Azure DevOps Extension
Complete guide for using, troubleshooting, and developing the Azure DevOps extension.
The Azure DevOps extension allows you to run Dependabot updates directly in your Azure Pipelines. This runs Dependabot in your pipeline agents using Docker containers.
Installation
Install the extension from the Visual Studio Marketplace.
Quick Start
Create a pipeline with the dependabot@2 task:
```yaml
trigger: none # Disable CI trigger

schedules:
  - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
    always: true # Run even when there are no code changes
    branches:
      include:
        - main
    batch: true
    displayName: Weekly Dependabot

pool:
  vmImage: 'ubuntu-latest' # Requires macOS or Ubuntu (Windows is not supported)

steps:
  - task: dependabot@2
    inputs:
      mergeStrategy: 'squash'
```
Requirements
The task requires:
- Docker with Linux containers
Microsoft-hosted agents like ubuntu-latest include all requirements.
Configuration File
Create a dependabot.yml file at .github/dependabot.yml or .azuredevops/dependabot.yml:
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
```
See Configuration for all options.
Task Parameters
Basic Parameters
| Input | Description | Default |
|---|---|---|
| dryRun | Test logic without creating/updating PRs | false |
| setAutoComplete | Enable auto-complete on created PRs | false |
| mergeStrategy | Merge strategy: squash, rebase, merge | squash |
| autoApprove | Automatically approve created PRs | false |
Authentication Parameters
| Input | Description |
|---|---|
| azureDevOpsServiceConnection | Service connection for Azure DevOps access |
| azureDevOpsAccessToken | PAT for Azure DevOps (alternative to service connection) |
| gitHubConnection | GitHub service connection for rate limiting/security advisories |
| gitHubAccessToken | GitHub PAT (alternative to GitHub connection) |
Required permissions for Azure DevOps PAT:
- Code (Full)
- Pull Requests Threads (Read & Write)
Customization Parameters
| Input | Description | Default |
|---|---|---|
| authorEmail | Email for commit author | noreply@github.com |
| authorName | Name for commit author | dependabot[bot] |
| autoCompleteIgnoreConfigIds | Policy IDs to ignore for auto-complete | - |
| autoApproveUserToken | PAT for auto-approval (different user) | - |
Advanced Parameters
| Input | Description |
|---|---|
| targetProjectName | Target project (for multi-project pipelines) |
| targetRepositoryName | Target repository (for multi-repo pipelines) |
| targetUpdateIds | Semicolon-separated update IDs to run |
| experiments | Comma-separated Dependabot experiments |
| dependabotUpdaterImage | Custom updater Docker image |
| dependabotCliApiListeningPort | Fixed port for Dependabot CLI API |
Examples
Auto-Complete with Squash Merge
```yaml
- task: dependabot@2
  inputs:
    setAutoComplete: true
    mergeStrategy: 'squash'
    autoCompleteIgnoreConfigIds: '1,2' # Ignore optional policies
```
Auto-Approve with Different User
```yaml
variables:
  APPROVER_PAT: $(ApproverPersonalAccessToken)

steps:
  - task: dependabot@2
    inputs:
      autoApprove: true
      autoApproveUserToken: $(APPROVER_PAT)
```
Using Service Connection
```yaml
- task: dependabot@2
  inputs:
    azureDevOpsServiceConnection: 'my-service-connection'
    gitHubConnection: 'github-connection'
```
Security-Only Updates
```yaml
# dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0 # Security-only
```
```yaml
# Pipeline
- task: dependabot@2
  inputs:
    gitHubAccessToken: $(GITHUB_TOKEN) # Required for security advisories
```
Multi-Repository Pipeline
```yaml
steps:
  - task: dependabot@2
    displayName: 'Update repo-1'
    inputs:
      targetProjectName: 'my-project'
      targetRepositoryName: 'repo-1'

  - task: dependabot@2
    displayName: 'Update repo-2'
    inputs:
      targetProjectName: 'my-project'
      targetRepositoryName: 'repo-2'
```
Custom Experiments
```yaml
- task: dependabot@2
  inputs:
    experiments: 'tidy=true,vendor=true,goprivate=*'
```
See Experiments for usage patterns.
Scheduling
Since the schedule in dependabot.yml is not used (required for schema conformity only), use Azure Pipelines scheduled triggers:
```yaml
schedules:
  # Daily at 2 AM UTC
  - cron: '0 2 * * *'
    displayName: Daily Dependabot
    branches:
      include:
        - main
    always: true

  # Weekly on Monday at 8 AM UTC
  - cron: '0 8 * * 1'
    displayName: Weekly Dependabot
    branches:
      include:
        - develop
    always: true
```
Troubleshooting issues
Dependabot logs more diagnostic information when verbose logs are enabled, i.e. when the System.Debug variable is set to true.
When sharing pipeline logs, be aware that the task log contains potentially sensitive information such as your DevOps organization name, project names, repository names, private package feed URLs, the list of used dependency names/versions, and the contents of any dependency files that are updated (e.g. package.json, *.csproj, etc). The Flame Graph report does not contain any sensitive information about your DevOps environment.
To mask environment secrets from the task log, set the System.Secrets variable to true in your pipeline.
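One way to scrub a task log before sharing it, added here as an example and not part of the extension: it learns organization, project, repository and feed names from Azure DevOps URLs in the log and replaces them everywhere with stable placeholders. The sample log lines and the function names are constructed for illustration; dependency names and dependency file contents are not covered and still need a manual review.

```python
import re

# URL shapes that expose Azure DevOps names; each named group becomes a placeholder kind.
URL_PATTERNS = [
    re.compile(r"https://dev\.azure\.com/(?P<org>[\w.-]+)/(?P<project>[\w.%-]+)/_git/(?P<repo>[\w.%-]+)"),
    re.compile(r"https://pkgs\.dev\.azure\.com/(?P<org>[\w.-]+)/(?:(?P<project>[\w.%-]+)/)?_packaging/(?P<feed>[\w.%-]+)"),
    re.compile(r"https://(?P<org>[\w-]+)\.visualstudio\.com\b"),
]

# Constructed sample lines, not real task output.
SAMPLE_LOG = """\
Fetching repository https://dev.azure.com/contoso/Payments/_git/payments-api
Using registry https://pkgs.dev.azure.com/contoso/_packaging/internal-npm/npm/registry/
Updating payments-api: lodash 4.17.20 -> 4.17.21
Created pull request in project Payments
"""

def collect_names(log_text):
    """Map each name found in a known URL position to a stable placeholder."""
    names, counters = {}, {}
    for pattern in URL_PATTERNS:
        for match in pattern.finditer(log_text):
            for kind, value in match.groupdict().items():
                if value and value not in names:
                    counters[kind] = counters.get(kind, 0) + 1
                    names[value] = f"<{kind}-{counters[kind]}>"
    return names

def redact(log_text):
    """Replace learned names wherever they occur as whole tokens, longest first."""
    names = collect_names(log_text)
    for value in sorted(names, key=len, reverse=True):
        # Lookarounds prevent partial matches and protect inserted placeholders.
        token = rf"(?<![\w-]){re.escape(value)}(?![\w-])"
        log_text = re.sub(token, names[value], log_text)
    return log_text, names

if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE_LOG)
    print(redacted)
```

Keep the returned mapping private: it lets you translate a maintainer's reply about `<repo-1>` back to the real name without ever publishing it.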