|
| 1 | +# Dependabot CLI — Copilot Instructions |
| 2 | + |
| 3 | +## Architecture Overview |
| 4 | + |
| 5 | +This is the **Dependabot CLI** (`dependabot`), a Go tool that orchestrates Dependabot update jobs via Docker containers. It does **not** perform dependency resolution itself — it coordinates three containers: |
| 6 | + |
| 7 | +1. **Proxy** (`ghcr.io/dependabot/proxy`) — intercepts all updater network traffic, injects credentials without exposing them to the updater, and optionally caches requests. |
| 8 | +2. **Updater** (`ghcr.io/dependabot/dependabot-updater-<ecosystem>`) — runs the actual dependency update logic (from [dependabot-core](https://github.com/dependabot/dependabot-core)). |
| 9 | +3. **Fake API server** (`internal/server/api.go`) — a local HTTP server that captures updater API calls (create PR, close PR, etc.) for output or test assertion. |
| 10 | + |
| 11 | +Data flow: CLI parses input → starts proxy + updater containers on isolated Docker networks → updater calls back to the fake API → CLI collects results as YAML. |
| 12 | + |
| 13 | +## Project Layout |
| 14 | + |
| 15 | +- `cmd/dependabot/` — entrypoint (`main`), delegates to `internal/cmd/` |
| 16 | +- `cmd/dependabot/internal/cmd/` — Cobra commands: `update`, `test`, `graph`, `version`, plus `root.go` for shared flags |
| 17 | +- `internal/infra/` — Docker container orchestration: `run.go` (main flow), `updater.go`, `proxy.go`, `network.go`, `config.go` |
| 18 | +- `internal/model/` — data types for jobs, credentials, smoke tests, API payloads. Shared across all packages. |
| 19 | +- `internal/server/` — fake API server (`api.go`) and secure input server (`input.go`) |
| 20 | +- `testdata/` — YAML fixtures and `scripts/*.txt` for scripttest-based integration tests |
| 21 | + |
| 22 | +## Key Conventions |
| 23 | + |
| 24 | +### YAML/JSON Model Tags |
| 25 | + |
| 26 | +Models use **kebab-case** YAML tags (`yaml:"package-manager"`) and matching JSON tags. When adding new fields: |
| 27 | + |
| 28 | +- Add `omitempty` initially to maintain backward compatibility with existing smoke tests |
| 29 | +- See the comment block at the top of `internal/model/job.go` for the full add/remove lifecycle |
| 30 | + |
| 31 | +### Command Pattern |
| 32 | + |
| 33 | +Each subcommand (`update`, `test`, `graph`) follows the same pattern: |
| 34 | + |
| 35 | +- Define a `NewXCommand() *cobra.Command` constructor |
| 36 | +- Call `infra.Run(infra.RunParams{...})` with appropriate parameters |
| 37 | +- Register via `init()` with `rootCmd.AddCommand()` |
| 38 | +- The `update` and `graph` commands share `extractInput()` and `processInput()` from `update.go` |
| 39 | + |
| 40 | +### Credentials Handling |
| 41 | + |
| 42 | +- `$`-prefixed values in YAML input are expanded from environment variables at runtime |
| 43 | +- `LOCAL_GITHUB_ACCESS_TOKEN` and `LOCAL_AZURE_ACCESS_TOKEN` are auto-injected into credentials when set |
| 44 | +- Credentials are **never** passed directly to the updater; they go through the proxy which injects them into outbound requests |
| 45 | +- `checkCredAccess()` in `run.go` blocks tokens with write access to GitHub API for security |
| 46 | + |
| 47 | +### Container Networking |
| 48 | + |
| 49 | +Two Docker bridge networks are created per run (`network.go`): |
| 50 | + |
| 51 | +- **no-internet** (internal) — updater can only reach the proxy |
| 52 | +- **internet** — proxy can reach external services |
| 53 | + |
| 54 | +The updater is connected only to no-internet; the proxy bridges both. |
| 55 | + |
| 56 | +## Build & Test |
| 57 | + |
| 58 | +```bash |
| 59 | +# Build |
| 60 | +go build ./cmd/dependabot |
| 61 | + |
| 62 | +# Run all unit tests |
| 63 | +go test ./... |
| 64 | + |
| 65 | +# Run script-based integration tests (require Docker) |
| 66 | +go test ./cmd/dependabot/ -count=1 |
| 67 | + |
| 68 | +# Run a specific script test by name pattern |
| 69 | +script/e2e <pattern> |
| 70 | + |
| 71 | +# Install from source |
| 72 | +go install github.com/dependabot/cli/cmd/dependabot@latest |
| 73 | +``` |
| 74 | + |
| 75 | +### Script Tests (`testdata/scripts/*.txt`) |
| 76 | + |
| 77 | +These use Go's `rsc.io/script` framework (see `cmd/dependabot/dependabot_test.go`). Each `.txt` file: |
| 78 | + |
| 79 | +- Builds a dummy Docker image inline (via `-- Dockerfile --` sections) |
| 80 | +- Runs `dependabot` commands and asserts on stdout/stderr |
| 81 | +- Uses `!` prefix for expected-failure commands |
| 82 | + |
| 83 | +### Test Mocking Pattern |
| 84 | + |
| 85 | +The `test` command uses a package-level `var executeTestJob = infra.Run` that tests override to capture `RunParams` without running Docker (see `test_test.go`). |
| 86 | + |
| 87 | +## Smoke Tests |
| 88 | + |
| 89 | +Smoke tests (`model.SmokeTest`) define **input + expected output** for reproducible update jobs: |
| 90 | + |
| 91 | +- `input:` — job definition + credentials |
| 92 | +- `output:` — array of expected API calls (`create_pull_request`, `update_dependency_list`, etc.) |
| 93 | +- Generate with: `dependabot update <pm> <repo> -o smoke-test.yml` |
| 94 | +- Run with: `dependabot test -f smoke-test.yml --cache ./tmp/cache` |
| 95 | +- The test runner auto-generates `ignore-conditions` to pin dependency versions for reproducibility |
| 96 | + |
| 97 | +## Package Manager Ecosystem Mapping |
| 98 | + |
| 99 | +The `packageManagerLookup` map in `internal/infra/run.go` maps package manager names (e.g., `go_modules`) to updater image suffixes (e.g., `gomod`). When adding ecosystem support, update this map. |
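Review bot: the Container Networking section (line 51) says the updater "can only reach the proxy", but the Architecture Overview data flow (line 11) has the updater calling back to the fake API server, and nothing states whether those callbacks traverse the proxy or whether the fake API is attached to the no-internet network; since this is the isolation boundary that keeps credentials out of the updater, add one sentence saying how the updater reaches the fake API (e.g. "the fake API server is reachable from the updater via the proxy" or "is also attached to no-internet"). Two smaller points: in Build & Test, `go test ./...` is labelled "Run all unit tests" while `go test ./cmd/dependabot/ -count=1` is labelled as the Docker-requiring integration tests, yet `./...` already includes `./cmd/dependabot/`, so either the first label should note that it also runs the script tests (and needs Docker) or the command should exclude that package; and in Credentials Handling, "`checkCredAccess()` in `run.go` blocks tokens with write access to GitHub API" does not say what the check inspects (scopes, permissions) or whether it fails closed when the lookup itself fails, which is exactly what a contributor editing that function needs to preserve.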