Dependabot Demo - NestJS Application

This project demonstrates how Dependabot can manage dependencies beyond just npm packages, including GitHub Actions, Docker images, and Kubernetes manifests.

What is Dependabot Monitoring?

This repository is configured to have Dependabot automatically monitor and update:

1. npm Dependencies 📦

• Package dependencies in package.json
• Dependabot will create PRs when new versions are available
• Example: @nestjs/core, @nestjs/platform-express, rxjs, etc.

2. GitHub Actions 🔄

• GitHub Actions versions in .github/workflows/ci-cd.yaml
• Monitors actions like:
  • actions/checkout@v4
  • actions/setup-node@v4
  • docker/setup-buildx-action@v3
  • docker/login-action@v3
  • docker/metadata-action@v5
  • docker/build-push-action@v5
  • azure/setup-kubectl@v3

3. Docker Base Images 🐳

• Base images in Dockerfile
• Monitors: node:20-alpine
• Dependabot will suggest updates when new Node.js versions or security patches are available

4. Kubernetes Manifests ☸️

• While Dependabot doesn't directly update Kubernetes YAML values, it monitors the Docker images referenced
• Located in k8s/deployment.yaml and k8s/service.yaml

5. DevContainer 🛠️

• Development container configuration in .devcontainer/
• Monitors base images in .devcontainer/Dockerfile
• Base image: node:20-bullseye
• Includes development tools: kubectl, Docker CLI, NestJS CLI
• Provides consistent development environment across all contributors

Project Structure

.
├── .devcontainer/
│   ├── Dockerfile               # Development container image
│   ├── devcontainer.json        # VS Code devcontainer config
│   └── README.md                # Devcontainer documentation
├── .github/
│   ├── dependabot.yml          # Dependabot configuration
│   └── workflows/
│       └── ci-cd.yaml           # GitHub Actions pipeline
├── k8s/
│   ├── deployment.yaml          # Kubernetes deployment manifest
│   └── service.yaml             # Kubernetes service manifest
├── slides/
│   ├── slides.md                # Slidev presentation (Norwegian)
│   └── exports/                 # Exported PDF presentations
├── src/
│   ├── app.controller.ts
│   ├── app.module.ts
│   ├── app.service.ts
│   └── main.ts
├── Dockerfile                   # Multi-stage Docker build
├── .dockerignore
└── package.json

Dependabot Configuration

The .github/dependabot.yml file configures four package ecosystems:

version: 2
updates:
  - package-ecosystem: "npm"            # npm dependencies with grouping
  - package-ecosystem: "github-actions" # GitHub Actions versions
  - package-ecosystem: "docker"         # Docker base images (main app)
  - package-ecosystem: "docker"         # Docker base images (devcontainer)

Key Features:

• Package Grouping: Related npm packages grouped together (NestJS, testing, TypeScript)
• Multiple Directories: Separate Docker monitoring for app and devcontainer
• Daily Updates: All ecosystems checked daily
• Custom Labels: PRs automatically labeled by ecosystem

How to Use This Demo

0. Using DevContainer (Recommended)

The easiest way to get started is using the devcontainer:

In VS Code:

# Install "Dev Containers" extension
# Open this project in VS Code
# Click "Reopen in Container" when prompted
# Everything is configured automatically!

In GitHub Codespaces:

# Click "Code" → "Codespaces" → "New codespace"
# Your environment is ready in seconds

1. Local Development

# Install dependencies
npm install

# Run in development mode
npm run start:dev

# Run tests
npm run test

# Run e2e tests
npm run test:e2e

2. Docker Build

# Build the Docker image
docker build -t nestjs-app:latest .

# Run the container
docker run -p 3000:3000 nestjs-app:latest

3. Kubernetes Deployment

# Apply Kubernetes manifests
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml

# Check deployment status
kubectl rollout status deployment/nestjs-app

# Get service information
kubectl get service nestjs-app-service

4. CI/CD Pipeline

The GitHub Actions workflow (.github/workflows/ci-cd.yaml) includes:

• Test Job: Linting, unit tests, and e2e tests
• Build Job: Docker image build and push
• Deploy Job: Kubernetes deployment (on main branch)

5. View Presentation

A Norwegian presentation about Dependabot is included using Slidev:

# Run the presentation in your browser
npm run slides

# Build static version
npm run slides:build

# Export to PDF (requires Playwright)
npm run slides:export

The presentation covers:

• Slide 1: What is Dependabot?
• Slide 2: How Dependabot helps developers

Automatic PDF Export: When slides/slides.md is updated on the main branch, a GitHub Actions workflow automatically exports the presentation to PDF and saves it in the slides/exports/ folder.

Dependabot in Action

Once this repository is pushed to GitHub, Dependabot will:

1. Scan weekly for updates (configured in dependabot.yml)
2. Create pull requests when updates are found
3. Label PRs appropriately (e.g., dependencies, npm, docker, github-actions)
4. Group related updates when possible
5. Run CI checks on the PRs automatically

Example PRs Dependabot Might Create:

• "Bump @nestjs/core from 10.0.0 to 10.1.0"
• "Bump actions/checkout from 4.0.0 to 4.1.0"
• "Bump node from 20-alpine to 21-alpine in Dockerfile"

Benefits

• Security: Automatically update dependencies with security vulnerabilities
• Maintenance: Keep dependencies up-to-date without manual effort
• Consistency: Standardized update process across npm, Docker, and GitHub Actions
• Visibility: PRs provide clear changelog and release notes

Setup for Your Own Repository

1. Copy .github/dependabot.yml to your repository
2. Customize the schedule, labels, and open-pull-requests-limit as needed
3. Push to GitHub - Dependabot will start automatically!

Resources

• Dependabot Documentation
• NestJS Documentation
• GitHub Actions Documentation
• Kubernetes Documentation

License

MIT