Aviationexam.DependencyUpdater

A command-line tool for automating dependency updates in projects using Git repositories and NuGet feeds. Supports multiple repository platforms including Azure DevOps and GitHub.

For GitHub users: Use the GitHub Action for the easiest setup experience.

Features

• Updates dependencies in a local Git repository based on Dependabot configuration files
• Supports multiple repository platforms (Azure DevOps, GitHub)
• Supports Azure DevOps Git and NuGet artifact feeds with upstream ingestion
• Handles authentication for private repositories and feeds
• Platform-agnostic package management for NuGet
• Available as a GitHub Action for seamless CI/CD integration

Installation

GitHub Action (Recommended)

The easiest way to use this tool in GitHub repositories is via the GitHub Action:

1. Create a configuration file at .github/updater.yml or .github/dependabot.yml
2. Create a workflow file at .github/workflows/dependency-updates.yml:

name: Dependency Updates

on:
  schedule:
    - cron: '0 8 * * 1'  # Every Monday at 8am UTC
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  update-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aviationexam/Aviationexam.DependencyUpdater@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

See the GitHub Action documentation for detailed configuration options and examples.

.NET Global Tool

This project is also distributed as a .NET tool. To install it globally, run:

dotnet tool install --global Aviationexam.DependencyUpdater

Or to update to the latest version:

dotnet tool update --global Aviationexam.DependencyUpdater

Nightly builds

You can install the latest nightly build from the Feedz.io feed:

dotnet tool install --global Aviationexam.DependencyUpdater --prerelease --add-source https://f.feedz.io/aviationexam/dependency-updater/nuget/index.json

Usage

Azure DevOps

Run the tool from your terminal using the AzureDevOps subcommand:

dotnet dependency-updater  \
  --directory "/path/to/repo" \
  --git-username "<git-username>" \
  --git-password "<git-password-or-token>" \
  AzureDevOps \
  --organization "<azure-devops-org>" \
  --project <project-id> \
  --repository <repository-id> \
  --pat "<azure-devops-pat>" \
  --account-id <account-id> \
  --nuget-project <nuget-project-id> \
  --nuget-feed-id <nuget-feed-id> \
  --nuget-service-host '<service-host>' \
  --access-token-resource-id 499b84ac-1321-427f-aa17-267ca6975798 \
  --az-side-car-address '<az-side-car-url>' \
  --az-side-car-token '<az-side-car-token>' \
  --reset-cache

GitHub

Run the tool from your terminal using the GitHub subcommand:

dotnet dependency-updater \
  --directory "/path/to/repo" \
  --git-username "<git-username>" \
  --git-password "<git-password-or-token>" \
  GitHub \
  --owner "<owner>" \
  --repository "<repo>" \
  --token "<github-token>"

Required GitHub PAT Scopes:

• repo - Full control of private repositories

Arguments

Common Arguments

Available for all platform subcommands:

Argument	Required	Default	Description
--directory	Y	cwd	Path to the local Git repository
--git-username	N	''	Username for remote Git authentication
--git-password	Y		Password or personal access token for remote Git authentication
--reset-cache	N	false	Clears the internal dependency cache before processing updates

Advanced Configuration

MSBuild Properties

The following MSBuild properties are automatically set during dependency update operations and can be used in project files to customize restore behavior:

Property	Description
DependencyUpdaterMinimalRestore	Set to true by NugetCli.Restore() to skip non-essential external resource downloads during restore (e.g., schema files)

Projects can check this property in their build targets to optimize restore performance during dependency updates.

Azure DevOps Arguments

Required when using the AzureDevOps subcommand:

Argument	Required	Description
--organization	Y	Azure DevOps organization name
--project	Y	Azure DevOps project containing the target repository
--repository	Y	Name of the Azure DevOps Git repository
--pat	Y	Azure DevOps personal access token
--account-id	Y	Azure DevOps user or service account ID
--nuget-project	Y	Azure DevOps project containing the NuGet artifacts feed
--nuget-feed-id	Y	ID of the Azure Artifacts NuGet feed
--nuget-service-host	Y	Internal Azure DevOps service host identifier
--access-token-resource-id	Y	Azure AD resource ID for upstream ingestion (always: 499b84ac-1321-427f-aa17-267ca6975798)
--az-side-car-address	N	URL for AZ sidecar service (optional)
--az-side-car-token	N	Token for AZ sidecar service (optional)

GitHub Arguments

Required when using the GitHub subcommand:

Argument	Required	Default	Description
--owner	Y		GitHub repository owner (organization or user account name)
--repository	Y		GitHub repository name
--token	Y		GitHub personal access token (requires repo scope)
--authentication-proxy-address	N		Optional HTTP(S) proxy for PR creation to enable CI triggers (see below)

GitHub Token and CI Triggers

When using the GitHub Action, an authentication proxy is used by default to ensure CI workflows trigger on PRs created by the Dependency Updater. This works around a known GitHub limitation where workflows don't trigger on PRs created by GITHUB_TOKEN.

The proxy creates PRs using a GitHub App identity, which triggers CI workflows while still validating the caller has write access to the repository.

Required: Install the Automated Dependency Updater GitHub App on your repository for the proxy to work.

To opt-out of the proxy (CI workflows won't trigger with GITHUB_TOKEN):

- uses: aviationexam/Aviationexam.DependencyUpdater@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    authentication-proxy-address: ''  # Disable proxy

Alternative: Use a Personal Access Token (PAT) to trigger CI without the proxy:

- uses: aviationexam/Aviationexam.DependencyUpdater@v1
  with:
    github-token: ${{ secrets.CUSTOM_PAT }}
    authentication-proxy-address: ''  # Not needed with PAT