${NC} $1"
}

print_warning() {
    echo -e "${YELLOW}[WARNING]${NC} $1"
}

print_error() {
    echo -e "${RED}[ERROR]${NC} $1"
}

print_status "Starting dependabot.yml generation..."

mkdir -p .github

tmpfile=$(mktemp)
trap 'rm -f "$tmpfile"' EXIT

# Header
cat > "$tmpfile" <<'YAML'
version: 2
updates:
  - package-ecosystem: "docker-compose"
    directories:
YAML

# Find and sort all docker-compose.yml directories.
# .git is pruned, and LC_ALL=C gives the same sort order on every machine,
# so re-running the script never produces a spurious diff.
print_status "Scanning for docker-compose.yml files..."

found_directories=0
while IFS= read -r file; do
    # "./stack/docker-compose.yml" -> "/stack"; a file at the repo root -> "/"
    dir=$(dirname "$file")
    dir=${dir#.}
    [ -n "$dir" ] || dir="/"
    print_status "Found compose file in: $dir"
    echo "      - \"$dir\"" >> "$tmpfile"
    found_directories=$((found_directories + 1))
done < <(find . -path ./.git -prune -o -name "docker-compose.yml" -type f -print | LC_ALL=C sort)

if [[ $found_directories -eq 0 ]]; then
    print_warning "No docker-compose.yml files found"
    exit 0
fi

# Append the schedule block
cat >> "$tmpfile" <<'YAML'
    schedule:
      interval: "daily"
YAML

# Install if changed. cp rather than mv, so the installed file does not
# inherit the 0600 mode mktemp gives the temporary file.
if ! [ -f .github/dependabot.yml ] || ! cmp -s "$tmpfile" .github/dependabot.yml; then
  cp "$tmpfile" .github/dependabot.yml
  print_success "Updated .github/dependabot.yml!"
  print_status "Found $found_directories directories with compose files"
else
  print_status "No changes to .github/dependabot.yml"
  print_status "Found $found_directories directories with compose files"
fi

print_success "Dependabot configuration generation completed!"
```

Make the script executable:

```bash
chmod +x generate-dependabot.sh
```

When you run the script using ./generate-dependabot.sh, it creates (or updates) the .github/dependabot.yml file with a list of all directories containing docker-compose.yml files, using "/" for a compose file at the repository root. Commit this file to your Git repository — Dependabot will then check the listed directories for updated Docker image tags on the configured schedule (daily in the script above) and open a pull request when it finds any.

You can change the interval to weekly or monthly if you prefer.
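As an added example (my own code, not the script from this post), here is the same scan as a reusable function, plus a drift check that fails when the committed config no longer matches the tree, which is what you would run as a CI gate. It covers the cases such a generator has to get right: a compose file at the repository root becomes "/", a directory is listed once even if it holds several compose files, the list is sorted under a fixed locale so re-runs are reproducible, and a tree with no compose files yields no config at all rather than an empty `directories` list. It assumes Dependabot's docker-compose ecosystem also picks up `docker-compose.yaml`, `compose.yml` and `compose.yaml` (drop those names if you only want `docker-compose.yml`), and that `.git`, `node_modules` and `vendor` never contain stacks you deploy.

```bash
#!/usr/bin/env bash
# Added example, not the post's script: generate the Dependabot config for a
# tree and check a committed copy for drift.
set -euo pipefail

# Print dependabot.yml content for the repo rooted at $1 with schedule $2
# (default "daily"). Returns 1 and prints nothing if no compose file exists.
generate_dependabot_config() {
    local root=${1%/} interval=${2:-daily} dirs dir
    # Assumption: Dependabot also reads the .yaml spelling and compose.y(a)ml.
    # .git, node_modules and vendor are pruned; LC_ALL=C fixes the sort order
    # and sort -u collapses a directory that holds several compose files.
    dirs=$(find "$root" \( -name .git -o -name node_modules -o -name vendor \) -prune -o \
                -type f \( -name docker-compose.yml -o -name docker-compose.yaml \
                           -o -name compose.yml -o -name compose.yaml \) -print0 \
           | while IFS= read -r -d '' file; do
                 file=${file#"$root"}     # "/svc/docker-compose.yml"
                 file=${file%/*}          # "/svc"; "" for a root-level file
                 printf '%s\n' "${file:-/}"
             done \
           | LC_ALL=C sort -u)
    [[ -n $dirs ]] || return 1
    printf 'version: 2\nupdates:\n  - package-ecosystem: "docker-compose"\n    directories:\n'
    while IFS= read -r dir; do
        printf '      - "%s"\n' "$dir"
    done <<< "$dirs"
    printf '    schedule:\n      interval: "%s"\n' "$interval"
}

# Return 0 when $root/.github/dependabot.yml matches what the tree generates
# now, 1 otherwise (the unified diff goes to stdout). Usable as a CI gate.
check_dependabot_drift() {
    local root=${1%/} interval=${2:-daily} fresh rc=0
    local committed="$root/.github/dependabot.yml"
    [[ -f $committed ]] || { echo "missing $committed" >&2; return 1; }
    fresh=$(mktemp)
    generate_dependabot_config "$root" "$interval" > "$fresh" || rc=1
    diff -u "$committed" "$fresh" || rc=1
    rm -f "$fresh"
    return "$rc"
}

# Usage:
#   generate_dependabot_config . daily > .github/dependabot.yml
#   check_dependabot_drift . daily || echo "dependabot.yml is stale"
```

In a workflow, a step that sources this file and runs `check_dependabot_drift . daily` fails the job as soon as someone adds a stack without regenerating the config, which is a stricter alternative to opening a fix-up pull request after the fact.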

GitHub Actions

To keep your dependabot.yml up to date automatically, we can use a GitHub Action. Instead of running the script by hand every time something changes, this workflow runs it on every push to the main (or master) branch and opens a pull request when the generated file differs from the committed one. Pushes that only touch .github/dependabot.yml are excluded, so merging the automated pull request does not trigger another run. It ensures your configuration always reflects the current state of your project - hands-free.

Create the workflow file

Create a file at .github/workflows/update-dependabot.yml:

update-dependabot.yml
```yaml
name: Update Dependabot Config

on:
  push:
    branches:
      - master
      - main
    # Ignore pushes that only touch the generated file, otherwise merging
    # the automated PR would trigger another run
    paths-ignore:
      - '.github/dependabot.yml'

  workflow_dispatch:

# Only what the job needs: push a branch and open the pull request
permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest

    steps:
      # Supply-chain hygiene: pin third-party actions to a full commit SHA
      # instead of a mutable tag if your organisation requires it
      - name: Checkout repo
        uses: actions/checkout@v4

      # The script must be committed with its executable bit set (chmod +x)
      - name: Generate dependabot.yml
        run: ./generate-dependabot.sh

      # No pull request is opened when the script produced no changes
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
        with:
          commit-message: "chore: update dependabot.yml [automated]"
          title: "Chore: Update dependabot.yml"
          body: |
            This PR was automatically generated by a GitHub Action to update the `.github/dependabot.yml` file.
          branch: "chore/update-dependabot-config"
          delete-branch: true
          labels: |
            dependencies
```

Make sure GitHub Actions has permission to create pull requests.

Go to Settings → Actions → General → Workflow permissions, select “Read and write permissions”, and tick “Allow GitHub Actions to create and approve pull requests”. Note that pull requests opened with the default GITHUB_TOKEN do not trigger other workflows, so if you want your CI checks to run on the automated pull request, pass a personal access token or GitHub App token to the action instead.

You can still manually update the dependabot.yml file at any time by running the script as described above. This is useful if you want to quickly regenerate the configuration without waiting for GitHub Actions to trigger. Just remember to commit the updated file so Dependabot can pick it up.

With this setup, you can keep your Docker Compose dependencies up to date effortlessly — and ensure your dependabot.yml file stays in sync as your project evolves. It’s a small automation that saves time, prevents surprises, and helps keep your stack secure. Happy automating! 🚀

If you’re interested in more GitHub Actions tips, check out my post on Automating Cloudflare Pages deployments with GitHub Actions.

Copyright Notice

Author: Sven van Ginkel

Link: https://svenvg.com/posts/automating-dependabot-for-docker-compose/

License: CC BY-NC-SA 4.0

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the source, use non-commercially, and maintain the same license.
