Azure DevOps Extension
Complete guide for using, troubleshooting, and developing the Azure DevOps extension.
The Azure DevOps extension allows you to run Dependabot updates directly in your Azure Pipelines. This runs Dependabot in your pipeline agents using Docker containers.
Installation
Install the extension from the Visual Studio Marketplace.
Quick Start
Create a pipeline with the dependabot@2 task:
trigger: none # Disable CI trigger
schedules:
- cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
always: true # Run even when there are no code changes
branches:
include:
- main
batch: true
displayName: Weekly Dependabot
pool:
vmImage: 'ubuntu-latest' # Requires macOS or Ubuntu (Windows is not supported)
steps:
- task: dependabot@2
inputs:
mergeStrategy: 'squash'Requirements
The task requires:
Microsoft-hosted agents like ubuntu-latest include all requirements.
For private or self-hosted agents, ensure Node.js 24 is available. You can use the UseNode@1 task to install the required Node.js version:
pool:
name: 'MyPrivateAgentPool'
steps:
- task: UseNode@1
displayName: 'Install Node.js 24'
inputs:
version: '24.x'
- task: dependabot@2Configuration File
Create a dependabot.yml file at .github/dependabot.yml or .azuredevops/dependabot.yml:
version: 2
updates:
- package-ecosystem: 'npm'
directory: '/'
schedule:
interval: 'weekly'See Configuration for all options.
Task Parameters
Basic Parameters
| Input | Description | Default |
|---|---|---|
dryRun | Test logic without creating/updating PRs | false |
setAutoComplete | Enable auto-complete on created PRs | false |
mergeStrategy | Merge strategy: squash, rebase, merge | squash |
autoApprove | Automatically approve created PRs | false |
Authentication Parameters
| Input | Description |
|---|---|
azureDevOpsServiceConnection | Service connection for Azure DevOps access |
azureDevOpsAccessToken | PAT for Azure DevOps (alternative to service connection) |
gitHubConnection | GitHub service connection for rate limiting/security advisories |
gitHubAccessToken | GitHub PAT (alternative to GitHub connection) |
Required permissions for Azure DevOps PAT:
- Code (Full)
- Pull Requests Threads (Read & Write)
- Identity (Read) if you want to assign optional reviewers to PR's.
Customization Parameters
| Input | Description | Default |
|---|---|---|
authorEmail | Email for commit author | noreply@github.com |
authorName | Name for commit author | dependabot[bot] |
autoCompleteIgnoreConfigIds | Policy IDs to ignore for auto-complete | - |
autoApproveUserToken | PAT for auto-approval (different user) | - |
Advanced Parameters
| Input | Description |
|---|---|
targetProjectName | Target project (for multi-project pipelines) |
targetRepositoryName | Target repository (for multi-repo pipelines) |
targetUpdateIds | Semicolon-separated update IDs to run |
experiments | Comma-separated Dependabot experiments |
dependabotUpdaterImage | Custom updater Docker image |
dependabotCliApiListeningPort | Fixed port for Dependabot CLI API |
Examples
Auto-Complete with Squash Merge
- task: dependabot@2
inputs:
setAutoComplete: true
mergeStrategy: 'squash'
autoCompleteIgnoreConfigIds: '1,2' # Ignore optional policiesAuto-Approve with Different User
variables:
APPROVER_PAT: $(ApproverPersonalAccessToken)
steps:
- task: dependabot@2
inputs:
autoApprove: true
autoApproveUserToken: $(APPROVER_PAT)Using Service Connection
- task: dependabot@2
inputs:
azureDevOpsServiceConnection: 'my-service-connection'
gitHubConnection: 'github-connection'Security-Only Updates
# dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 0 # Security-only
# Pipeline
- task: dependabot@2
inputs:
gitHubAccessToken: $(GITHUB_TOKEN) # Required for security advisoriesMulti-Repository Pipeline
steps:
- task: dependabot@2
displayName: 'Update repo-1'
inputs:
targetProjectName: 'my-project'
targetRepositoryName: 'repo-1'
- task: dependabot@2
displayName: 'Update repo-2'
inputs:
targetProjectName: 'my-project'
targetRepositoryName: 'repo-2'Custom Experiments
- task: dependabot@2
inputs:
experiments: 'tidy=true,vendor=true,goprivate=*'See Experiments for usage patterns.
Fetch Metadata Task
Use DependabotFetchMetadata@1 in a pull request validation pipeline to read metadata from a pull request created by the main dependabot@2 task.
steps:
- task: DependabotFetchMetadata@1
name: metadata
condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
- script: |
echo "Dependencies: $(metadata.dependencyNames)"
echo "Package ecosystem: $(metadata.packageEcosystem)"
echo "Update type: $(metadata.updateType)"
condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))The task requires System.PullRequest.PullRequestId, so it fails when it is not running in the context of a pull request. If the pipeline can also run for non-PR reasons, guard the task with eq(variables['Build.Reason'], 'PullRequest'). Authentication uses the current SystemVssConnection by default, or the optional azureDevOpsServiceConnection / azureDevOpsAccessToken inputs.
Fetch Metadata Parameters
| Input | Description |
|---|---|
azureDevOpsServiceConnection | Service connection for Azure DevOps access. Use this when you want a different identity from the current build service identity. |
azureDevOpsAccessToken | PAT for Azure DevOps access. Use this in place of azureDevOpsServiceConnection when a service connection is not available. |
Fetch Metadata Outputs
| Output | Description |
|---|---|
dependencyNames | A comma-separated list of all package names updated. |
dependencyType | The dependency type, when known. |
updateType | The highest semver change being made by this PR, when known. |
updatedDependenciesJson | A JSON string containing information about each updated dependency. |
directory | The directory for the first updated dependency. |
packageEcosystem | The package ecosystem for this updated dependency. |
targetBranch | The pull request target branch. |
previousVersion | The previous version for the first updated dependency, when known. |
newVersion | The new version for the first updated dependency. |
compatibilityScore | The compatibility score, when known. |
maintainerChanges | Whether the pull request body contains Maintainer changes. |
dependencyGroup | The dependency group that the PR is associated with. |
ghsaId | The GHSA ID, when known. |
cvss | The CVSS value, when known. |
Scheduling
Since the schedule in dependabot.yml is not used (required for schema conformity only), use Azure Pipelines scheduled triggers:
schedules:
# Daily at 2 AM UTC
- cron: '0 2 * * *'
displayName: Daily Dependabot
branches:
include:
- main
always: true
# Weekly on Monday at 8 AM UTC
- cron: '0 8 * * 1'
displayName: Weekly Dependabot
branches:
include:
- develop
always: trueTroubleshooting issues
Dependabot will log more diagnostic information when verbose logs are enabled; i.e. System.Debug variable is set to true.
When sharing pipeline logs, please be aware that the task log contains potentially sensitive information such as your DevOps organization name, project names, repository names, private package feeds URLs, list of used dependency names/versions, and the contents of any dependency files that are updated (e.g. package.json, *.csproj, etc). The Flame Graph report does not contain any sensitive information about your DevOps environment.
To mask environment secrets from the task log, set the System.Secrets variable to true in your pipeline.
How is this guide?
Last updated on