DEV Community

Richard Spindler
Richard Spindler

Posted on

How to keep a Dockerfile updated with Dependabot

Dependabot used to be a separate service that scanned your github repository for outdated dependencies in 3rd party packages and libraries.

This service was acquired by Github and is now integrated into the platform.

It is a free service, and a great way to keep your projects dependencies up to date.

Dependabot will automatically create a pull request to your project to bump any outdated dependencies to the latest version.

As an example project I am using a simple "Hello World" style PHP script that runs in the standard PHP Docker image. And Dependabot will bring the outdated PHP version up to date with.

To verify that the application is compatible with the updated version of PHP a Github actions workflow will run the code with the Dockerfile.

So here is what you will learn:

  1. Create a Dockerfile and hello.php as the application
  2. Create a Github Actions workflow to run the above code in Docker
  3. Enable Dependabot for Docker


This is the simplest Dockerfile for running a PHP script. The current stable version of PHP is 8.0.7 but I am using a slightly outdated version number. I want to see Dependabot taking action on this outdated version.

FROM php:8.0.0
Enter fullscreen mode Exit fullscreen mode

Note: Rather than using a specific version I could use the Docker tag latest to always have the latest version. But this is considered a bad practice.

Before upgrading to the latest version of a dependency, you must run your applications tests.

Without a specific version in the Dockerfile you cannot run an automated test suite before the upgrade.


This Hello World will not actually print the string "Hello World", but instead the current PHP version number. Therefore the logs of the actions workflow show if the PHP version has been updated correctly and that the correct Dockerfile was used.

echo phpversion();
Enter fullscreen mode Exit fullscreen mode


This is a very basic actions workflow that runs on the main branch and also on any pull requests that are made for the main branch.

Github recently updated the default branch name from master to using main. So if you have an older repository, you must change this example to work with the old convention.

name: PHP CI
    branches: [ main ]
    branches: [ main ]
    runs-on: ubuntu-latest
    - uses: actions/checkout@v2
    - name: Build docker images
      run: docker build -t local - < Dockerfile
    - name: Run tests
      run: docker run -t -v $PWD:/srv -w/srv local php hello.php
Enter fullscreen mode Exit fullscreen mode

This builds the Dockerfile and runs the code in hello.php inside that image.


To enable Dependabot you must go to "Insights" on your repository main page.

The setting for Dependabot is hidden under "Dependency Graph":

Screenshot of Dependabot Settings

You can use the default configuration file that is suggested by Github. Just add "docker" to "package-ecosystem", Dependabot will find your Dockerfile automatically.

For me the dependabot.yml looks like this:

version: 2
  - package-ecosystem: "docker"
    directory: "/"
      interval: "daily"
Enter fullscreen mode Exit fullscreen mode

Waiting for a pull request

Now Dependabot is set up and ready to go. It will check your Dockerfile daily, and creates a pull request to upgrade to the latest stable release of PHP.

And the pull request is verified by the Github actions workflow that I created above.

For me the diff from the commit by the Dependabot looks like this:

Screenshot of commit for Dockerfile upgrade

Learning more

Keeping your dependencies up to date is a best practice for software engineering.

If you like this article: I am writing a book about best practices for legacy code projects:

Leading a Legacy Software Team

Top comments (0)