{"id":51444891,"url":"https://github.com/andoniaf/dependabot-devbox","last_synced_at":"2026-07-05T15:01:27.702Z","repository":{"id":368206038,"uuid":"1283920598","full_name":"andoniaf/dependabot-devbox","owner":"andoniaf","description":"Dependabot support for Devbox (devbox.json) package version updates","archived":false,"fork":false,"pushed_at":"2026-06-29T14:26:24.000Z","size":34,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-29T14:31:09.578Z","etag":null,"topics":["dependabot","devbox","github-actions","nixpkgs"],"latest_commit_sha":null,"homepage":"https://github.com/andoniaf/dependabot-devbox","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andoniaf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-29T11:04:25.000Z","updated_at":"2026-06-29T14:29:27.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/andoniaf/dependabot-devbox","commit_stats":null,"previous_names":["andoniaf/dependabot-devbox"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/andoniaf/dependabot-devbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andoniaf%2Fdependabot-devbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andoniaf%2Fdependabot-devbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andoniaf%2Fdependabot-devbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andoniaf%2Fdependabot-devbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andoniaf","download_url":"https://codeload.github.com/andoniaf/dependabot-devbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andoniaf%2Fdependabot-devbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35158308,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-05T02:00:06.290Z","response_time":100,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependabot","devbox","github-actions","nixpkgs"],"created_at":"2026-07-05T15:01:26.263Z","updated_at":"2026-07-05T15:01:27.659Z","avatar_url":"https://github.com/andoniaf.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dependabot-devbox\n\nAutomatically update [Devbox](https://www.jetify.com/devbox) package versions and open PRs — just like Dependabot, but for `devbox.json`.\n\nThis is a standalone implementation of devbox ecosystem support built on top of `dependabot-common`. It exists while [official support is pending](https://github.com/dependabot/dependabot-core/pull/15440) in upstream dependabot-core. When that PR merges, you can switch to the native Dependabot experience.\n\n## Quickstart\n\nAdd a workflow to your repo:\n\n```yaml\n# .github/workflows/devbox-updates.yml\nname: Devbox dependency updates\n\non:\n  schedule:\n    - cron: \"0 8 * * 1\"  # every Monday at 08:00 UTC\n  workflow_dispatch:\n\njobs:\n  update:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: andoniaf/dependabot-devbox@v0\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\nThat's it. On each run it will:\n1. Parse your `devbox.json`\n2. Check Nixhub for newer versions of each package\n3. Open a separate PR for every package that can be updated\n\n## Inputs\n\n| Input | Required | Default | Description |\n|---|---|---|---|\n| `github-token` | yes | — | Token used to open PRs (`secrets.GITHUB_TOKEN` works) |\n| `directory` | no | `/` | Path to the directory containing `devbox.json` |\n| `base-branch` | no | repo default | Branch to open PRs against |\n| `gem-version` | no | latest | Pin a specific `dependabot-devbox` gem version |\n\n## Multiple directories\n\nRun the action once per directory:\n\n```yaml\nstrategy:\n  matrix:\n    directory: [\"/\", \"/services/api\", \"/services/worker\"]\nsteps:\n  - uses: actions/checkout@v4\n  - uses: andoniaf/dependabot-devbox@v0\n    with:\n      github-token: ${{ secrets.GITHUB_TOKEN }}\n      directory: ${{ matrix.directory }}\n```\n\n## Using the gem directly\n\n```ruby\ngem \"dependabot-devbox\"\n```\n\n```ruby\nrequire \"dependabot/devbox\"\n\n# The gem registers all the standard Dependabot classes:\n# Dependabot::FileFetchers.for_package_manager(\"devbox\")\n# Dependabot::FileParsers.for_package_manager(\"devbox\")\n# Dependabot::UpdateCheckers.for_package_manager(\"devbox\")\n# Dependabot::FileUpdaters.for_package_manager(\"devbox\")\n```\n\nOr run the bundled script directly:\n\n```sh\nGITHUB_REPOSITORY=owner/repo \\\nGITHUB_ACCESS_TOKEN=ghp_... \\\ndependabot-devbox-update\n```\n\n## How it works\n\n- **FileFetcher** — fetches `devbox.json` (and `devbox.lock` if present) from GitHub\n- **FileParser** — parses `name@constraint` package entries (supports JSONC with comments/trailing commas)\n- **UpdateChecker** — queries [Nixhub](https://search.devbox.sh) for available versions, respects constraint precision (`3.10` → minor-pinned, `3.10.15` → exact-pinned, `latest` → lockfile-only)\n- **FileUpdater** — rewrites the manifest and regenerates the lockfile via `devbox update --no-install`\n\n## Relationship to upstream\n\nThis gem tracks `dependabot-common ~\u003e 0.383`. When dependabot-core cuts a new release, a patch version of this gem will update the pin. The implementation is kept in sync with the upstream PR.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandoniaf%2Fdependabot-devbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandoniaf%2Fdependabot-devbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandoniaf%2Fdependabot-devbox/lists"}