diff --git a/Resources/public/img/docs/articles/dependabot-configure.png b/Resources/public/img/docs/articles/dependabot-configure.png index ac375dc2..795af13d 100644 Binary files a/Resources/public/img/docs/articles/dependabot-configure.png and b/Resources/public/img/docs/articles/dependabot-configure.png differ diff --git a/Resources/public/img/docs/articles/dependabot-insights.png b/Resources/public/img/docs/articles/dependabot-insights.png index 5ea34f4a..a9701f70 100644 Binary files a/Resources/public/img/docs/articles/dependabot-insights.png and b/Resources/public/img/docs/articles/dependabot-insights.png differ diff --git a/Resources/public/img/docs/articles/dependabot-jobs.png b/Resources/public/img/docs/articles/dependabot-jobs.png index 849aa9de..5ad48075 100644 Binary files a/Resources/public/img/docs/articles/dependabot-jobs.png and b/Resources/public/img/docs/articles/dependabot-jobs.png differ diff --git a/Resources/public/img/docs/articles/dependabot-secret.png b/Resources/public/img/docs/articles/dependabot-secret.png index ad346c79..8e69fb55 100644 Binary files a/Resources/public/img/docs/articles/dependabot-secret.png and b/Resources/public/img/docs/articles/dependabot-secret.png differ diff --git a/docs/dependabot-for-private-packagist.md b/docs/dependabot-for-private-packagist.md index 68631fde..3b949141 100644 --- a/docs/dependabot-for-private-packagist.md +++ b/docs/dependabot-for-private-packagist.md 
@@ -1,19 +1,20 @@ -# Set up dependabot with Private Packagist +# Set up Dependabot with Private Packagist ## -[Dependabot](https://dependabot.com) is a security feature from GitHub, that analyses security issues in one of your dependencies. The bot may create Pull Requests to update those dependencies automatically. +[Dependabot](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide) informs you about vulnerabilities in the dependencies that you use in your repository and can automatically raise pull requests to keep your dependencies up-to-date. + +This guide explains how to configure and set up Dependabot if you want to use it for packages hosted on [Private Packagist](https://packagist.com) step by step. -You can use Dependabot to update your private packages hosted on packagist.com in your composer.lock file via Pull Requests as well. This guide explains how to configure and set up Dependabot if you want to use it with Private Packagist step by step. ## Enable Dependabot in GitHub -Start in your GitHub repository and go to “Settings”. In the “Security” section of the sidebar go to “Code security and analysis”, where you can enable Dependabot. In the process, you will create a dependabot.yaml that should look like below. [Refer to this guide on GitHub, for the complete steps](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide#enabling-dependabot-for-your-repository) +Start in your GitHub repository and go to “Settings”. In the “Security” section of the sidebar go to “Code security and analysis”, where you can enable Dependabot. In the process, you will create a dependabot.yaml [as shown as below](#dependabotyaml). Follow [this guide on GitHub](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide#enabling-dependabot-for-your-repository) for the complete steps to enable Dependabot. 
![enable dependabot](/Resources/public/img/docs/articles/dependabot-secret.png) -When you click on configure, the dependabot.yaml will be created for you (it will be placed in a folder .github). +When you click on configure, the dependabot.yaml will be created for you in the .github folder. -## dependabot.yaml +### dependabot.yaml A minimal Dependabot config file would look like this: @@ -36,7 +37,7 @@ registries: Replace the Composer URL `https://repo.packagist.com/acme/` with your own organization's Composer URL on packagist.com. In the example, the repository URL is for the organization on Private Packagist Cloud with the name `acme`. -To grant Dependabot access to the packages on Private Packagist, we need to provide the secret `PRIVATE_PACKAGIST_PASSWORD` in your GitHub repository. In Settings under the section “Security,” there is “Secrets and Variables” for Dependabot. +To grant Dependabot access to the packages on Private Packagist, you need to provide the secret `PRIVATE_PACKAGIST_PASSWORD` in your GitHub repository. In Settings under the section “Security,” there is “Secrets and Variables” for Dependabot. ![Dependabot Secrets](/Resources/public/img/docs/articles/dependabot-secret.png) @@ -52,6 +53,6 @@ There is a link “Recent update jobs”, that will show the last jobs from Depe ![Dependabot Jobs](/Resources/public/img/docs/articles/dependabot-jobs.png) -- Make sure, that the secret name, matches the one that you referenced in dependabot.yaml +- Make sure the secret name matches the one that you referenced in dependabot.yaml - Check if the token from Private Packagist is still valid and has not expired. -- the names under `updates[x].registries` must match a key for credentials in `registries` on the top level of the dependabot.yaml +- Make sure the names under `updates[x].registries` are matching a key for credentials in `registries` on the top level of the [dependabot.yaml](#dependabotyaml).
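Review bot: the added line `In the process, you will create a dependabot.yaml [as shown as below](#dependabotyaml)` in the first hunk (`@@ -1,19 +1,20 @@`) has a doubled word; it should read `as shown below`. In the same hunk the screenshot captioned `enable dependabot` points at `/Resources/public/img/docs/articles/dependabot-secret.png`, the same file the `Dependabot Secrets` image in the next hunk uses, while the `dependabot-configure.png` updated in this commit is not referenced anywhere in the visible lines; check whether the first image should reference `dependabot-configure.png` instead. The new `#dependabotyaml` anchor also depends on the `### dependabot.yaml` heading keeping exactly that text, so keep the two in sync if the heading is renamed.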
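Review bot: the rewritten sentence in the second hunk (`@@ -36,7 +37,7 @@`), `To grant Dependabot access to the packages on Private Packagist, you need to provide the secret PRIVATE_PACKAGIST_PASSWORD`, still does not say what value the secret should hold; the troubleshooting list in the last hunk refers to `the token from Private Packagist`, so state here that the secret's value is that token and where it is obtained. The sentence `there is “Secrets and Variables” for Dependabot` would also be clearer as an explicit instruction to add the secret under the Dependabot tab of Secrets and Variables rather than the Actions tab, since that is the distinction the troubleshooting bullets rely on.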
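Review bot: in the last hunk (`@@ -52,6 +53,6 @@`), `Make sure the names under updates[x].registries are matching a key` should read `match a key`, consistent with the first bullet's `Make sure the secret name matches`. The three bullets also end inconsistently, the first without a period and the other two with one; pick one style. Since the second bullet asks the reader to check that the token `is still valid and has not expired`, a pointer back to the secret set-up in the previous section (where the token value is entered) would make the fix actionable.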