Depfu for GitLab
If you’re using GitLab and were wondering if automated dependency updates could work for your team or project, I have good news for you: Depfu fully supports GitLab now!
Here are the details:
If you’re using gitlab.com
If you’re using any of the SaaS plans from GitLab, free or paid, you can now use Depfu by simply signing up, connecting your GitLab account and selecting which repos you want it to run on. Our login and signup lets you choose between GitLab and GitHub, like you’re used to from other services.
Unfortunately, similar to GitHub before they released GitHub Apps, the API permissions and scopes on GitLab are not as granular as we would like them to be for our use case. Here is what happens when you sign up with GitLab:
- You’re signing up with your personal user account. We don’t use your personal credentials for anything other than enabling and disabling the repos you want Depfu to run on. Otherwise all of Depfu’s activity would show up as coming from you, which is super confusing and also ruins notifications for you.
- You can activate Depfu on all repos where you have “Maintainer” permissions. When activating a repo, we add our bot-user account to that repo with “Developer” permissions. That means we can interact with the API to create branches and merge requests.
- We also install a webhook on that repo which reports a few events back to us. This way we can keep track of changes to your dependencies and you can interact with our merge requests using the @depfu bot commands.
- If you disable a repo, we uninstall the webhook and remove the bot-user.
We didn’t find a way to do this with fewer permissions, but we (and many others) gave our feedback to GitLab and hope they will come up with a better system in the future. If you have any ideas or concerns about this, take a look at our security page or get in touch. We’re happy to discuss it in detail.
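To check that a repo ends up in the state described above (bot user at “Developer”, one webhook, both gone after disabling), the following added example audits member and hook lists shaped like GitLab's `GET /projects/:id/members` and `GET /projects/:id/hooks` responses. It is not Depfu's code: the bot username `depfu` is assumed from the @depfu bot commands, `hooks.example` is a placeholder webhook host, and the TLS check is an extra not described on this page.

```python
from urllib.parse import urlparse

# GitLab access_level value for the "Developer" role.
DEVELOPER = 30
BOT_USERNAME = "depfu"       # assumption, taken from the @depfu bot commands
HOOK_HOST = "hooks.example"  # placeholder: the page does not name the webhook URL


def audit_project(members, hooks, enabled):
    """Return a list of findings for one project.

    members / hooks are lists shaped like the responses of
    GET /projects/:id/members and GET /projects/:id/hooks.
    enabled says whether the repo is supposed to be active in Depfu.
    """
    findings = []
    bot = [m for m in members if m["username"] == BOT_USERNAME]
    bot_hooks = [h for h in hooks if urlparse(h["url"]).hostname == HOOK_HOST]

    if not enabled:
        # Disabling a repo should remove both the bot user and the webhook.
        if bot:
            findings.append("bot user still present on disabled repo")
        if bot_hooks:
            findings.append("webhook still present on disabled repo")
        return findings

    if not bot:
        findings.append("bot user missing")
    elif bot[0]["access_level"] != DEVELOPER:
        findings.append(f"bot access_level {bot[0]['access_level']}, expected {DEVELOPER}")
    if not bot_hooks:
        findings.append("webhook missing")
    for hook in bot_hooks:
        # Extra check, not described on the page: deliveries should use verified TLS.
        if urlparse(hook["url"]).scheme != "https" or not hook.get("enable_ssl_verification"):
            findings.append("webhook not delivered over verified TLS")
    return findings


# Constructed sample data, not real API output.
MEMBERS_OK = [{"username": "alice", "access_level": 40},
              {"username": "depfu", "access_level": 30}]
MEMBERS_OVER = [{"username": "depfu", "access_level": 40}]
HOOKS_OK = [{"url": "https://hooks.example/gitlab", "enable_ssl_verification": True}]

if __name__ == "__main__":
    print(audit_project(MEMBERS_OK, HOOKS_OK, enabled=True))
    print(audit_project(MEMBERS_OVER, HOOKS_OK, enabled=True))
```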
If you’re running your own GitLab instance
We have been supporting GitLab on-premises deployments for a few months now with Depfu Enterprise, and several customers are using it very successfully. With Depfu Enterprise you’re running your own instance of Depfu in your data center or cloud, which connects exclusively to your self-managed GitLab instance. Your source code never leaves your premises and you can still benefit from using Depfu fully.
If you’re not interested in running Depfu yourself, but still want to use it with your self-managed GitLab instance, please get in touch. We might add support for that soon.
Free for open source and personal repos
Like with GitHub, Depfu is free for all your open source repos and private repos in your personal account, which is a great way to get started and try out Depfu.