From 6dc34092e520c45de6aa04c7923033b597300258 Mon Sep 17 00:00:00 2001 
From: Felicity Chapman
Date: Thu, 19 Dec 2024 22:29:09 +0000
Subject: [PATCH] Dependabot.yml refactoring work (#53053)
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Carlin Cherry <61124041+carlincherry@users.noreply.github.com>
Co-authored-by: Nish Sinha
---
 ...ot-to-work-with-limited-internet-access.md | 7 +-
 .../viewing-and-updating-dependabot-alerts.md | 8 +-
 .../about-dependabot-security-updates.md | 8 +-
 ...configuring-dependabot-security-updates.md | 4 +-
 .../customizing-dependabot-security-prs.md | 174 ++
 .../dependabot-security-updates/index.md | 2 +-
 .../about-dependabot-version-updates.md | 6 +-
 ...ion-options-for-the-dependabot.yml-file.md | 1410 -----------------
 .../configuring-dependabot-version-updates.md | 33 +-
 .../controlling-dependencies-updated.md | 297 ++++
 .../customizing-dependabot-prs.md | 248 +++
 .../customizing-dependency-updates.md | 194 ---
 .../dependabot-version-updates/index.md | 11 +-
 .../optimizing-pr-creation-version-updates.md | 73 +
 .../supported-ecosystems-and-repositories.md | 4 +-
 content/code-security/dependabot/index.md | 2 +
 .../dependabot/maintain-dependencies/index.md | 17 +
 ...aging-dependabot-on-self-hosted-runners.md | 7 +-
 ...-dependabot-access-to-public-registries.md | 59 +-
 .../dependabot-updates-stopped.md | 60 +
 .../troubleshooting-dependabot/index.md | 23 +
 ...ndencies-configured-for-version-updates.md | 13 +-
 .../troubleshooting-dependabot-errors.md | 20 +-
 ...leshooting-dependabot-on-github-actions.md | 108 ++
 ...he-detection-of-vulnerable-dependencies.md | 7 +-
 .../viewing-dependabot-job-logs.md | 2 +
 ...ut-dependabot-on-github-actions-runners.md | 8 +-
 ...tomating-dependabot-with-github-actions.md | 135 +-
 ...ss-to-private-registries-for-dependabot.md | 385 ++++-
 .../dependabot-options-reference.md | 695 ++++++++
 ...on-of-private-registries-for-dependabot.md | 76 +-
 .../working-with-dependabot/index.md | 7 +-
 ...your-actions-up-to-date-with-dependabot.md | 4 +-
 ...ng-pull-requests-for-dependency-updates.md | 6 +-
 ...leshooting-dependabot-on-github-actions.md | 21 -
 .../dependabot-quickstart-guide.md | 4 +-
 content/code-security/index.md | 8 +-
 ...security-settings-for-your-organization.md | 2 +-
 .../securing-your-organization/index.md | 6 +-
 .../about-the-dependency-graph.md | 2 +-
 .../configuring-the-dependency-graph.md | 2 +-
 .../troubleshooting-the-dependency-graph.md | 4 +-
 .../style-guide.md | 26 +-
 ...analysis-settings-for-your-organization.md | 6 +-
 data/learning-tracks/code-security.yml | 16 +-
 .../enterprise-server/3-11/0-rc1.yml | 2 +-
 .../enterprise-server/3-11/0.yml | 2 +-
 .../enterprise-server/3-12/0-rc1.yml | 3 +-
 .../enterprise-server/3-12/0.yml | 3 +-
 .../enterprise-server/3-14/0.yml | 2 +-
 ...endabot-version-updates-actions-caveats.md | 2 +-
 .../dependabot/automatic-deactivation-link.md | 1 +
 .../automatically-pause-dependabot-updates.md | 2 +-
 .../dependabot/configuration-options.md | 46 +-
 data/reusables/dependabot/default-labels.md | 6 +-
 .../dependabot-ignore-dependencies.md | 2 +-
 .../dependabot-on-actions-self-hosted-link.md | 2 +-
 ...ot-on-actions-troubleshooting-workflows.md | 4 +-
 .../dependabot-updates-registries-options.md | 14 +-
 ...dabot-updates-supported-versioning-tags.md | 2 +-
 ...bot-version-updates-groups-yaml-example.md | 181 ++-
 data/reusables/dependabot/initial-updates.md | 4 +-
 .../dependabot/link-to-yml-config-file.md | 2 +-
 ...o-security-impact-if-not-default-branch.md | 2 +
 .../dependabot/private-dependencies-note.md | 2 +-
 .../dependabot/supported-package-managers.md | 6 +-
 .../working-with-actions-considerations.md | 1 +
 67 files changed, 2462 insertions(+), 2039 deletions(-)
 create mode 100644 content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
 delete mode 100644 
content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md
 create mode 100644 content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md
 create mode 100644 content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md
 delete mode 100644 content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md
 create mode 100644 content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md
 create mode 100644 content/code-security/dependabot/maintain-dependencies/index.md
 rename content/code-security/dependabot/{working-with-dependabot => maintain-dependencies}/managing-dependabot-on-self-hosted-runners.md (96%)
 rename content/code-security/dependabot/{working-with-dependabot => maintain-dependencies}/removing-dependabot-access-to-public-registries.md (83%)
 create mode 100644 content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md
 create mode 100644 content/code-security/dependabot/troubleshooting-dependabot/index.md
 rename content/code-security/dependabot/{dependabot-version-updates => troubleshooting-dependabot}/listing-dependencies-configured-for-version-updates.md (82%)
 rename content/code-security/dependabot/{working-with-dependabot => troubleshooting-dependabot}/troubleshooting-dependabot-errors.md (92%)
 create mode 100644 content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
 rename content/code-security/dependabot/{working-with-dependabot => troubleshooting-dependabot}/troubleshooting-the-detection-of-vulnerable-dependencies.md (95%)
 rename content/code-security/dependabot/{working-with-dependabot => troubleshooting-dependabot}/viewing-dependabot-job-logs.md (96%)
 create mode 100644 content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
 delete mode 100644 
content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md
 create mode 100644 data/reusables/dependabot/automatic-deactivation-link.md
 create mode 100644 data/reusables/dependabot/no-security-impact-if-not-default-branch.md
 create mode 100644 data/reusables/dependabot/working-with-actions-considerations.md
diff --git a/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md b/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md
index 371e473f52ea..dbf493149ffe 100644
--- a/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md
+++ b/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md
@@ -19,7 +19,7 @@ redirect_from:
 You can use {% data variables.product.prodname_dependabot_updates %} to fix vulnerabilities and keep dependencies updated to the latest version in {% data variables.product.prodname_ghe_server %}. {% data variables.product.prodname_dependabot_updates %} require {% data variables.product.prodname_actions %} with self-hosted runners set up for {% data variables.product.prodname_dependabot %} to use. {% data variables.product.prodname_dependabot %} alerts and security updates use information from the {% data variables.product.prodname_advisory_database %} accessed using {% data variables.product.prodname_github_connect %}. For more information, see [AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates) and [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise).
-{% data reusables.dependabot.private-registry-support %} Alternatively, if your instance has limited or no internet access, you can configure {% data variables.product.prodname_dependabot %} to use only private registries as a source for security and version updates. For information on which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries#about-configuring-dependabot-to-only-access-private-registries).
+{% data reusables.dependabot.private-registry-support %} Alternatively, if your instance has limited or no internet access, you can configure {% data variables.product.prodname_dependabot %} to use only private registries as a source for security and version updates. For information on which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries#about-configuring-dependabot-to-only-access-private-registries).
The instructions below assume that you need to set up {% data variables.product.prodname_dependabot %} runners with the following limitations.
 * No internet access.
@@ -54,7 +54,8 @@ Before configuring {% data variables.product.prodname_dependabot %}, install Doc
 ## Verifying the configuration of {% data variables.product.prodname_dependabot %} runners
-1. For a test repository, configure {% data variables.product.prodname_dependabot %} to access private registries and remove access to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries).
+1. For a test repository, configure {% data variables.product.prodname_dependabot %} to access private registries and remove access to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries).
+
 1. In the **Insights** tab for the repository, click **Dependency graph** to display details of the dependencies.
 1. Click **{% data variables.product.prodname_dependabot %}** to display the ecosystems configured for version updates.
 1. For ecosystems that you want to test, click **Last checked TIME ago** to display the "Update logs" view.
@@ -62,4 +63,4 @@ Before configuring {% data variables.product.prodname_dependabot %}, install Doc
 When the check for updates is complete, you should check the "Update logs" view to verify that {% data variables.product.prodname_dependabot %} accessed the configured private registries on your instance to check for version updates.
-After you have verified that the configuration is correct, ask repository administrators to update their {% data variables.product.prodname_dependabot %} configurations to use private registries only. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries).
+After you have verified that the configuration is correct, ask repository administrators to update their {% data variables.product.prodname_dependabot %} configurations to use private registries only. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries).
diff --git a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md
index 9ccc7a247b7a..579756c2e78f 100644
--- a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md
+++ b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md
@@ -82,7 +82,7 @@ The alert details page of alerts on development-scoped packages shows a "Tags" s
 1. Click the alert that you would like to view.
 1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).
- ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png)
+ ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory...", is outlined in orange.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png)
 ## Reviewing and fixing alerts
@@ -121,7 +121,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert
 1. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.
 1. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see [AUTOTITLE](/graphql/reference/objects#repositoryvulnerabilityalert) in the GraphQL API documentation.
- ![Screenshot of the page for a Dependabot alert, with the "Dismiss" dropdown and the option to add a dismissal comment highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-dismissal-comment.png)
+ ![Screenshot of a {% data variables.product.prodname_dependabot %} alert page, with the "Dismiss" dropdown and the option to add a dismissal comment outlined in orange.](/assets/images/help/repository/dependabot-alerts-dismissal-comment.png)
 1. Click **Dismiss alert**.
@@ -134,7 +134,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert
 1. Optionally, at the top of the list of alerts, select all alerts on the page.
 ![Screenshot of the header section of the {% data variables.product.prodname_dependabot_alerts %} view. The "Select all" checkbox is highlighted with a dark orange outline.](/assets/images/help/graphs/select-all-alerts.png)
 1. Select the "Dismiss alerts" dropdown, and click a reason for dismissing the alerts.
- ![Screenshot of a list of alerts. Below the "Dismiss alerts" button, a dropdown labeled "Select a reason to dismiss" is expanded. The dropdown contains radio buttons for various options.](/assets/images/help/graphs/dismiss-multiple-alerts.png)
+ ![Screenshot of a list of alerts. Below the "Dismiss alerts" button, a dropdown labeled "Select a reason to dismiss" is expanded.](/assets/images/help/graphs/dismiss-multiple-alerts.png)
 ## Viewing and updating closed alerts
@@ -166,4 +166,4 @@ When a member of your organization {% ifversion not fpt %}or enterprise {% endif
 ![Screenshot of the audit log showing Dependabot alerts.](/assets/images/help/dependabot/audit-log-ui-dependabot-alert.png)
-Events in your audit log for {% data variables.product.prodname_dependabot_alerts %} include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the {% data variables.product.prodname_dependabot_alerts %} actions, see the `repository_vulnerability_alert` category in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert){% ifversion not fpt %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#repository_vulnerability_alert).{% else %}."{% endif %}
+Events in your audit log for {% data variables.product.prodname_dependabot_alerts %} include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment.
For information on the {% data variables.product.prodname_dependabot_alerts %} actions, see the `repository_vulnerability_alert` category in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert){% ifversion not fpt %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#repository_vulnerability_alert).{% else %}.{% endif %}
diff --git a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md
index 85bed65e8ce9..2ecbf9d7cf92 100644
--- a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md
+++ b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md
@@ -43,18 +43,18 @@ If you enable {% data variables.product.prodname_dependabot_security_updates %},
 {% data variables.product.prodname_dotcom %} may send {% data variables.product.prodname_dependabot_alerts %} to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. {% data reusables.security-advisory.link-browsing-advisory-db %}
-{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors).
+{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors).
 The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph.
However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included).
 > [!NOTE]
-> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert).
+> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert).
 You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency.
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). {% data reusables.dependabot.pull-request-security-vs-version-updates %}
-If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-the-dependabotyml-file).
+If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs).
 {% data reusables.dependabot.dependabot-updates-prs-and-actions %}
@@ -95,7 +95,7 @@ For security updates, {% data variables.product.prodname_dependabot %} will only
 ## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}
-{% data reusables.dependabot.automatically-pause-dependabot-updates %}
+{% data reusables.dependabot.automatic-deactivation-link %}
 ## About notifications for {% data variables.product.prodname_dependabot %} security updates
diff --git a/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md
index c927fcdc33c2..955f6ea95b26 100644
--- a/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md
+++ b/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md
@@ -113,9 +113,9 @@ Use the `groups` option with the `applies-to: security-updates` key to create se
 If you only require _security_ updates and want to exclude _version_ updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`.
-For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
+For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs).
-```yaml
+```yaml copy
 # Example configuration file that:
 # - Has a private registry
 # - Ignores lodash dependency
diff --git a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
new file mode 100644
index 000000000000..480575000840
--- /dev/null
+++ b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
@@ -0,0 +1,174 @@
+---
+title: Customizing pull requests for Dependabot security updates
+intro: 'Learn how to customize Dependabot pull requests for security updates to align with your project''s security priorities and workflows.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+type: how_to
+topics:
+ - Dependabot
+ - Security updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Customize Dependabot PRs
+---
+
+## About customizing pull requests for security updates
+
+You can customize how {% data variables.product.prodname_dependabot %} raises pull requests for security updates, so that they best fit your project's security priorities and processes. For example:
+* **Optimize {% data variables.product.prodname_dependabot %} pull requests to prioritize meaningful updates** by grouping multiple updates into a single pull request.
+* Applying custom labels to **integrate {% data variables.product.prodname_dependabot %}'s pull requests** into your existing workflows.
+
+Similar to version updates, customization options for security updates are defined in the `dependabot.yml` file. If you have already customized the `dependabot.yml` for version updates, then many of the configuration options that you have defined could automatically apply to security updates, too. However, there's a couple of important points to note:
+* {% data variables.product.prodname_dependabot_security_updates %} are **always triggered by a security advisory**, rather than running according to the `schedule` you have set in the `dependabot.yml` for version updates.
+* {% data variables.product.prodname_dependabot %} raises pull requests for security updates against the **default branch only**. If your configuration sets a value for `target-branch`, then the customization for that package ecosystem will only apply to version updates by default.
+
+If you haven't yet configured a `dependabot.yml` file for your repository and you want to customize pull requests for security updates, you must first:
+* Check in a `dependabot.yml` file into the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates).
+* Set all the required keys. For more information, see [Required keys](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#required-keys).
+* If you want the customization for a package ecosystem to **only apply to security updates** (and exclude version updates), set the `open-pull-requests-limit` key to `0`.
+
+You can then consider what your needs and priorities are for security updates, and apply a combination of the customization options outlined below.
+
+{% ifversion dependabot-grouped-security-updates-config %}
+
+## Prioritizing meaningful updates
+
+To create a more **targeted review process** that prioritizes meaningful updates, use `groups` to combine security updates for multiple dependencies into a single pull request.
+
+For detailed guidance, see [Prioritizing meaningful updates](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#prioritizing-meaningful-updates).
+
+{% endif %}
+
+## Automatically adding reviewers and assignees
+
+To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests.
+
+For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees).
+
+## Labeling pull requests with custom labels
+
+To **prioritize** specific pull requests, or integrate them into CI/CD pipelines, use `labels` to apply your own **custom labels** to each pull request.
+
+For detailed guidance, see [Labeling pull requests with custom labels](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#labeling-pull-requests-with-custom-labels).
+
+## Adding a prefix to commit messages
+
+To **integrate** with automations that process commit messages or pull requests titles, use `commit-message` to specify the prefix that you want for commit messages and pull request titles.
+
+For detailed guidance, see [Adding a prefix to commit messages](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#adding-a-prefix-to-commit-messages).
+
+## Associating pull requests with a milestone
+
+To **track progress** towards a project goal or release, use `milestone` to associate {% data variables.product.prodname_dependabot %}'s pull requests with a milestone.
+
+For detailed guidance, see [Associating pull requests with a milestone](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#associating-pull-requests-with-a-milestone).
+
+## Changing the separator in the pull request branch name
+
+To ensure your **branch names align** with your team's existing conventions, use `pull-request-branch-name.separator` to specify the separator you want {% data variables.product.prodname_dependabot %} to use for branch names.
+
+For detailed guidance, see [Changing the separator in the pull request branch name](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#changing-the-separator-in-the-pull-request-branch-name).
+
+## Example 1: configuration for security updates only
+
+In this example, the `dependabot.yml` file:
+* Uses a private registry for updates to npm dependencies.
+* Disables version updates for dependencies, so that any customizations apply to security updates only.
+* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds reviewers and assignees.{% ifversion dependabot-grouped-security-updates-config %}
+* Groups security updates for golang dependencies into a single pull request.{% endif %}
+
+```yaml copy
+# Example configuration file that:
+# - Uses a private registry for npm updates
+# - Ignores lodash dependency
+# - Disables version-updates
+# - Applies custom labels
+# - Adds reviewers and assignees
+{% ifversion dependabot-grouped-security-updates-config %}# - Group security updates for golang dependencies into a single pull request{%- endif %}
+
+version: 2
+registries:
+ # Define a private npm registry with the name `example`
+ example:
+ type: npm-registry
+ url: https://example.com
+ token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %}
+updates:
+ - package-ecosystem: "npm"
+ directory: "/src/npm-project"
+ schedule:
+ interval: "daily"
+ # For Lodash, ignore all updates
+ ignore:
+ - dependency-name: "lodash"
+ # Disable version updates for npm dependencies
+ open-pull-requests-limit: 0
+ registries:
+ # Ask Dependabot to use the private registry for npm
+ - example
+ # Raise all npm pull requests for security updates with custom labels
+ labels:
+ - "npm dependencies"
+ - "triage-board"
+ # Raise all npm pull requests for security updates with reviewers
+ reviewers:
+ - "my-org/team-name"
+ - "octocat"
+ # Raise all npm pull requests for security updates with assignees
+ assignees:
+ - "user-name"
+ {% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
+ groups:
+ # Group security updates for golang dependencies
+ # into a single pull request
+ golang:
+ applies-to: security-updates
+ patterns:
+ - "golang.org*"{% endif %}
+```
+
+## Example 2: configuration for version updates and security updates
+ +In this example, the `dependabot.yml` file: +* Is customized so that {% data variables.product.prodname_dependabot %} adds reviewers and custom labels to both version updates and security updates.{% ifversion dependabot-grouped-security-updates-config %} +* Uses the `groups` customization option to create two groups ("`angular`" and "`production-dependencies`") in order to group multiple updates into single pull requests. +* Specifies that the `groups` customization for `angular` applies to security updates only. +* Specifies that the `groups` customization for `production-dependencies` applies to version updates only.{% endif %} + +```yaml copy +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" +# Raise all npm pull requests for security and version updates with custom labels + labels: + - "npm dependencies" + - "triage-board" + # Raise all npm pull requests for security and version updates with reviewers + reviewers: + - "my-org/team-name" + - "octocat"{% ifversion dependabot-grouped-security-updates-config %} + groups: + angular: + # Group security updates for Angular dependencies into a single pull request + applies-to: security-updates + patterns: + - "@angular*" + production-dependencies: + # Group version updates for dependencies of type "production" into a single pull request + applies-to: version-updates + dependency-type: "production"{%- endif %} +``` + +## Further reading + +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) diff --git a/content/code-security/dependabot/dependabot-security-updates/index.md b/content/code-security/dependabot/dependabot-security-updates/index.md index 93a6f622bd8f..3877a1c866f8 100644 --- a/content/code-security/dependabot/dependabot-security-updates/index.md 
+++ b/content/code-security/dependabot/dependabot-security-updates/index.md @@ -16,5 +16,5 @@ shortTitle: Dependabot security updates children: - /about-dependabot-security-updates - /configuring-dependabot-security-updates + - /customizing-dependabot-security-prs --- - diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md index a809edb1b1b3..c7d111b1f1d1 100644 --- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md @@ -52,7 +52,7 @@ If you enable _security updates_, {% data variables.product.prodname_dependabot You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly. -{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates). +{% data reusables.dependabot.initial-updates %} {% ifversion dependabot-version-updates-groups %}For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).{% endif %} If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. 
@@ -60,9 +60,7 @@ If you've enabled security updates, you'll sometimes see extra pull requests for ## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %} -{% data reusables.dependabot.automatically-pause-dependabot-updates %} - -{% data variables.product.prodname_dependabot %} also stops rebasing pull requests for version and security updates after 30 days, reducing notifications for inactive {% data variables.product.prodname_dependabot %} pull requests. +{% data reusables.dependabot.automatic-deactivation-link %} ## About notifications for {% data variables.product.prodname_dependabot %} version updates diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md deleted file mode 100644 index c51b26be00bb..000000000000 --- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ /dev/null 
@@ -1,1410 +0,0 @@ ---- -title: Configuration options for the dependabot.yml file -intro: 'Detailed information for all the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories.' -permissions: '{% data reusables.permissions.dependabot-yml-configure %}' -allowTitleToDifferFromFilename: true -redirect_from: - - /github/administering-a-repository/configuration-options-for-dependency-updates - - /code-security/supply-chain-security/configuration-options-for-dependency-updates - - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates -versions: - fpt: '*' - ghec: '*' - ghes: '*' -type: reference -topics: - - Dependabot - - Version updates - - Repositories - - Dependencies - - Pull requests -shortTitle: Configure dependabot.yml ---- - -{% data reusables.dependabot.enterprise-enable-dependabot %} - -## About the `dependabot.yml` file - -The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes). - -You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. For more information and an example, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). - -Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). 
- -> [!NOTE] -> You cannot configure {% data variables.product.prodname_dependabot_alerts %} using the `dependabot.yml` file. - -The `dependabot.yml` file has two mandatory top-level keys: `version`, and `updates`. You can, optionally, include a top-level `registries` key. The file must start with `version: 2`. - -For a real-world example of `dependabot.yml` file, see [{% data variables.product.prodname_dependabot %}'s own configuration file](https://github.com/dependabot/dependabot-core/blob/main/.github/dependabot.yml). - -## Configuration options for the `dependabot.yml` file - -The top-level `updates` key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. You can use the following options. - -{% data reusables.dependabot.configuration-options %} -{% ifversion dependabot-updates-multidirectory-support %} - -{% data reusables.dependabot.directory-directories-required %} - -{% endif %} -These options fit broadly into the following categories. - -* Essential set up options that you must include in all configurations: [`package-ecosystem`](#package-ecosystem), [`directory`](#directory){% ifversion dependabot-updates-multidirectory-support %} or [`directories`](#directories){% endif %},[`schedule.interval`](#scheduleinterval). -* Options to customize the update schedule: [`schedule.time`](#scheduletime), [`schedule.timezone`](#scheduletimezone), [`schedule.day`](#scheduleday). -* Options to control which dependencies are updated: [`allow`](#allow), {% ifversion dependabot-version-updates-groups %}[`groups`](#groups),{% endif %} [`ignore`](#ignore), [`vendor`](#vendor). -* Options to add metadata to pull requests: [`reviewers`](#reviewers), [`assignees`](#assignees), [`labels`](#labels), [`milestone`](#milestone). 
-* Options to change the behavior of the pull requests: [`target-branch`](#target-branch), [`versioning-strategy`](#versioning-strategy), [`commit-message`](#commit-message), [`rebase-strategy`](#rebase-strategy), [`pull-request-branch-name.separator`](#pull-request-branch-nameseparator). - -In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option changes the maximum number of pull requests for version updates that {% data variables.product.prodname_dependabot %} can open. - -> [!NOTE] -> Some of these configuration options may also affect pull requests raised for security updates of vulnerable package manifests. -> -> Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options. -> -> In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). - -### `package-ecosystem` - -**Required**. You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. - -If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below. - -If you want to allow {% data variables.product.prodname_dependabot %} to access a private package registry when performing a version update, you can include a `registries` setting in the configuration file. 
For more information, see [`registries`](#registries) below.{% ifversion ghes %} - -> [!NOTE] -> Enterprise owners can download the most recent version of the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action) to get the best ecosystem coverage. {% data reusables.actions.action-bundled-actions %} - -{% endif %} - -{% data reusables.dependabot.supported-package-managers %} - -#### Example of a basic setup for three package managers - -```yaml -# Basic set up for three package managers - -version: 2 -updates: - - # Maintain dependencies for GitHub Actions - - package-ecosystem: "github-actions" - # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.) - directory: "/" - schedule: - interval: "weekly" - - # Maintain dependencies for npm - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" -``` - -### `directory` - -**Required**. You must define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). You define the directory relative to the root of the repository for all ecosystems except {% data variables.product.prodname_actions %}. - -{% ifversion dependabot-updates-multidirectory-support %} - -{% data reusables.dependabot.directories-option-overview %} For more information, see [`directories`](#directories). - -{% data reusables.dependabot.directory-directories-required %} - -{% endif %} - -For {% data variables.product.prodname_actions %}, you do not need to set the directory to `/.github/workflows`. 
Configuring the key to `/` automatically instructs {% data variables.product.prodname_dependabot %} to search the `/.github/workflows` directory, as well as the _action.yml_ / _action.yaml_ file from the root directory. - -```yaml -# Specify location of manifest files for each package manager - -version: 2 -updates: - - package-ecosystem: "composer" - # Files stored in repository root - directory: "/" - schedule: - interval: "weekly" - - - package-ecosystem: "npm" - # Files stored in `app` directory - directory: "/app" - schedule: - interval: "weekly" - - - package-ecosystem: "github-actions" - # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.) - directory: "/" - schedule: - interval: "weekly" -``` - -{% ifversion dependabot-updates-multidirectory-support %} - -### `directories` - -**Required**. You must define the locations of the package manifests for each package manager. You define directories relative to the root of the repository for all ecosystems except {% data variables.product.prodname_actions %}. The `directories` option contains a list of strings representing directories. 
- -{% data reusables.dependabot.directory-directories-required %} - -```yaml -# Specify locations of manifest files for each package manager using `directories` - -version: 2 -updates: - - package-ecosystem: "bundler" - directories: - - "/frontend" - - "/backend" - - "/admin" - schedule: - interval: "weekly" -``` - -{% data reusables.dependabot.directories-option-overview %} - -{% data reusables.dependabot.directory-vs-directories-guidance %} - -```yaml -# Specify locations of manifest files for each package manager using both `directories` and `directory` - -version: 2 -updates: - - package-ecosystem: "bundler" - directories: - - "/frontend" - - "/backend" - - "/admin" - schedule: - interval: "weekly" - - package-ecosystem: "bundler" - directory: "/" - schedule: - interval: "daily" -``` - -> [!NOTE] -> The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key. - -```yaml -# Specify the root directory and directories that start with "lib-", using globbing, for locations of manifest files - -version: 2 -updates: - - package-ecosystem: "composer" - directories: - - "/" - - "/lib-*" - schedule: - interval: "weekly" -``` - -```yaml -# Specify the root directory and directories in the root directory as the location of manifest files using the wildcard character - -version: 2 -updates: - - package-ecosystem: "composer" - directories: - - "*" - schedule: - interval: "weekly" -``` - -```yaml -# Specify all directories from the current layer and below recursively, using globstar, for locations of manifest files - -version: 2 -updates: - - package-ecosystem: "composer" - directories: - - "**/*" - schedule: - interval: "weekly" -``` - -{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about grouping, see [`groups`](#groups). - -{% endif %} - -### `schedule.interval` - -**Required**. You must define how often to check for new versions for each package manager. 
By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone). - -> [!NOTE] -> The `schedule.time` option is a best effort, and it may take some time before {% data variables.product.prodname_dependabot %} opens pull requests to update to newer dependency versions. - -| Interval types | Frequency | -|----------------|-----------| -| `daily` | Runs on every weekday, Monday to Friday.| -| `weekly`| Runs once each week. By default, this is on Monday. To modify this, use [`schedule.day`](#scheduleday).| -| `monthly` | Runs once each month. This is on the first day of the month. | - -```yaml -# Set update schedule for each package manager - -version: 2 -updates: - - - package-ecosystem: "github-actions" - # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.) - directory: "/" - schedule: - # Check for updates to GitHub Actions every weekday - interval: "daily" - - - package-ecosystem: "composer" - directory: "/" - schedule: - # Check for updates managed by Composer once a week - interval: "weekly" -``` - -> [!NOTE] -> `schedule` defines when {% data variables.product.prodname_dependabot %} attempts a new update. However, it's not the only time you may receive pull requests. Updates can be triggered based on changes to your `dependabot.yml` file, {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}changes to your manifest file(s) after a failed update, {% endif %}or {% data variables.product.prodname_dependabot_security_updates %}. 
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). -> -> {% data reusables.dependabot.version-updates-skip-scheduled-runs %} - -### `allow` - -{% data reusables.dependabot.default-dependencies-allow-ignore %} - -Use the `allow` option to customize which dependencies are updated. This applies to both version and security updates. You can use the following options: - -* `dependency-name`: Use to allow updates for dependencies with matching names, optionally using `*` to match zero or more characters. - * For Java dependencies, the format of the `dependency-name` attribute is: `groupId:artifactId`; for example: `org.kohsuke:github-api`. - * For Docker image tags, the format is the full name of the repository; for example, for an image tag of `.dkr.ecr.us-west-2.amazonaws.com/base/foo/bar/ruby:3.1.0-focal-jemalloc`, use `base/foo/bar/ruby`. - -* `dependency-type`: Use to allow updates for dependencies of specific types. - - | Dependency types | Supported by package managers | Allow updates | - |------------------|-------------------------------|--------| - | `direct` | All | All explicitly defined dependencies. | - | `indirect` | `bundler`, `pip`, `composer`, `cargo`, `gomod` | Dependencies of direct dependencies (also known as sub-dependencies, or transient dependencies).| - | `all` | All | All explicitly defined dependencies. For `bundler`, `pip`, `composer`, `cargo`, `gomod`, also the dependencies of direct dependencies.| - | `production` | `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only dependencies in the "Production dependency group". | - | `development`| `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only dependencies in the "Development dependency group". 
| - -```yaml -# Use `allow` to specify which dependencies to maintain - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - allow: - # Allow updates for Lodash - - dependency-name: "lodash" - # Allow updates for React and any packages starting "react" - - dependency-name: "react*" - - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" - allow: - # Allow both direct and indirect updates for all packages - - dependency-type: "all" - - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - allow: - # Allow only direct updates for - # Django and any packages starting "django" - - dependency-name: "django*" - dependency-type: "direct" - # Allow only production updates for Sphinx - - dependency-name: "sphinx" - dependency-type: "production" -``` - -### `assignees` - -Use `assignees` to specify individual assignees for all pull requests raised for a package manager. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify assignees for pull requests - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Add assignees - assignees: - - "octocat" -``` - -### `commit-message` - -By default, {% data variables.product.prodname_dependabot %} attempts to detect your commit message preferences and use similar patterns. Use the `commit-message` option to specify your preferences explicitly. This setting also impacts the titles of pull requests. - -We populate the titles of pull requests based on the commit messages, whether explicitly set or auto-detected from the repository history. - -Supported options - -> [!NOTE] -> The `prefix` and the `prefix-development` options have a 50-character limit. - -* `prefix` specifies a prefix for all commit messages and it will also be added to the start of the PR title. 
- When you specify a prefix for commit messages, {% data variables.product.prodname_dotcom %} will automatically add a colon between the defined prefix and the commit message provided the defined prefix ends with a letter, number, closing parenthesis, or closing bracket. This means that, for example, if you end the prefix with a whitespace, there will be no colon added between the prefix and the commit message. - The code snippet below provides examples of both in the same configuration file. - -* `prefix-development` specifies a separate prefix for all commit messages that update dependencies in the Development dependency group. When you specify a value for this option, the `prefix` is used only for updates to dependencies in the Production dependency group. This is supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. -* `include: "scope"` specifies that any prefix is followed by the type of the dependencies (`deps` or `deps-dev`) updated in the commit. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Customize commit messages - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - commit-message: - # Prefix all commit messages with "npm: " - prefix: "npm" - - - package-ecosystem: "docker" - directory: "/" - schedule: - interval: "weekly" - commit-message: - # Prefix all commit messages with "[docker] " (no colon, but a trailing whitespace) - prefix: "[docker] " - - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" - # Prefix all commit messages with "Composer" plus its scope, that is, a - # list of updated dependencies - commit-message: - prefix: "Composer" - include: "scope" - - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Include a list of updated dependencies - # with a prefix determined by the dependency group - commit-message: - prefix: "pip prod" - prefix-development: "pip dev" -``` - -If you 
use the same configuration as in the example above, bumping the `requests` library in the `pip` development dependency group will generate a commit message of: - - `pip dev: bump requests from 1.0.0 to 1.0.1` - -{% ifversion dependabot-version-updates-groups %} - -### `groups` - -{% ifversion dependabot-grouped-security-updates-config %}{% data reusables.dependabot.dependabot-security-updates-groups-supported %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %} - -{% data reusables.dependabot.dependabot-version-updates-groups-about %} - -{% data reusables.dependabot.dependabot-version-updates-groups-semver %} - -{% data reusables.dependabot.dependabot-version-updates-supported-options-for-groups %} - -{% ifversion dependabot-grouped-security-updates-config %} -The `applies-to` key is used to specify whether a set of grouping rules is intended for version updates or security updates. Using the `applies-to` key is optional. If the `applies-to` key is absent from a set of grouping rules, it defaults to `version-updates` for backwards compatibility. You cannot apply a single grouping set of rules to both version updates and security updates. Instead, if you want to group both version updates and security updates using the same criteria, you must define two, separately named, grouping sets of rules. To do this, you can copy the group configuration block for the ecosystem and directory, and name each set of rules differently. -{% endif %} - -{% data reusables.dependabot.dependabot-version-updates-groups-match-first %} - -If a dependency doesn't belong to any group, {% data variables.product.prodname_dependabot %} will continue to raise single pull requests to update the dependency to its latest version as normal. {% data variables.product.prodname_dotcom %} reports in the logs if a group is empty. 
For more information, see [{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-fails-to-group-a-set-of-dependencies-into-a-single-pull-request). - -When a scheduled update runs, {% data variables.product.prodname_dependabot %} will refresh pull requests for grouped updates using the following rules: -* If all the same dependencies need to be updated to the same versions, {% data variables.product.prodname_dependabot %} will rebase the branch. -* If all the same dependencies need to be updated, but a newer version has become available for one (or more) of the dependencies, {% data variables.product.prodname_dependabot %} will close the pull request and create a new one. -* If the dependencies to be updated have changed - for example, if another dependency in the group now has an update available - {% data variables.product.prodname_dependabot %} will close the pull request and create a new one. - -You can also manage pull requests for grouped version updates and security updates using comment commands, which are short comments you can make on a pull request to give instructions to {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands). - -{% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} - -{% ifversion dependabot-grouped-security-updates-config %} - -{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about multidirectory support, see [`directories`](#directories). 
- -{% endif %} - -{% endif %} - -### `ignore` - -{% data reusables.dependabot.default-dependencies-allow-ignore %} - -Dependencies can be ignored either by adding them to `ignore` or by using the `@dependabot ignore` command on a pull request opened by {% data variables.product.prodname_dependabot %}. - -> [!WARNING] -> * We recommend you do _not_ use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. This may work for some ecosystems but we have no means of knowing whether package managers require access to all dependencies to be able to successfully perform updates, which makes this method unreliable. The supported way to handle private dependencies is to give {% data variables.product.prodname_dependabot %} access to private registries or private repositories. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). -> * For {% data variables.product.prodname_actions %} and Docker, you may use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. - -#### Creating `ignore` conditions from `@dependabot ignore` - -Dependencies ignored by using the `@dependabot ignore` command are stored centrally for each package manager. If you start ignoring dependencies in the `dependabot.yml` file, these existing preferences are considered alongside the `ignore` dependencies in the configuration. - -You can check whether a repository has stored `ignore` preferences by searching the repository for `"@dependabot ignore" in:comments`, or by using the `@dependabot show DEPENDENCY_NAME ignore conditions` comment command. If you wish to unblock updates for a dependency ignored this way, re-open the pull request. This clears the `ignore` conditions that were set when the pull request was closed and resumes those {% data variables.product.prodname_dependabot %} updates for the dependency. 
To update the dependency to a newer version, merge the pull request. {% ifversion dependabot-version-updates-groups %}In pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use the `@dependabot unignore` commands to clear `ignore` settings for dependencies.{% endif %} - -For more information about the `@dependabot ignore` commands, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). - -#### Specifying dependencies and versions to ignore - -You can use the `ignore` option to customize which dependencies are updated. The `ignore` option supports the following options. - -| Option | Description | -|--------|-------------| -|dependency-name | Use to ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters.
For Java dependencies, the format of the `dependency-name` attribute is: `groupId:artifactId` (for example: `org.kohsuke:github-api`).
To prevent {% data variables.product.prodname_dependabot %} from automatically updating TypeScript type definitions from DefinitelyTyped, use `@types/*`. | -| `versions` | Use to ignore specific versions or ranges of versions. If you want to define a range, use the standard pattern for the package manager.
For example, for npm, use `^1.0.0`; for Bundler, use `~> 2.0`; for Docker, use Ruby version syntax; for NuGet, use `7.*`. | -| update-types | Use to ignore types of updates, such as semver `major`, `minor`, or `patch` updates on version updates (for example: `version-update:semver-patch` will ignore patch updates). You can combine this with `dependency-name: "*"` to ignore particular `update-types` for all dependencies.
Currently, `version-update:semver-major`, `version-update:semver-minor`, and `version-update:semver-patch` are the only supported options. | - -When used alone, the `ignore.versions` key affects both {% data variables.product.prodname_dependabot %} updates, but the `ignore.update-types` key affects only {% data variables.product.prodname_dependabot_version_updates %}. - -However, if `versions` and `update-types` are used together in the same `ignore` rule, both {% data variables.product.prodname_dependabot %} updates are affected, unless the configuration uses `target-branch` to check for version updates on a non-default branch. - -```yaml -# Use `ignore` to specify dependencies that should not be updated - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - ignore: - - dependency-name: "express" - # For Express, ignore all Dependabot updates for version 4 and 5 - versions: ["4.x", "5.x"] - # For Lodash, ignore all updates - - dependency-name: "lodash" - # For AWS SDK, ignore all patch updates for version updates only - - dependency-name: "aws-sdk" - update-types: ["version-update:semver-patch"] - - package-ecosystem: 'github-actions' - directory: '/' - schedule: - interval: 'weekly' - ignore: - - dependency-name: 'actions/checkout' - # For GitHub Actions, ignore all updates greater than or equal to version 3 - versions: '>= 3' -``` - -> [!NOTE] -> {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. 
For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files). - -> [!NOTE] -> For the `pub` ecosystem, {% data variables.product.prodname_dependabot %} won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available. - -The following examples show how `ignore` can be used to customize which dependencies are updated. - -##### Ignore updates beyond a specific version - - ```yaml - ignore: - - dependency-name: "lodash:*" - versions: [ ">=1.0.0" ] - ``` - -##### Ignore updates beyond a specific version - - ```yaml - ignore: - - dependency-name: "sphinx" - versions: [ "[1.1,)" ] - ``` - -##### Ignore patch updates - - ```yaml - ignore: - - dependency-name: "@types/node" - update-types: ["version-update:semver-patch"] - ``` - -##### Ignore updates for a specific version - - ```yaml - ignore: - - dependency-name: "django*" - versions: [ "11" ] - ``` - -### `insecure-external-code-execution` - -Package managers with the `package-ecosystem` values `bundler`, `mix`, and `pip` may execute external code in the manifest as part of the version update process. This might allow a compromised package to steal credentials or gain access to configured registries. When you add a [`registries`](#registries) setting within an `updates` configuration, {% data variables.product.prodname_dependabot %} automatically prevents external code execution, in which case the version update may fail. 
You can choose to override this behavior and allow external code execution for `bundler`, `mix`, and `pip` package managers by setting `insecure-external-code-execution` to `allow`. - -{% raw %} - -```yaml -# Allow external code execution when updating dependencies from private registries - -version: 2 -registries: - ruby-github: - type: rubygems-server - url: https://rubygems.pkg.github.com/octocat/github_api - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} -updates: - - package-ecosystem: "bundler" - directory: "/rubygems-server" - insecure-external-code-execution: allow - registries: "*" - schedule: - interval: "monthly" -``` - -{% endraw %} - -If you define a `registries` setting to allow {% data variables.product.prodname_dependabot %} to access a private package registry, and you set `insecure-external-code-execution` to `allow` in the same `updates` configuration, external code execution that occurs will only have access to the package managers in the registries associated with that `updates`setting. There is no access allowed to any of the registries defined in the top level `registries` configuration. - -In this example, the configuration file allows {% data variables.product.prodname_dependabot %} to access the `ruby-github` private package registry. In the same `updates`setting, `insecure-external-code-execution`is set to `allow`, which means that the code executed by dependencies will only access the `ruby-github` registry, and not the `dockerhub` registry. 
- -{% raw %} - -```yaml -# Using `registries` in conjunction with `insecure-external-code-execution:allow` -# in the same `updates` setting - -version: 2 -registries: - ruby-github: - type: rubygems-server - url: https://rubygems.pkg.github.com/octocat/github_api - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} - dockerhub: - type: docker-registry - url: registry.hub.docker.com - username: octocat - password: ${{secrets.DOCKERHUB_PASSWORD}} -updates: - - package-ecosystem: "bundler" - directory: "/rubygems-server" - insecure-external-code-execution: allow - registries: - - ruby-github # only access to registries associated with this ecosystem/directory - schedule: - interval: "monthly" -``` - -{% endraw %} - -You can explicitly deny external code execution, regardless of whether there is a `registries` setting for this update configuration, by setting `insecure-external-code-execution` to `deny`. - -### `labels` - -{% data reusables.dependabot.default-labels %} - -Use `labels` to override the default labels and specify alternative labels for all pull requests raised for a package manager. If any of these labels is not defined in the repository, it is ignored. -To disable all labels, including the default labels, use `labels: [ ]`. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify labels for pull requests - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Specify labels for npm pull requests - labels: - - "npm" - - "dependencies" -``` - -### `milestone` - -Use `milestone` to associate all pull requests raised for a package manager with a milestone. You need to specify the numeric identifier of the milestone and not its label. If you view a milestone, the final part of the page URL, after `milestone`, is the identifier. For example: `https://github.com///milestone/3`. 
- -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify a milestone for pull requests - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Associate pull requests with milestone "4" - milestone: 4 -``` - -### `open-pull-requests-limit` - -By default, {% data variables.product.prodname_dependabot %} opens a maximum of five pull requests for version updates. Once there are five open pull requests from {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_dependabot %} will not open any new requests until some of those open requests are merged or closed. Use `open-pull-requests-limit` to change this limit. This also provides a simple way to temporarily disable version updates for a package manager. - -This option has no impact on security updates, which have a separate, internal limit of ten open pull requests. - -```yaml -# Specify the number of open pull requests allowed - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Disable version updates for npm dependencies - open-pull-requests-limit: 0 - - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Allow up to 10 open pull requests for pip dependencies - open-pull-requests-limit: 10 -``` - -### `pull-request-branch-name.separator` - -{% data variables.product.prodname_dependabot %} generates a branch for each pull request. Each branch name includes `dependabot`, and the package manager and dependency that are updated. By default, these parts are separated by a `/` symbol, for example: `dependabot/npm_and_yarn/next_js/acorn-6.4.1`. - -Use `pull-request-branch-name.separator` to specify a different separator. This can be one of: `"-"`, `_` or `/`. The hyphen symbol must be quoted because otherwise it's interpreted as starting an empty YAML list. 
- -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify a different separator for branch names - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - pull-request-branch-name: - # Separate sections of the branch name with a hyphen - # for example, `dependabot-npm_and_yarn-next_js-acorn-6.4.1` - separator: "-" -``` - -### `rebase-strategy` - -By default, {% data variables.product.prodname_dependabot %} automatically rebases open pull requests when it detects any changes to the pull request. Use `rebase-strategy` to disable this behavior. - -> [!NOTE] -> {% data reusables.dependabot.pull-requests-30-days-cutoff %} - -Available rebase strategies - -* `auto` to use the default behavior and rebase open pull requests when changes are detected. -* `disabled` to disable automatic rebasing. - -When `rebase-strategy` is set to `auto`, {% data variables.product.prodname_dependabot %} attempts to rebase pull requests in the following cases. -* When you use {% data variables.product.prodname_dependabot_version_updates %}, for any open {% data variables.product.prodname_dependabot %} pull request when your schedule runs. -* When you reopen a closed {% data variables.product.prodname_dependabot %} pull request. -* When you change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file. For more information about this field, see [`target-branch`](#target-branch). -* When {% data variables.product.prodname_dependabot %} detects that a {% data variables.product.prodname_dependabot %} pull request is in conflict after a recent push to the target branch. - -When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests. - -> [!NOTE] -> This behavior only applies to pull requests that go into conflict with the target branch. 
{% data variables.product.prodname_dependabot %} will keep rebasing (until 30 days after opening) pull requests opened prior to the `rebase-strategy` setting being changed, and pull requests that are part of a scheduled run. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Disable automatic rebasing - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Disable rebasing for npm pull requests - rebase-strategy: "disabled" -``` - -### `registries` - -To allow {% data variables.product.prodname_dependabot %} to access a private package registry when performing a version update, you must include a `registries` setting within the relevant `updates` configuration. - -{% data reusables.dependabot.dependabot-updates-registries %} - -For more information, see [Configuration options for private registries](#configuration-options-for-private-registries) below. - -{% data reusables.dependabot.advanced-private-registry-config-link %} - -To allow {% data variables.product.prodname_dependabot %} to use `bundler`, `mix`, and `pip` package managers to update dependencies in private registries, you can choose to allow external code execution. For more information, see [`insecure-external-code-execution`](#insecure-external-code-execution) above. 
- -```yaml -# Allow {% data variables.product.prodname_dependabot %} to use one of the two defined private registries -# when updating dependency versions for this ecosystem - -{% raw %} -version: 2 -registries: - maven-github: - type: maven-repository - url: https://maven.pkg.github.com/octocat - username: octocat - password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} - npm-npmjs: - type: npm-registry - url: https://registry.npmjs.org - username: octocat - password: ${{secrets.MY_NPM_PASSWORD}} -updates: - - package-ecosystem: "gitsubmodule" - directory: "/" - registries: - - maven-github - schedule: - interval: "monthly" -{% endraw %} -``` - -### `reviewers` - -Use `reviewers` to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager. You must use the full team name, including the organization, as if you were @mentioning the team. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify reviewers for pull requests - -version: 2 -updates: - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Add reviewers - reviewers: - - "octocat" - - "my-username" - - "my-org/python-team" -``` - -### `schedule.day` - -When you set a `weekly` update schedule, by default, {% data variables.product.prodname_dependabot %} checks for new versions on Monday at a random set time for the repository. Use `schedule.day` to specify an alternative day to check for updates. - -Supported values - -* `monday` -* `tuesday` -* `wednesday` -* `thursday` -* `friday` -* `saturday` -* `sunday` - -```yaml -# Specify the day for weekly checks - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Check for npm updates on Sundays - day: "sunday" -``` - -### `schedule.time` - -By default, {% data variables.product.prodname_dependabot %} checks for new versions at a random set time for the repository. 
Use `schedule.time` to specify an alternative time of day to check for updates (format: `hh:mm`). - -```yaml -# Set a time for checks -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Check for npm updates at 9am UTC - time: "09:00" -``` - -### `schedule.timezone` - -By default, {% data variables.product.prodname_dependabot %} checks for new versions at a random set time for the repository. Use `schedule.timezone` to specify an alternative time zone. The time zone identifier must be from the Time Zone database maintained by [iana](https://www.iana.org/time-zones). For more information, see [List of tz database time zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). - -```yaml -# Specify the timezone for checks - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - time: "09:00" - # Use Japan Standard Time (UTC +09:00) - timezone: "Asia/Tokyo" -``` - -### `target-branch` - -By default, {% data variables.product.prodname_dependabot %} checks for manifest files on the default branch and raises pull requests for version updates against this branch. Use `target-branch` to specify a different branch for manifest files and for pull requests. When you use this option, the settings for this package manager will no longer affect any pull requests raised for security updates. 
- -```yaml -# Specify a non-default branch for pull requests for pip - -version: 2 -updates: - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Raise pull requests for version updates - # to pip against the `develop` branch - target-branch: "develop" - # Labels on pull requests for version updates only - labels: - - "pip dependencies" - - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Check for npm updates on Sundays - day: "sunday" - # Labels on pull requests for security and version updates - labels: - - "npm dependencies" -``` - -### `vendor` - -Use the `vendor` option to tell {% data variables.product.prodname_dependabot %} to vendor dependencies when updating them. Don't use this option if you're using `gomod` as {% data variables.product.prodname_dependabot %} automatically detects vendoring for this tool. - -```yaml -# Configure version updates for both dependencies defined in manifests and vendored dependencies - -version: 2 -updates: - - package-ecosystem: "bundler" - # Raise pull requests to update vendored dependencies that are checked in to the repository - vendor: true - directory: "/" - schedule: - interval: "weekly" -``` - -{% data variables.product.prodname_dependabot %} only updates the vendored dependencies located in specific directories in a repository. - -| Package manager | Required file path for vendored dependencies | More information | - |------------------|-------------------------------|--------| - | `bundler` | The dependencies must be in the _vendor/cache_ directory.
Other file paths are not supported. | [`bundle cache` documentation](https://bundler.io/man/bundle-cache.1.html) | - | `gomod` | No path requirement (dependencies are usually located in the _vendor_ directory) | [`go mod vendor` documentation](https://golang.org/ref/mod#go-mod-vendor) | - -### `versioning-strategy` - -When {% data variables.product.prodname_dependabot %} edits a manifest file to update a version, there are several different potential versioning strategies: - -| Option | Action | -|--------|--------| -| `auto` | Try to differentiate between apps and libraries. Use `increase` for apps and `widen` for libraries.| -| `increase`| Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. | -| `increase-if-necessary` | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint. | -| `lockfile-only` | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. | -| `widen`| Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement. | -| N/A | Some package managers do not yet support configuring the `versioning-strategy` parameter. | - -The following table shows an example of how `versioning-strategy` can be used. 
- -| Current constraint | Current version | New version | Strategy | New constraint | -|--------------------|-----------------|-------------|----------|----------------| -| ^1.0.0 | 1.0.0 | 1.2.0 | `widen` | ^1.0.0 | -| ^1.0.0 | 1.0.0 | 1.2.0 | `increase` | ^1.2.0 | -| ^1.0.0 | 1.0.0 | 1.2.0 | `increase-if-necessary` | ^1.0.0 | -| ^1.0.0 | 1.0.0 | 2.0.0 | `widen` | >=1.0.0 <3.0.0 | -| ^1.0.0 | 1.0.0 | 2.0.0 | `increase` | ^2.0.0 | -| ^1.0.0 | 1.0.0 | 2.0.0 | `increase-if-necessary` | ^2.0.0 | - -Use the `versioning-strategy` option to change this behavior for supported package managers. - -{% data reusables.dependabot.option-affects-security-updates %} - -Available update strategies: - -| Ecosystem | Supported versioning strategies | Default strategy | -|-----------|---------------------------------|------------------| -| `bundler` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only` | `auto` | -| `cargo` | `auto`, `lockfile-only` | `auto` | -| `composer` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only`, `widen` | `auto` | -| `docker` | N/A | N/A | -| `github-actions` | N/A | N/A | -| `gitsubmodule` | N/A | N/A | -| `gomod` | N/A | N/A | -| `gradle` | N/A | N/A | -| `maven` | N/A | N/A | -| `mix` | `auto`, `lockfile-only` | `auto` | -| `npm` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only`, `widen` | `auto` | -| `nuget` | N/A | N/A | -| `pip` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only` | `auto` | -| `pub` | `auto`, `increase`, `increase-if-necessary`, `widen` | `auto` | -| `terraform` | N/A | N/A | - -> [!NOTE] -> `N/A` indicates that the package manager does not yet support configuring the `versioning-strategy` parameter. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/. 
- -```yaml -# Example configuration for customizing the manifest version strategy - -version: 2 -updates: - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" - # Increase the version requirements for Composer only when required - versioning-strategy: increase-if-necessary -``` - -{% ifversion dependabot-updates-supported-versioning-tags %} - -### Versioning tags - -* Represent stages in the software release lifecycle, such as alpha, beta, and stable versions. -* Allow publishers to distribute their packages more effectively. -* Indicate the stability of a version and communicate what users should expect in terms of features and stability. - -{% data reusables.dependabot.dependabot-updates-supported-versioning-tags %} - -#### Versioning tag glossary - -* **`alpha`:** Early version, may be unstable and have incomplete features. -* **`beta`:** More stable than alpha but may still have bugs. -* **`canary`:** Regularly updated pre-release version for testing. -* **`dev`:** Represents development versions. -* **`experimental`:** Versions with experimental features. -* **`latest`:** The latest stable release. -* **`legacy`:** Older or deprecated versions. -* **`next`:** Upcoming release version. -* **`nightly`:** Versions built nightly; often includes the latest changes. -* **`rc`:** Release candidate, close to stable release. -* **`release`:** The official release version. -* **`stable`:** The most reliable, production-ready version. - -{% endif %} - -## Configuration options for private registries - -The top-level `registries` key is optional. It allows you to specify authentication details that {% data variables.product.prodname_dependabot %} can use to access private package registries. - -You can give {% data variables.product.prodname_dependabot %} access to private package registries hosted by GitLab or Bitbucket by specifying a `type` of `git`. 
For more information, see [`git`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git). -{% ifversion ghes %} - -> [!NOTE] -> Private registries behind firewalls on private networks are supported for the following ecosystems: -> -> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %} -> * Cargo{% endif %} -> * Docker -> * Gradle -> * Maven -> * Npm -> * NuGet{% ifversion dependabot-updates-pub-private-registry %} -> * Pub{% endif %} -> * Python -> * Yarn - -{% endif %} - -The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following `dependabot.yml` file configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file. - -{% raw %} - -```yaml -# Minimal settings to update dependencies in one private registry - -version: 2 -registries: - dockerhub: # Define access for a private registry - type: docker-registry - url: registry.hub.docker.com - username: octocat - password: ${{secrets.DOCKERHUB_PASSWORD}} -updates: - - package-ecosystem: "docker" - directory: "/docker-registry/dockerhub" - registries: - - dockerhub # Allow version updates for dependencies in this registry - schedule: - interval: "monthly" -``` - -{% endraw %} - -{% data reusables.dependabot.dependabot-updates-registries-options %} - -You must provide the required settings for each configuration `type` that you specify. Some types allow more than one way to connect. The following sections provide details of the settings you should use for each `type`. 
- -{% data reusables.dependabot.advanced-private-registry-config-link %} - -{% ifversion dependabot-updates-cargo-private-registry-support %} - -### `cargo-registry` - -The `cargo-registry` type supports a token. - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% data reusables.dependabot.cargo-private-registry-config-example %} - -{% endif %} - -### `composer-repository` - -The `composer-repository` type supports username and password. {% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - composer: - type: composer-repository - url: https://repo.packagist.com/example-company/ - username: octocat - password: ${{secrets.MY_PACKAGIST_PASSWORD}} -``` - -{% endraw %} - -### `docker-registry` - -{% data variables.product.prodname_dependabot %} works with any container registries that implement the OCI container registry spec. For more information, see [https://github.com/opencontainers/distribution-spec/blob/main/spec.md](https://github.com/opencontainers/distribution-spec/blob/main/spec.md). {% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For further details, see [Token Authentication Specification](https://docs.docker.com/registry/spec/auth/token/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia. - -The `docker-registry` type supports username and password. 
{% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - dockerhub: - type: docker-registry - url: https://registry.hub.docker.com - username: octocat - password: ${{secrets.MY_DOCKERHUB_PASSWORD}} - replaces-base: true -``` - -{% endraw %} - -The `docker-registry` type can also be used to pull from private Amazon ECR using static AWS credentials. - -{% raw %} - -```yaml -registries: - ecr-docker: - type: docker-registry - url: https://1234567890.dkr.ecr.us-east-1.amazonaws.com - username: ${{secrets.ECR_AWS_ACCESS_KEY_ID}} - password: ${{secrets.ECR_AWS_SECRET_ACCESS_KEY}} - replaces-base: true -``` - -{% endraw %} - -### `git` - -The `git` type supports username and password. {% data reusables.dependabot.password-definition %} - -{% raw %} - -```yaml -registries: - github-octocat: - type: git - url: https://github.com - username: x-access-token - password: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} -``` - -{% endraw %} - -### `hex-organization` - -The `hex-organization` type supports organization and key. - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - github-hex-org: - type: hex-organization - organization: github - key: ${{secrets.MY_HEX_ORGANIZATION_KEY}} -``` - -{% endraw %} - -### `hex-repository` - -The `hex-repository` type supports an authentication key. - -`repo` is a required field, which must match the name of the repository used in your dependency declaration. - -The `public-key-fingerprint` is an optional configuration field, representing the fingerprint of the public key for the Hex repository. `public-key-fingerprint` is used by Hex to establish trust with the private repository. The `public-key-fingerprint` field can be either listed in plaintext or stored as a {% data variables.product.prodname_dependabot %} secret. 
- -{% raw %} - -```yaml -registries: - github-hex-repository: - type: hex-repository - repo: private-repo - url: https://private-repo.example.com - auth-key: ${{secrets.MY_AUTH_KEY}} - public-key-fingerprint: ${{secrets.MY_PUBLIC_KEY_FINGERPRINT}} -``` - -{% endraw %} - -### `maven-repository` - -The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - maven-artifactory: - type: maven-repository - url: https://acme.jfrog.io/artifactory/my-maven-registry - username: octocat - password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} -``` - -{% endraw %} - -### `npm-registry` - -The `npm-registry` type supports username and password, or token. {% data reusables.dependabot.password-definition %} - -When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password. - -> [!NOTE] -> When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path. - -{% raw %} - -```yaml -registries: - npm-npmjs: - type: npm-registry - url: https://registry.npmjs.org - username: octocat - password: ${{secrets.MY_NPM_PASSWORD}} # Must be an unencoded password - replaces-base: true -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - npm-github: - type: npm-registry - url: https://npm.pkg.github.com - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} - replaces-base: true -``` - -{% endraw %} - -For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. 
When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation. - -### `nuget-feed` - -The `nuget-feed` type supports username and password, or token. {% data reusables.dependabot.password-definition %} - -{% raw %} - -```yaml -registries: - nuget-example: - type: nuget-feed - url: https://nuget.example.com/v3/index.json - username: octocat@example.com - password: ${{secrets.MY_NUGET_PASSWORD}} -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - nuget-azure-devops: - type: nuget-feed - url: https://pkgs.dev.azure.com/.../_packaging/My_Feed/nuget/v3/index.json - username: octocat@example.com - password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} -``` - -{% endraw %} - -{% ifversion dependabot-updates-pub-private-registry %} - -### `pub-repository` - -The `pub-repository` type supports a URL and a token. - -{% raw %} - -```yaml -registries: - my-pub-registry: - type: pub-repository - url: https://example-private-pub-repo.dev/optional-path - token: ${{secrets.MY_PUB_TOKEN}} -updates: - - package-ecosystem: "pub" - directory: "/" - schedule: - interval: "weekly" - registries: - - my-pub-registry -``` - -{% endraw %} - -{% endif %} - -### `python-index` - -The `python-index` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - python-example: - type: python-index - url: https://example.com/_packaging/my-feed/pypi/example - username: octocat - password: ${{secrets.MY_BASIC_AUTH_PASSWORD}} - replaces-base: true -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - python-azure: - type: python-index - url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example - username: octocat@example.com - password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} - replaces-base: true -``` - -{% endraw %} - -### `rubygems-server` - -The `rubygems-server` type supports username and password, or token. {% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - ruby-example: - type: rubygems-server - url: https://rubygems.example.com - username: octocat@example.com - password: ${{secrets.MY_RUBYGEMS_PASSWORD}} - replaces-base: true -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - ruby-github: - type: rubygems-server - url: https://rubygems.pkg.github.com/octocat/github_api - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} - replaces-base: true -``` - -{% endraw %} - -### `terraform-registry` - -The `terraform-registry` type supports a token. - -{% raw %} - -```yaml -registries: - terraform-example: - type: terraform-registry - url: https://terraform.example.com - token: ${{secrets.MY_TERRAFORM_API_TOKEN}} -``` - -{% endraw %} - -## Enabling support for {% data variables.release-phases.public_preview %}-level ecosystems - -### `enable-beta-ecosystems` - -By default, {% data variables.product.prodname_dependabot %} updates the dependency manifests and lock files only for fully supported ecosystems. Use the `enable-beta-ecosystems` flag to opt in to updates for ecosystems that are not yet generally available. 
- - -There are currently no ecosystems in {% data variables.release-phases.public_preview %}. - -```yaml -# Configure {% data variables.release-phases.public_preview %} ecosystem - -version: 2 -enable-beta-ecosystems: true -updates: - - package-ecosystem: "beta-ecosystem" - directory: "/" - schedule: - interval: "weekly" -``` diff --git a/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md index 8887c350bb8e..d2b5c20ffd1f 100644 --- a/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md 
@@ -27,11 +27,11 @@ shortTitle: Configure version updates You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). -{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates). +{% data reusables.dependabot.initial-updates %} {% ifversion dependabot-version-updates-groups %}For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).{% endif %} {% data reusables.dependabot.version-updates-skip-scheduled-runs %} -By default only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow). +By default only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. 
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). {% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories) and [AUTOTITLE](/get-started/learning-about-github/github-language-support). 
@@ -61,24 +61,23 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c ``` 1. Add a `version`. This key is mandatory. The file must start with `version: 2`. -1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) in "Configuration options for the `dependabot.yml` file." -1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. +1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). +1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [About the dependabot.yml file](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#about-the-dependabotyml-file) in "{% data variables.product.prodname_dependabot %} options reference." 1. For each package manager, use: - * `package-ecosystem` to specify the package manager. 
For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in "Configuration options for the `dependabot.yml` file." - * `directory` to specify the location of the manifest or other definition files. For more information, see [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory) in "Configuration options for the `dependabot.yml` file." - {% ifversion dependabot-updates-multidirectory-support %}- `directories` to specify the location of multiple manifest or other definition files. For more information, see [`directories`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories) in "Configuration options for the `dependabot.yml` file."{% endif %} - * `schedule.interval` to specify how often to check for new versions. For more information, see [`schedule.interval`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) in "Configuration options for the `dependabot.yml` file." + * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem). + * {% ifversion dependabot-updates-multidirectory-support %}`directories` or {% endif %}`directory` to specify the location of multiple manifest or other definition files.{% ifversion dependabot-updates-multidirectory-support %} For more information, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).{% endif %} + * `schedule.interval` to specify how often to check for new versions. 
{% data reusables.dependabot.check-in-dependabot-yml %} ### Example `dependabot.yml` file -The example `dependabot.yml` file below configures version updates for two package managers: npm and Docker. When this file is checked in, {% data variables.product.prodname_dependabot %} checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies. +The example `dependabot.yml` file below configures version updates for three package managers: npm, Docker, and {% data variables.product.prodname_actions %}. When this file is checked in, {% data variables.product.prodname_dependabot %} checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies. -```yaml +```yaml copy # Basic `dependabot.yml` file with -# minimum configuration for two package managers +# minimum configuration for three package managers version: 2 updates: @@ -97,6 +96,14 @@ updates: # Check for updates once a week schedule: interval: "weekly" + + # Enable version updates for GitHub Actions + - package-ecosystem: "github-actions" + # Workflow files stored in the default location of `.github/workflows` + # You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`. + directory: "/" + schedule: + interval: "weekly" ``` In the example above, if the Docker dependencies were very outdated, you might want to start with a `daily` schedule until the dependencies are up-to-date, and then drop back to a weekly schedule. 
@@ -118,7 +125,7 @@ After you enable version updates, the **Dependabot** tab in the dependency graph ![Screenshot of the Dependency graph page. A tab, titled "{% data variables.product.prodname_dependabot %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view.png) -For information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates). +For information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates). ## Disabling {% data variables.product.prodname_dependabot_version_updates %} @@ -165,4 +172,4 @@ updates: update-types: ["version-update:semver-patch"] ``` -For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). +For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore). diff --git a/content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md b/content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md new file mode 100644 index 000000000000..e160cd1f16b4 --- /dev/null +++ b/content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md 
@@ -0,0 +1,297 @@
+---
+title: Controlling which dependencies are updated by Dependabot
+intro: 'Learn how to configure your `dependabot.yml` file so that {% data variables.product.prodname_dependabot %} automatically updates the packages you specify, in the way you define.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+type: how_to
+topics:
+ - Dependabot
+ - Version updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Control dependency update
+---
+
+You can customize your {% data variables.product.prodname_dependabot %} configuration to suit your needs, by adding options to your `dependabot.yml` file. For example, you can make sure that {% data variables.product.prodname_dependabot %} uses the correct package manifest files, and updates only the dependencies you want maintained.
+
+This article collates customization options you may find useful.
+
+{% ifversion dependabot-updates-multidirectory-support %}
+
+## Defining multiple locations for manifest files
+
+If you want to enable {% data variables.product.prodname_dependabot_version_updates %} for manifest files stored in more than one location, you can use `directories` in place of `directory`. For example, this configuration sets two different update schedules for manifest files stored in different directories.
+
+```yaml copy
+# Specify the locations of the manifest files to update for each package manager
+# using both `directories` and `directory`
+
+version: 2
+updates:
+ - package-ecosystem: "bundler"
+ # Update manifest files stored in these directories weekly
+ directories:
+ - "/frontend"
+ - "/backend"
+ - "/admin"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "bundler"
+ # Update manifest files stored in the root directory daily
+ directory: "/"
+ schedule:
+ interval: "daily"
+```
+
+* To specify a range of directories using a pattern
+
+ ```yaml copy
+ # Specify the root directory and directories that start with "lib-",
+ # using globbing, for locations of manifest files
+
+ version: 2
+ updates:
+ - package-ecosystem: "composer"
+ directories:
+ - "/"
+ - "/lib-*"
+ schedule:
+ interval: "weekly"
+ ```
+
+* To specify manifests in the current directory and recursive subdirectories
+
+ ```yaml copy
+ # Specify all directories from the current layer and below recursively,
+ # using globstar, for locations of manifest files
+
+ version: 2
+ updates:
+ - package-ecosystem: "composer"
+ directories:
+ - "**/*"
+ schedule:
+ interval: "weekly"
+ ```
+
+{% endif %}
+
+## Ignoring specific dependencies
+
+If you are not ready to adopt changes from certain dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can do this using one of the following methods.
+
+* Configure the `ignore` option for the dependency in your `dependabot.yml` file.
+ * **You can use this to ignore updates for specific dependencies, versions, and types of updates.**
+ * For more information, see `ignore` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--).
+* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. + * **You can use comment commands to ignore updates for specific dependencies and versions.** + * For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). + +Here are some examples showing how `ignore` can be used to customize which dependencies are updated. + +* To ignore updates beyond a specific version + + ```yaml copy + ignore: + - dependency-name: "lodash:*" + # Ignore versions of Lodash that are equal to or greater than 1.0.0 + versions: [ ">=1.0.0" ] + ``` + + ```yaml copy + ignore: + - dependency-name: "sphinx" + versions: [ "[1.1,)" ] + ``` + +* To ignore patch updates + + ```yaml copy + ignore: + - dependency-name: "@types/node" + # Ignore patch updates for Node + update-types: ["version-update:semver-patch"] + ``` + +* To ignore specific versions or version ranges, see [Ignoring specific versions or ranges of versions](#ignoring-specific-versions-or-ranges-of-versions). + +If you want to un-ignore a dependency or ignore condition, you can delete the ignore conditions from the `dependabot.yml` file or reopen the pull request. + +{% ifversion dependabot-version-updates-groups %}For pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use `@dependabot unignore` comment commands. 
The `@dependabot unignore` comment commands enable you to do the following by commenting on a {% data variables.product.prodname_dependabot %} pull request: + +* Un-ignore a specific ignore condition +* Un-ignore a specific dependency +* Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request + +{% ifversion dependabot-grouped-security-updates-config %}{% else %} + +> [!NOTE] +> The `@dependabot unignore` comment commands only work on pull requests for grouped version updates. + +{% endif %} + +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands).{% endif %} + +## Allowing specific dependencies to be updated + +You can use `allow` to tell {% data variables.product.prodname_dependabot %} about the dependencies you want to maintain. `allow` is usually used in conjunction with `ignore`. + +For more information, see `allow` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow--). + +By default, {% data variables.product.prodname_dependabot %} creates version update pull requests only for the dependencies that are explicitly defined in a manifest (`direct` dependencies). This configuration uses `allow` to tell {% data variables.product.prodname_dependabot %} that we want it to maintain `all` types of dependency. That is, both the `direct` dependencies and their dependencies (also known as indirect dependencies, sub-dependencies, or transient dependencies). In addition, the configuration tells {% data variables.product.prodname_dependabot %} to ignore all dependencies with a name matching the pattern `org.xwiki.*` because we have a different process for maintaining them. 
+ +> [!TIP] +> {% data variables.product.prodname_dependabot %} checks for all **allowed** dependencies, then filters out any **ignored** dependencies. If a dependency is matched by an **allow** and an **ignore** statement, then it is ignored. + +```yaml copy +version: 2 +registries: + # Helps find updates for non Maven Central dependencies + maven-xwiki-public: + type: maven-repository + url: https://nexus.xwiki.org/nexus/content/groups/public/ + username: "" + password: "" + # Required to resolve xwiki-common SNAPSHOT parent pom + maven-xwiki-snapshots: + type: maven-repository + url: https://maven.xwiki.org/snapshots + username: "" + password: "" +updates: + - package-ecosystem: "maven" + directory: "/" + registries: + - maven-xwiki-public + - maven-xwiki-snapshots + schedule: + interval: "weekly" + allow: + # Allow both direct and indirect updates for all packages. + - dependency-type: "all" + ignore: + # Ignore XWiki dependencies. We have a separate process for updating them + - dependency-name: "org.xwiki.*" + open-pull-requests-limit: 15 +``` + +## Ignoring specific versions or ranges of versions + +You can use `versions` in conjunction with `ignore` to ignore specific versions or ranges of versions. + +For more information, see `versions` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versions-ignore). + +* To ignore a specific version + + ```yaml copy + ignore: + - dependency-name: "django*" + # Ignore version 11 + versions: [ "11" ] + ``` + +* To ignore a range of versions + + ```yaml copy + ignore: + - dependency-name: "@types/node" + versions: ["15.x", "14.x", "13.x"] + - dependency-name: "xdg-basedir" + # 5.0.0 has breaking changes as they switch to named exports + # and convert the module to ESM + # We can't use it until we switch to ESM across the project + versions: ["5.x"] + - dependency-name: "limiter" + # 2.0.0 has breaking changes + # so we want to delay updating. 
+ versions: ["2.x"] + ``` + +## Specifying the semantic versioning level to ignore + +You can specify one or more semantic versioning (SemVer) levels to ignore using `update-types`. + +For more information, see `update-types` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-ignore). + +In this example, {% data variables.product.prodname_dependabot %} will ignore patch versions for Node. + +```yaml copy +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + ignore: + - dependency-name: "express" + # For Express, ignore all updates for version 4 and 5 + versions: ["4.x", "5.x"] + # For Lodash, ignore all updates + - dependency-name: "lodash" + - dependency-name: "@types/node" + # For Node types, ignore any patch versions + update-types: ["version-update:semver-patch"] +``` + +## Defining a versioning strategy + +By default, {% data variables.product.prodname_dependabot %} tries to increase the minimum version requirement for dependencies it identifies as apps, and widens the allowed version requirements to include both the new and old versions for dependencies it identifies as libraries. + +You can change this default strategy. For more information, see `versioning-strategy` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy--). + +In this example, {% data variables.product.prodname_dependabot %} will increase the minimum version requirement to match the new version for both apps and libraries. + +```yaml copy +version: 2 +updates: + - package-ecosystem: npm + directory: "/" + schedule: + interval: daily + # Increase the minimum version for all npm dependencies + versioning-strategy: increase +``` + +In this example, {% data variables.product.prodname_dependabot %} will **only** increase the minimum version requirement if the original constraint does not allow the new version. 
+ +```yaml copy +version: 2 +updates: +- package-ecosystem: pip + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 20 + rebase-strategy: "disabled" + # Increase the version requirements for npm + # only when required + versioning-strategy: increase-if-necessary +``` + +## Updating vendored dependencies + +You can instruct {% data variables.product.prodname_dependabot %} to vendor specific dependencies when updating them. + +{% data variables.product.prodname_dependabot %} automatically maintains vendored dependencies for Go modules, and you can configure Bundler to also update vendored dependencies. + +For more information, see `vendor` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor--). + +In this example, `vendor` is set to `true` for Bundler, which means that {% data variables.product.prodname_dependabot %} will also maintain dependencies for Bundler that are stored in the _vendor/cache_ directory in the repository. + +```yaml copy +version: 2 +updates: +- package-ecosystem: bundler + directory: "/" + # Vendoring Bundler + vendor: true + schedule: + interval: weekly + day: saturday + open-pull-requests-limit: 10 +``` diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md new file mode 100644 index 000000000000..2eee0768ca66 --- /dev/null +++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md 
@@ -0,0 +1,248 @@
+---
+title: Customizing Dependabot pull requests to fit your processes
+intro: 'Learn how to tailor your Dependabot pull requests to better suit your own internal workflows.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+type: how_to
+topics:
+ - Dependabot
+ - Version updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Customize Dependabot PRs
+---
+
+There are various ways to customize your {% data variables.product.prodname_dependabot %} pull requests so that they better suit your own internal processes.
+
+For example:
+* To maximize efficiency, {% data variables.product.prodname_dependabot %} can automatically add specific individuals or teams as **reviewers** to its pull requests for a particular package ecosystem.
+* To integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.
+
+There are several different customization options which can all be used in combination, and tailored per package ecosystem.
+
+## Automatically adding reviewers and assignees
+
+By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees.
+
+However, you may want pull requests to be consistently reviewed or dealt with by a specific individual or team that has expertise in that package ecosystem, or automatically assigned to a designated security team. In which case, you can use `reviewers` and `assignees` to set these values per package ecosystem.
+
+The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have:
+* A team ("`my-org/team-name`") and an individual ("`octocat`") automatically added as reviewers to the pull requests.
+* An individual ("`user-name`") automatically assigned to the pull requests.
+
+```yaml copy
+# `dependabot.yml` file with
+# reviews and an assignee for all npm pull requests
+
+version: 2
+updates:
+ # Keep npm dependencies up to date
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ # Raise all npm pull requests with reviewers
+ reviewers:
+ - "my-org/team-name"
+ - "octocat"
+ # Raise all npm pull requests with assignees
+ assignees:
+ - "user-name"
+```
+
+{% data reusables.dependabot.option-affects-security-updates %}
+
+See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers--).
+
+## Labeling pull requests with custom labels
+
+{% data reusables.dependabot.default-labels %}
+
+You can use `labels` to override the default labels and specify your own custom labels per package ecosystem. This is useful if, for example, you want to:
+* Use labels to assign a priority to certain pull requests.
+* Use labels to trigger another workflow, such as automatically adding the pull request onto a project board.
+
+The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have custom labels.
+
+```yaml copy
+# `dependabot.yml` file with
+# customized npm configuration
+
+version: 2
+updates:
+ # Keep npm dependencies up to date
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ # Raise all npm pull requests with custom labels
+ labels:
+ - "npm dependencies"
+ - "triage-board"
+```
+
+{% data reusables.dependabot.option-affects-security-updates %}
+
+See also [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--).
+ +## Adding a prefix to commit messages + +By default, {% data variables.product.prodname_dependabot %} attempts to detect your commit message preferences and use similar patterns. In addition, {% data variables.product.prodname_dependabot %} populates the titles of pull requests based on the commit messages. + +You can specify your own prefix for {% data variables.product.prodname_dependabot %}'s commit messages (and pull request titles) for a specific package ecosystem. This can be useful if, for example, you're running automations that process commit messages or pull requests titles. + +To specify your preferences explicitly, use `commit-message` together with the following supported options: + +* `prefix`: + * Specifies a prefix for all commit messages. + * Prefix is also added to the start of the pull request title. +* `prefix-development`: + * Specifies a separate prefix for all commit messages that update development dependencies, as defined by the package manager or ecosystem. + * Supported for `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. +* `include: "scope"`: + * Specifies that any prefix is followed by the dependency types (`deps` or `deps-dev`) updated in the commit. 
+
+The example below shows several different options, tailored per package ecosystem:
+
+```yaml copy
+# Customize commit messages
+
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ # Prefix all commit messages with "npm: "
+ prefix: "npm"
+
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ # Prefix all commit messages with [docker] " (no colon, but a trailing whitespace)
+ prefix: [docker] "
+
+ - package-ecosystem: "composer"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ # Prefix all commit messages with "Composer" plus its scope, that is, a
+ # list of updated dependencies
+ commit-message:
+ prefix: "Composer"
+ include: "scope"
+
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ # Include a list of updated dependencies
+ # with a prefix determined by the dependency group
+ commit-message:
+ prefix: "pip prod"
+ prefix-development: "pip dev"
+```
+
+{% data reusables.dependabot.option-affects-security-updates %}
+
+See also [`commit-message`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message--).
+
+## Associating pull requests with a milestone
+
+Milestones help you track the progress of groups of pull requests (or issues) towards a project goal or release. With {% data variables.product.prodname_dependabot %}, you can use the `milestone` option to associate pull requests for dependency updates with a specific milestone.
+
+You must specify the numeric identifier of the milestone and not its label. To find the numeric identifier, check the final part of the page URL, after `milestone`. For example, for `https://github.com///milestone/3`, "`3`" is the numeric identifier of the milestone.
+ +```yaml copy +# Specify a milestone for pull requests + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Associate pull requests with milestone "4" + milestone: 4 +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`milestones`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#milestones--) and [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/about-milestones). + +## Changing the separator in the pull request branch name + +{% data variables.product.prodname_dependabot %} generates a branch for each pull request. Each branch name includes `dependabot`, as well as the name of the package manager and the dependency to be updated. By default, these parts of the branch name are separated by a `/` symbol, for example: +* `dependabot/npm_and_yarn/next_js/acorn-6.4.1` + +To maintain supportability or consistency with your existing processes, you may need to ensure your branch names align with your team's existing conventions. In this case, you can use `pull-request-branch-name.separator` to specify a different separator, choosing either `_`, `/`, or `"-"`. + +In the below example, the npm configuration changes the default separator from `/` to `"-"`, so that it would appear as such: +* Default (`/`): `dependabot/npm_and_yarn/next_js/acorn-6.4.1` +* Customized (`"-"`): `dependabot-npm_and_yarn-next_js-acorn-6.4.1` + +Note that the hyphen symbol (`"-"`) must be surrounded by quotation marks so that it's not interpreted as starting an empty YAML list. 
+ +```yaml copy +# Specify a different separator for branch names + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + pull-request-branch-name: + # Change the default separator (/) to a hyphen (-) + separator: "-" +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`pull-request-branch-name.separator`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#pull-request-branch-name.separator--). + +## Targeting pull requests against a non-default branch + +By default, {% data variables.product.prodname_dependabot %} checks for manifest files on the default branch and raises pull requests for updates against the default branch. + +Generally, it makes most sense to keep {% data variables.product.prodname_dependabot %}'s checks and updates on the default branch. However, there may be some cases where you may need to specify a different target branch. If, for example, your team's processes require you to first test and validate updates on a non-production branch, you can use `target-branch` to specify a different branch for {% data variables.product.prodname_dependabot %} to raise pull requests against. + +>[!NOTE] +> {% data variables.product.prodname_dependabot %} raises pull requests for security updates against the **default branch only**. If you use `target-branch`, then as a result, all configuration settings for that package manager will then _only_ apply to version updates, and not security updates. 
+ +```yaml copy +# Specify a non-default branch for pull requests for pip + +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + # Raise pull requests for version updates + # to pip against the `develop` branch + target-branch: "develop" + # Labels on pull requests for version updates only + labels: + - "pip dependencies" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Check for npm updates on Sundays + day: "sunday" + # Labels on pull requests for security and version updates + labels: + - "npm dependencies" +``` + +See also [`target-branch`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#target-branch--). diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md deleted file mode 100644 index dbef8ac1f814..000000000000 --- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md +++ /dev/null 
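Review bot: The Docker entry in the `commit-message` example of this new file has lost its opening quotation mark: `prefix: [docker] "` is not valid YAML (a flow sequence followed by a stray quote), and the comment above it shows the same truncation, so anyone using the `copy` button on that block gets a `dependabot.yml` that fails to parse. The two lines should read `# Prefix all commit messages with "[docker] " (no colon, but a trailing whitespace)` and `prefix: "[docker] "`. If the missing quote is an artifact of how this page was rendered rather than of the committed file, the only action is to confirm the quote is present in the source.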
@@ -1,194 +0,0 @@
----
-title: Customizing dependency updates
-intro: 'You can customize how {% data variables.product.prodname_dependabot %} maintains your dependencies.'
-permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
-redirect_from:
- - /github/administering-a-repository/customizing-dependency-updates
- - /code-security/supply-chain-security/customizing-dependency-updates
- - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates
-versions:
- fpt: '*'
- ghec: '*'
- ghes: '*'
-type: how_to
-topics:
- - Dependabot
- - Version updates
- - Security updates
- - Repositories
- - Dependencies
- - Pull requests
- - Vulnerabilities
-shortTitle: Customize updates
----
-
-{% data reusables.dependabot.enterprise-enable-dependabot %}
-
-## About customizing dependency updates
-
-After you've enabled version updates, you can customize how {% data variables.product.prodname_dependabot %} maintains your dependencies by adding further options to the `dependabot.yml` file.
For example, you could:
-
-* Specify which day of the week to open pull requests for version updates: `schedule.day`
-* Set reviewers, assignees, and labels for each package manager: `reviewers`, `assignees`, and `labels`{%- ifversion dependabot-version-updates-groups %}
-* Create groups of dependencies (per package ecosystem), so that {% data variables.product.prodname_dependabot %} updates the group of dependencies in a single pull request: `groups`{% endif %}
-* Define a versioning strategy for changes to each manifest file: `versioning-strategy`
-* Change the maximum number of open pull requests for version updates from the default of 5: `open-pull-requests-limit`
-* Open pull requests for version updates to target a specific branch, instead of the default branch: `target-branch`
-
-For more information about the configuration options, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
-
-When you update the `dependabot.yml` file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates).
-
-## Impact of configuration changes on security updates
-
-If you customize the `dependabot.yml` file, you may notice some changes to the pull requests raised for security updates. These pull requests are always triggered by a security advisory for a dependency, rather than by the {% data variables.product.prodname_dependabot %} schedule.
However, they inherit relevant configuration settings from the `dependabot.yml` file unless you specify a different target branch for version updates.
-
-For an example, see [Setting custom labels](#setting-custom-labels) below.
-
-{% ifversion dependabot-grouped-security-updates-config %}
-
-> [!NOTE]
-> If you use grouped security updates, the grouped pull requests will also inherit non-group configuration settings from the `dependabot.yml` file, and any group rules specified with `applies-to: security-updates` will apply. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates).
-
-{% endif %}
-
-## Modifying scheduling
-
-When you set a `daily` update schedule, by default, {% data variables.product.prodname_dependabot %} checks for new versions at 05:00 UTC. You can use `schedule.time` to specify an alternative time of day to check for updates (format: `hh:mm`).
-
-The example `dependabot.yml` file below expands the npm configuration to specify when {% data variables.product.prodname_dependabot %} should check for version updates to dependencies.
-
-```yaml
-# `dependabot.yml` file with
-# customized schedule for version updates
-
-version: 2
-updates:
- # Keep npm dependencies up to date
- - package-ecosystem: "npm"
- directory: "/"
- # Check the npm registry for updates at 2am UTC
- schedule:
- interval: "daily"
- time: "02:00"
-```
-
-## Setting reviewers and assignees
-
-By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees.
-
-You can use `reviewers` and `assignees` to specify reviewers and assignees for all pull requests raised for a package manager. When you specify a team, you must use the full team name, as if you were @mentioning the team (including the organization).
-
-The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm will have two reviewers and one assignee.
-
-```yaml
-# `dependabot.yml` file with
-# reviews and an assignee for all npm pull requests
-
-version: 2
-updates:
- # Keep npm dependencies up to date
- - package-ecosystem: "npm"
- directory: "/"
- schedule:
- interval: "weekly"
- # Raise all npm pull requests with reviewers
- reviewers:
- - "my-org/team-name"
- - "octocat"
- # Raise all npm pull requests with an assignee
- assignees:
- - "user-name"
-```
-
-## Setting custom labels
-
-{% data reusables.dependabot.default-labels %}
-
-You can use `labels` to override the default labels and specify alternative labels for all pull requests raised for a package manager. You can't create new labels in the `dependabot.yml` file, so the alternative labels must already exist in the repository.
-
-The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm will have custom labels. It also changes the Docker configuration to check for version updates against a custom branch and to raise pull requests with custom labels against that custom branch. The changes to Docker will not affect security update pull requests because security updates are always made against the default branch.
-
-> [!NOTE]
-> The new `target-branch` must contain a Dockerfile to update, otherwise this change will have the effect of disabling version updates for Docker.
-
-```yaml
-# `dependabot.yml` file with
-# customized npm configuration
-
-version: 2
-updates:
- # Keep npm dependencies up to date
- - package-ecosystem: "npm"
- directory: "/"
- schedule:
- interval: "weekly"
- # Raise all npm pull requests with custom labels
- labels:
- - "npm dependencies"
- - "triage-board"
-
- # Keep Docker dependencies up to date
- - package-ecosystem: "docker"
- directory: "/"
- schedule:
- interval: "weekly"
- # Raise pull requests for Docker version updates
- # against the "develop" branch. The Docker configuration
- # no longer affects security update pull requests.
- target-branch: "develop"
- # Use custom labels on pull requests for Docker version updates
- labels:
- - "Docker dependencies"
- - "triage-board"
-```
-
-{% ifversion dependabot-version-updates-groups %}
-
-## Grouping {% data variables.product.prodname_dependabot_updates %} into one pull request
-
-{% data reusables.dependabot.dependabot-version-updates-groups-about %}
-
-{% data reusables.dependabot.dependabot-version-updates-groups-semver %}
-
-{% data reusables.dependabot.dependabot-version-updates-groups-match-first %}
-
-{% ifversion dependabot-grouped-security-updates-config %}{% data reusables.dependabot.dependabot-security-updates-groups-supported %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %}
-
-You must configure groups per package ecosystem.
-
-### Example configurations for `groups`
-
-{% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %}
-
-For more information about configuring dependency groups in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups).
-
-{% endif %}
-
-## Ignoring specific dependencies for {% ifversion dependabot-grouped-security-updates-config %}{% data variables.product.prodname_dependabot_updates %}{% else %}{% data variables.product.prodname_dependabot_version_updates %}{% endif %}
-
-If you are not ready to adopt changes from dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can do this using one of the following methods.
-
-* Configure the `ignore` option for the dependency in your `dependabot.yml` file. You can use this to ignore updates for specific dependencies, versions, and types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore).
-* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can use comment commands to ignore updates for specific dependencies and versions. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
-
-If you would like to un-ignore a dependency or ignore condition, you can delete the ignore conditions from the `dependabot.yml` file or reopen the pull request.
-
-{% ifversion dependabot-version-updates-groups %}For pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use `@dependabot unignore` comment commands.
The `@dependabot unignore` comment commands enable you to do the following by commenting on a {% data variables.product.prodname_dependabot %} pull request:
-
-* Un-ignore a specific ignore condition
-* Un-ignore a specific dependency
-* Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request
-
-{% ifversion dependabot-grouped-security-updates-config %}{% else %}
-
-> [!NOTE]
-> The `@dependabot unignore` comment commands only work on pull requests for grouped version updates.
-
-{% endif %}
-
-For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands).{% endif %}
-
-## More examples
-
-For more examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
diff --git a/content/code-security/dependabot/dependabot-version-updates/index.md b/content/code-security/dependabot/dependabot-version-updates/index.md
index 471ac2be6bb0..366ec0da3382 100644
--- a/content/code-security/dependabot/dependabot-version-updates/index.md
+++ b/content/code-security/dependabot/dependabot-version-updates/index.md
@@ -5,6 +5,10 @@ allowTitleToDifferFromFilename: true
 redirect_from:
 - /github/administering-a-repository/keeping-your-dependencies-updated-automatically
 - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically
+ - /github/administering-a-repository/customizing-dependency-updates
+ - /code-security/supply-chain-security/customizing-dependency-updates
+ - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates
+ - /code-security/dependabot/dependabot-version-updates/customizing-dependency-updates
 versions:
 fpt: '*'
 ghec: '*'
@@ -18,9 +22,8 @@ topics:
 children:
 - /about-dependabot-version-updates
 - /configuring-dependabot-version-updates
- - /listing-dependencies-configured-for-version-updates
- - /customizing-dependency-updates
- - /configuration-options-for-the-dependabot.yml-file
+ - /optimizing-pr-creation-version-updates
+ - /customizing-dependabot-prs
+ - /controlling-dependencies-updated
 shortTitle: Dependabot version updates
 ---
-
diff --git a/content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md
new file mode 100644
index 000000000000..e83c435beaa6
--- /dev/null
+++ b/content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md
@@ -0,0 +1,73 @@
+---
+title: Optimizing the creation of pull requests for Dependabot version updates
+intro: 'Learn how to streamline and efficiently manage your {% data variables.product.prodname_dependabot %} pull requests.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
+versions:
+ feature: dependabot-version-updates-groups
+type: how_to
+topics:
+ - Dependabot
+ - Version updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Optimize PR creation
+---
+
+By default, {% data variables.product.prodname_dependabot %} opens a new pull request to update each dependency. When you enable security updates, new pull requests are opened when a vulnerable dependency is found. When you configure version updates for one or more ecosystems, new pull requests are opened when new versions of dependencies are available, with the frequency defined in the `dependabot.yml` file.
+
+If your project has many dependencies, you might find that you have a very large number of {% data variables.product.prodname_dependabot %} pull requests to review and merge, which can quickly become difficult to manage.
+
+There are a couple of customization options you can implement to optimize {% data variables.product.prodname_dependabot %} update pull requests to align with your processes, such as:
+* **Controlling the frequency** with which {% data variables.product.prodname_dependabot %} checks for newer versions of your dependencies with `schedule`.
+* **Prioritize meaningful updates** with `groups`.
+
+## Controlling the frequency and timings of dependency updates
+
+{% data variables.product.prodname_dependabot %} runs its checks for version updates at a frequency set by you in the configuration file (where the required field, `schedule.interval`, must be set to `daily`, `weekly`, or `monthly`).
+
+By default, {% data variables.product.prodname_dependabot %} balances its workload by assigning a random time to check and raise pull requests for dependency updates.
+
+However, to reduce distraction, or to better organize time and resources for reviewing and addressing version updates, you might find it useful to modify the frequency and timings. For example, you may prefer {% data variables.product.prodname_dependabot %} to run weekly rather than daily checks for updates, and at a time that ensures pull requests are raised before for your team's triage session.
+
+You can use `schedule` with a combination of options to modify the frequency and timings of when {% data variables.product.prodname_dependabot %} checks for version updates
+
+The example `dependabot.yml` file below changes the npm configuration to specify that {% data variables.product.prodname_dependabot %} should check for version updates to npm dependencies every day at 02:00 Japanese Standard Time (UTC +09:00).
+
+```yaml copy
+# `dependabot.yml` file with
+# customized schedule for version updates
+
+version: 2
+updates:
+ # Keep npm dependencies up to date
+ - package-ecosystem: "npm"
+ directory: "/"
+ # Check the npm registry every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00)
+ schedule:
+ interval: "weekly"
+ day: "tuesday"
+ time: "02:00"
+ timezone: "Asia/Tokyo"
+```
+
+See also [schedule](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#schedule-).
+
+## Prioritizing meaningful updates
+
+You can use `groups` to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher risk updates, and minimize the time spent reviewing minor version updates. For example, you can combine updates for minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that impact a key area of your codebase.
+
+You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria:
+
+{% ifversion dependabot-grouped-security-updates-config %}
+* {% data variables.product.prodname_dependabot %} update type: `applies-to`{% endif %}
+* Type of dependency: `dependency-type`.
+* Dependency name: `patterns` and `exclude-patterns`
+* Semantic versioning levels: `update-types`
+
+To see all supported values for each criterion, see [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--).
+
+The below examples present several different methods to create groups of dependencies using the criteria.
+
+{% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %}
diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md
index 9e43640d73f7..ea2e5e7e89ee 100644
--- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md
+++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md
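Review bot: The sentence introducing the schedule example says {% data variables.product.prodname_dependabot %} should check "every day at 02:00 Japanese Standard Time", but the example itself sets `interval: "weekly"` and `day: "tuesday"` and its own comment says "every week on Tuesday"; the prose should match the configuration, e.g. `...should check for version updates to npm dependencies every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00).` Two smaller wording defects sit in the same hunk: "raised before for your team's triage session" should read "raised before your team's triage session", and the sentence "You can use `schedule` with a combination of options ... checks for version updates" is missing its closing period. The bulleted list under "customization options" mixes gerund and imperative ("**Controlling the frequency**" vs "**Prioritize meaningful updates**"); making both gerunds keeps it parallel.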
@@ -29,8 +29,8 @@ In this article, you can see what the supported ecosystems and repositories are. ## Supported ecosystems and repositories -You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see [`vendor`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#vendor). -{% data variables.product.prodname_dependabot %} also supports dependencies in private registries. For more information, see [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries). +You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see [`vendor`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor). +{% data variables.product.prodname_dependabot %} also supports dependencies in private registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). {% ifversion ghes %} > [!NOTE] diff --git a/content/code-security/dependabot/index.md b/content/code-security/dependabot/index.md index 54b1d60dc439..16246ea41cea 100644 --- a/content/code-security/dependabot/index.md +++ b/content/code-security/dependabot/index.md @@ -20,4 +20,6 @@ children: - /dependabot-security-updates - /dependabot-version-updates - /working-with-dependabot + - /maintain-dependencies + - /troubleshooting-dependabot --- diff --git a/content/code-security/dependabot/maintain-dependencies/index.md b/content/code-security/dependabot/maintain-dependencies/index.md new file mode 100644 index 000000000000..de9090464d90 --- /dev/null 
+++ b/content/code-security/dependabot/maintain-dependencies/index.md
@@ -0,0 +1,17 @@
+---
+title: Maintaining dependencies at scale
+shortTitle: Maintain dependencies at scale
+intro: 'You can use {% data variables.product.prodname_dependabot %} to automatically update your dependencies for your repositories and organizations.'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+topics:
+ - Dependabot
+ - Organizations
+ - Security
+ - Dependencies
+children:
+ - /managing-dependabot-on-self-hosted-runners
+ - /removing-dependabot-access-to-public-registries
+---
diff --git a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md b/content/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners.md
similarity index 96%
rename from content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md
rename to content/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners.md
index 148380121511..fc4311d9b41e 100644
--- a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md
+++ b/content/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners.md
@@ -13,6 +13,8 @@ topics:
 - Actions
 - Dependencies
 - Repositories
+redirect_from:
+ - /code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners
 ---

 ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners
@@ -29,7 +31,7 @@ To have greater control over {% data variables.product.prodname_dependabot %} ac For security reasons, when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, {% data variables.product.prodname_dependabot_updates %} will not be run on public repositories. -For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). +For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). ## Prerequisites 
@@ -68,8 +70,7 @@ If {% data variables.product.prodname_dependabot %} needs to interact with regis * Install any self-signed certificates for registries that {% data variables.product.prodname_dependabot %} will need to interact with. 1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner). - -1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events). +1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events). ## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %} diff --git a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md b/content/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries.md similarity index 83% rename from content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md rename to content/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries.md index 96daffbc9527..58a0524f342c 100644 --- a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md 
+++ b/content/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries.md @@ -13,6 +13,7 @@ topics: shortTitle: Remove access to public registries redirect_from: - /code-security/dependabot/working-with-dependabot/configuring-dependabot-to-only-access-private-registries + - /code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries --- ## About configuring {% data variables.product.prodname_dependabot %} to only access private registries @@ -32,11 +33,11 @@ You can configure {% data variables.product.prodname_dependabot %} to access _on ## Bundler -To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server). +To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#rubygems-server). The Bundler ecosystem additionally requires a `Gemfile` file with the private registry URL to be checked into the repository. -```yaml +```yaml copy # Example Gemfile source "https://private_registry_url" 
@@ -48,12 +49,12 @@ To configure the Docker ecosystem to only access private registries, you can use **Option 1** -Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). +Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. -```yaml +```yaml copy version: 2 registries: azuretestregistry: # Define access for a private registry 
@@ -65,19 +66,19 @@ registries: In the `Dockerfile` file, add the image name in the format of `IMAGE[:TAG]`, where `IMAGE` consists of your username and the name of the repository. -```yaml +```yaml copy FROM firewallregistrydep.azurecr.io/myreg/ubuntu:22.04 ``` **Option 2** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. ## Gradle To configure the Gradle ecosystem to only access private registries, you can use these configuration methods. -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). > [!NOTE] > Remove replaces-base: true from the configuration file. 
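Review bot: The note that closes this hunk, `> Remove replaces-base: true from the configuration file.`, leaves the key/value unformatted, whereas the equivalent notes in the Docker and npm sections of the same file wrap it in backticks as `replaces-base: true`. Since the commit is already retouching the Gradle section, changing the line to `> Remove `replaces-base: true` from the configuration file.` would keep the notes consistent and make the literal that users must delete stand out. The Gradle section continues past the end of this hunk.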
@@ -100,7 +101,7 @@ To configure the Maven ecosystem to only access private registries, you can use **Option 1** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). **Option 2** 
@@ -127,20 +128,20 @@ To configure the npm ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. The npm ecosystem additionally requires a `.npmrc` file with the private registry URL to be checked into the repository. - ```yaml + ```yaml copy registry=https://private_registry_url ``` **Option 2** -If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. 
@@ -155,14 +156,14 @@ To configure the Yarn Classic ecosystem to only access private registries, you c **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the `resolved` field to include the private registry URL. -```yaml +```yaml copy encoding@^0.1.11: version "0.1.13" resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9" 
@@ -177,13 +178,13 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour 1. Define the private registry configuration in a `dependabot.yml` file 1. Add the registry to a `.yarnrc` file in the project root with the key registry. Alternatively run `yarn config set registry `. - ```yaml + ```yaml copy registry https://private_registry_url ``` **Option 3** -If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. @@ -194,7 +195,7 @@ To configure the Yarn Berry ecosystem to only access private registries, you can **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. 
@@ -203,7 +204,7 @@ To ensure the private registry is listed as the dependency source in the project {% raw %} -```yaml +```yaml copy encoding@^0.1.11: version "0.1.13" resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9" @@ -228,7 +229,7 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour ## NuGet -To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed). +To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#nuget-feed). The NuGet ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file. @@ -260,7 +261,7 @@ This is an example of adding key `nuget.org` as true to the `disabledPackageSour To configure {% data variables.product.prodname_dependabot %} to access both private _and_ public feeds, view the following `dependabot.yml` example which includes the configured `public` feed under `registries`: -```yaml +```yaml copy version: 2 registries: nuget-example: 
@@ -289,14 +290,14 @@ To configure the Pip ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. Add the private registry URL to the `[global]` section of the `pip.conf` file and check the file into the repository. - ```yaml + ```yaml copy [global] timeout = 60 index-url = https://private_registry_url @@ -304,7 +305,7 @@ Add the private registry URL to the `[global]` section of the `pip.conf` file an **Option 2** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). ### Pip-compile 
@@ -312,31 +313,31 @@ To configure the Pip-compile ecosystem to only access private registries, you ca **Option 1** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). **Option 2** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. Add the private registry URL to the `requirements.txt` file and check the file into the repository. -```yaml +```yaml copy --index-url https://private_registry_url ``` ### Pipenv -To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). > [!NOTE] > Delete `replaces-base: true` from the configuration file. Add the private registry URL to the `[[source]]` section of the `Pipfile` file and check the file into the repository. 
-```yaml +```yaml copy [[source]] url = "https://private_registry_url" verify_ssl = true @@ -345,11 +346,11 @@ name = "pypi" ### Poetry -To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). Add the private registry url to the `[[tool.poetry.source]]` section of the `pyproject.toml` file and checked it in the repository. -```yaml +```yaml copy [[tool.poetry.source]] name = "private" url = "https://private_registry_url" diff --git a/content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md b/content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md new file mode 100644 index 000000000000..0520dfdf0c22 --- /dev/null +++ b/content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md 
@@ -0,0 +1,60 @@
+---
+title: Dependabot update pull requests no longer generated
+intro: '{% data variables.product.prodname_dependabot %} can pause updates based on your interaction with {% data variables.product.prodname_dependabot %} pull requests. Learn more about the automatic deactivation of {% data variables.product.prodname_dependabot_updates %}.'
+allowTitleToDifferFromFilename: true
+permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+type: how_to
+topics:
+ - Dependabot
+ - Version updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Dependabot stopped working
+---
+
+* When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know.
+
+* {% data variables.product.prodname_dependabot %} stops rebasing pull requests for version and security updates after 30 days, reducing notifications for inactive {% data variables.product.prodname_dependabot %} pull requests.
+
+## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}
+
+{% data variables.product.prodname_dependabot %} pauses updates on your repositories, based on your interaction with pull requests from {% data variables.product.prodname_dependabot_updates %}. When {% data variables.product.prodname_dependabot %} automatically deactivates {% data variables.product.prodname_dependabot_updates %}, there is:
+
+* No creation of pull requests for version and security updates.
+* No rebasing of {% data variables.product.prodname_dependabot %} pull requests for inactive repositories.
+
+>[!NOTE] The automatic deactivation of {% data variables.product.prodname_dependabot %} updates only applies to repositories where {% data variables.product.prodname_dependabot %} has opened pull requests but the pull requests remain untouched.
If {% data variables.product.prodname_dependabot %} hasn't opened any pull requests, {% data variables.product.prodname_dependabot %} will never become paused.
+
+An active repository is a repository where a user (**not** {% data variables.product.prodname_dependabot %}) has taken **any** of the following actions in the last 90 days:
+
+* Merged or closed a {% data variables.product.prodname_dependabot %} pull request on the repository.
+* Made a change to the `dependabot.yml` file for the repository.
+* Manually triggered a security update or a version update.
+* Enabled {% data variables.product.prodname_dependabot_security_updates %} for the repository.
+* Used `@dependabot` commands on pull requests.
+
+An inactive repository is a repository:
+
+* That has at least one {% data variables.product.prodname_dependabot %} pull request open for more than 90 days,
+* That has been enabled for the full period, and
+* Where none of the actions listed above has been taken by a user.
+
+## How to know if {% data variables.product.prodname_dependabot_updates %} are paused
+
+When {% data variables.product.prodname_dependabot %} is paused, {% data variables.product.github %} adds a banner notice:
+* To all open {% data variables.product.prodname_dependabot %} pull requests.
+* To the UI of the **Settings** tab of the repository (under {% ifversion ghes %}**Code security and analysis**{% else %}**Code security**{% endif %}, then **{% data variables.product.prodname_dependabot %}**).
+* To the list of {% data variables.product.prodname_dependabot_alerts %} (if {% data variables.product.prodname_dependabot_security_updates %} are affected).
+
+{% ifversion dependabot-updates-paused-enterprise-orgs %} Additionally, you will be able to see whether {% data variables.product.prodname_dependabot %} is paused at the organization level in the security overview. The `paused` status will also be visible via the API.
For more information, see [AUTOTITLE](/rest/repos#enable-automated-security-fixes).{% endif %}
+
+## About automatic reactivation of {% data variables.product.prodname_dependabot_updates %}
+
+As soon as someone interacts with a {% data variables.product.prodname_dependabot %} pull request again, {% data variables.product.prodname_dependabot %} will unpause itself:
+* Security updates are automatically resumed for {% data variables.product.prodname_dependabot_alerts %}.
+* Version updates are automatically resumed with the schedule specified in the `dependabot.yml` file.
diff --git a/content/code-security/dependabot/troubleshooting-dependabot/index.md b/content/code-security/dependabot/troubleshooting-dependabot/index.md
new file mode 100644
index 000000000000..3ca1c139c11d
--- /dev/null
+++ b/content/code-security/dependabot/troubleshooting-dependabot/index.md
@@ -0,0 +1,23 @@
+---
+title: Troubleshooting Dependabot
+intro: 'If you have problems with {% data variables.product.prodname_dependabot %}, you can use tips in these articles to help resolve issues.'
+allowTitleToDifferFromFilename: true
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+topics:
+ - Dependabot
+ - Dependencies
+ - Alerts
+ - Vulnerabilities
+ - Repositories
+shortTitle: Troubleshoot Dependabot
+children:
+ - /listing-dependencies-configured-for-version-updates
+ - /viewing-dependabot-job-logs
+ - /dependabot-updates-stopped
+ - /troubleshooting-dependabot-errors
+ - /troubleshooting-dependabot-on-github-actions
+ - /troubleshooting-the-detection-of-vulnerable-dependencies
+---
diff --git a/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md b/content/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates.md
similarity index 82%
rename from content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md
rename to content/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates.md
index 407b1e0107dd..2574bfda1561 100644
--- a/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md
+++ b/content/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates.md
@@ -6,6 +6,7 @@ redirect_from:
 - /github/administering-a-repository/listing-dependencies-configured-for-version-updates
 - /code-security/supply-chain-security/listing-dependencies-configured-for-version-updates
 - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/listing-dependencies-configured-for-version-updates
+ - /code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates
 versions:
 fpt: '*'
 ghec: '*'
@@ -35,20 +36,14 @@ After you've enabled version updates, you can confirm that your configuration is If any dependencies are missing, check the log files for errors. If any package managers are missing, review the configuration file. -## Viewing {% data variables.product.prodname_dependabot %} log files - {% ifversion dependabot-job-log %} -{% data reusables.dependabot.dependabot-jobs-log-access %} - -To view the full logs files for a particular job, to the right of the log entry you are interested in, click **view logs**. - -![Screenshot of a Dependabot job log entry for the Gemfile package manager. A button, called "View logs", is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-logs.png) - -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). +For information about {% data variables.product.prodname_dependabot %} job logs, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). {% else %} +## Viewing {% data variables.product.prodname_dependabot %} log files + 1. On the **{% data variables.product.prodname_dependabot %}** tab, click **Last checked _TIME_ ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates. 1. Optionally, to rerun the version check, click **Check for updates**. diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors.md similarity index 92% rename from content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md rename to content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors.md index 3a1b57660d4f..e506b79fe1da 100644 
--- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors.md
@@ -7,6 +7,7 @@ redirect_from:
 - /github/managing-security-vulnerabilities/troubleshooting-dependabot-errors
 - /code-security/supply-chain-security/troubleshooting-dependabot-errors
 - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-dependabot-errors
+ - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors
 versions:
 fpt: '*'
 ghec: '*'
@@ -36,13 +37,14 @@ If anything prevents {% data variables.product.prodname_dependabot %} from raisi {% ifversion dependabot-on-actions-opt-in %} For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). + {% endif %} ## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %} When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request. -![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view, showing two alerts. To the right side of one alert, a link to a pull request, titled "#353", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-alert-pr-link.png) +![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view. To the right of one alert, a link to a pull request, titled "#353", is outlined in orange.](/assets/images/help/dependabot/dependabot-alert-pr-link.png) There are several reasons why an alert may have no pull request link: 
@@ -64,7 +66,7 @@ To view the full logs files for a particular job, to the right of the log entry ![Screenshot of the Dependabot job log entries for a manifest file. A button, called "View logs", is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-log-error-message.png) -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). +For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). {% else %} 
@@ -144,7 +146,7 @@ If a security update times out, you can reduce the chances of this happening by There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests. -There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit). +There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#open-pull-requests-limit). The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see [Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually). 
@@ -171,7 +173,7 @@ To allow {% data variables.product.prodname_dependabot %} to update the dependen ### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_version_updates %} -{% ifversion dependabot-grouped-security-updates-config %}The [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. +{% ifversion dependabot-grouped-security-updates-config %}The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. {% data reusables.dependabot.dependabot-grouped-updates-applies-to %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %} @@ -179,7 +181,7 @@ When you configure grouped version updates, you must configure groups per packag You may have unintentionally created empty groups. This happens, for example, when you set a `dependency-type` in the `allow` key for the overall job. -```yaml +```yaml copy allow: dependency-type: production # this restricts the entire job to production dependencies 
@@ -197,13 +199,13 @@ In this example, {% data variables.product.prodname_dependabot %} will: You need to ensure that configuration settings don't cancel each other, and update them appropriately in your configuration file. -For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups). +For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups). {% ifversion dependabot-grouped-security-updates-config %} ### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_security_updates %} -The [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates. +The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. 
If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates. {% data reusables.dependabot.dependabot-grouped-updates-applies-to %} @@ -214,7 +216,7 @@ For grouped security updates, {% data variables.product.prodname_dependabot %} u * {% data variables.product.prodname_dependabot %} **will not** group dependencies from different package ecosystems together. * {% data variables.product.prodname_dependabot %} **will not** group security updates with version updates. -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#impact-of-configuration-changes-on-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates). +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). {% endif %} @@ -262,4 +264,4 @@ If you unblock {% data variables.product.prodname_dependabot %}, you can manuall ## Further reading * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md new file mode 100644 index 000000000000..6b992b71bc91 --- /dev/null 
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md 
@@ -0,0 +1,108 @@
+---
+title: Troubleshooting Dependabot on GitHub Actions
+intro: 'This article provides troubleshooting information for issues you may encounter when using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+type: how_to
+topics:
+ - Actions
+ - Dependabot
+ - Version updates
+ - Security updates
+ - Repositories
+ - Dependencies
+ - Pull requests
+shortTitle: Troubleshoot Dependabot on Actions
+redirect_from:
+ - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions
+---
+
+## Restrictions when {% data variables.product.prodname_dependabot %} triggers events
+
+{% data reusables.dependabot.working-with-actions-considerations %}
+
+For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, these restrictions apply:
+
+* `GITHUB_TOKEN` has read-only permissions by default.
+* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available.
+
+For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available.
+
+These restrictions apply even if the workflow is re-run by a different actor.
+
+For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+
+## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows
+
+{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %}
+
+Some troubleshooting advice is provided in this article. You can also see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions).
+
+### Accessing secrets
+
+When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are **not available**. You must therefore store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use).
+
+{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow).
+
+If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use.
+
+For examples that use conditions, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions).
+
+To access a private container registry on AWS with a user name and password, a workflow must include a secret for `username` and `password`.
+
+In this example, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used.
+
+```yaml copy
+name: CI
+on:
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: {% data reusables.actions.action-checkout %}
+
+ - name: Login to private container registry for dependencies
+ uses: docker/login-action@3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
+ with:
+ registry: https://1234567890.dkr.ecr.us-east-1.amazonaws.com
+ username: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY_ID }}{% endraw %}
+ password: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY }}{% endraw %}
+
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
+```
+
+### Changing `GITHUB_TOKEN` permissions
+
+By default, {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} get a `GITHUB_TOKEN` with read-only permissions. You can use the `permissions` key in your workflow to increase the access for the token:
+
+{% raw %}
+
+```yaml copy
+name: CI
+on: pull_request
+
+# Set the access for individual scopes, or use permissions: write-all
+permissions:
+ pull-requests: write
+ issues: write
+ repository-projects: write
+ ...
+
+jobs:
+ ...
+```
+
+{% endraw %}
+
+For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token).
+
+## Manually re-running a workflow
+
+When you manually re-run a {% data variables.product.prodname_dependabot %} workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs).
diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md
similarity index 95%
rename from content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md
rename to content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md
index 4d85ea83157e..2f50c05f190d 100644
--- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md
@@ -6,6 +6,7 @@ redirect_from:
 - /github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies
 - /code-security/supply-chain-security/troubleshooting-the-detection-of-vulnerable-dependencies
 - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies
+ - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
 versions:
 fpt: '*'
 ghes: '*'
@@ -32,7 +33,7 @@ topics: * {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies and malware. It's a free, curated database of security advisories for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. {% data reusables.security-advisory.link-browsing-advisory-db %} * The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph). * {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). 
-* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors). +* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors). {% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies). 
@@ -85,7 +86,7 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var ## Can Dependabot ignore specific dependencies? -You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). +You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies). ## Further reading 
@@ -93,5 +94,5 @@ You can configure {% data variables.product.prodname_dependabot %} to ignore spe * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) * [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors){% ifversion dependabot-on-actions-opt-in %} +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors){% ifversion dependabot-on-actions-opt-in %} * [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners){% endif %} diff --git a/content/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs.md b/content/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs.md similarity index 96% rename from content/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs.md rename to content/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs.md index af6efec28384..91efc7a59701 100644 --- a/content/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs.md @@ -12,6 +12,8 @@ topics: - Errors - Security updates - Dependencies +redirect_from: + - /code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs --- ## About {% data variables.product.prodname_dependabot %} job logs 
diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 25a6b2111d56..b77a81fc1ae5 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -53,7 +53,7 @@ Future releases of {% data variables.product.product_name %} will remove the abi If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. ->[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners). +>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run. 
@@ -91,11 +91,11 @@ If you run into {% data variables.product.prodname_dependabot %} timeouts and ou > [!NOTE] You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} _at the organization level_. {% data variables.product.prodname_dotcom %} will bill your organization at the regular Actions runner pricing. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates). 1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). -1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. +1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. ## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners -When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. 
For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). +When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). @@ -120,4 +120,4 @@ To re-run a {% data variables.product.prodname_dependabot_version_updates %} or ## Further reading -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 6940670b63aa..0ac8a10d565a 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -20,107 +20,36 @@ redirect_from: - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions --- -{% data reusables.dependabot.enterprise-enable-dependabot %} - -## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} - -{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request. - {% ifversion dependabot-on-actions-opt-in %} ->[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. For more information about running {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners) instead. -{% endif %} - -## Responding to events - -{% data variables.product.prodname_dependabot %} is able to trigger {% data variables.product.prodname_actions %} workflows on its pull requests and comments; however, certain events are treated differently. - -For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, the following restrictions apply: - -* `GITHUB_TOKEN` has read-only permissions by default. -* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. 
- -For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available. - -These restrictions apply even if the workflow is re-run by a different actor. - -For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). - -### Changing `GITHUB_TOKEN` permissions - -By default, {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} get a `GITHUB_TOKEN` with read-only permissions. You can use the `permissions` key in your workflow to increase the access for the token: - -{% raw %} - -```yaml -name: CI -on: pull_request - -# Set the access for individual scopes, or use permissions: write-all -permissions: - pull-requests: write - issues: write - repository-projects: write - ... -jobs: - ... -``` - -{% endraw %} - -For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). - -### Accessing secrets - -When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. 
For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use). - -{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow). - -If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use. For examples that use conditions, see [Common automations](#common-dependabot-automations) below. - -To access a private container registry on AWS with a user name and password, a workflow must include a secret for `username` and `password`. In the example below, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used. +>[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. 
For more information about running {% data variables.product.prodname_dependabot_updates %} using {% data variables.product.prodname_actions %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners) instead. +{% endif %} -```yaml -name: CI -on: - pull_request: - branches: [ main ] +You can use {% data variables.product.prodname_actions %} to perform automated tasks when {% data variables.product.prodname_dependabot %} creates pull requests to update dependencies. You may find this useful if you want to: -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: {% data reusables.actions.action-checkout %} +* Ensure that {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) are created with the right data for your work processes, including labels, names, and reviewers. - - name: Login to private container registry for dependencies - uses: docker/login-action@3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c - with: - registry: https://1234567890.dkr.ecr.us-east-1.amazonaws.com - username: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY_ID }}{% endraw %} - password: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY }}{% endraw %} +* Trigger workflows to send {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) into your review process or to merge automatically. - - name: Build the Docker image - run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) -``` +{% data reusables.dependabot.enterprise-enable-dependabot %} -### Manually re-running a workflow +## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} -When you manually re-run a Dependabot workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. 
For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). +{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. -## Common Dependabot automations +{% data reusables.dependabot.working-with-actions-considerations %} For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions). -Here are several common scenarios that can be automated using {% data variables.product.prodname_actions %}. +Here are several common scenarios for pull requests that can be automated using {% data variables.product.prodname_actions %}. -### Fetch metadata about a pull request +## Fetching metadata about a pull request -A large amount of automation requires knowing information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. +Most automation requires you to know information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by {% data variables.product.prodname_dependabot %}. -The `dependabot/fetch-metadata` action provides all that information for you: +Example: {% raw %} -```yaml +```yaml copy name: Dependabot fetch metadata on: pull_request 
@@ -149,15 +78,15 @@ jobs: For more information, see the [`dependabot/fetch-metadata`](https://github.com/dependabot/fetch-metadata) repository. -### Label a pull request +## Labeling a pull request -If you have other automation or triage workflows based on {% data variables.product.prodname_dotcom %} labels, you can configure an action to assign labels based on the metadata provided. +If you have other automation or triage workflows based on {% data variables.product.github %} labels, you can configure an action to assign labels based on the metadata provided. -For example, if you want to flag all production dependency updates with a label: +Example that flags all production dependency updates with a label: {% raw %} -```yaml +```yaml copy name: Dependabot auto-label on: pull_request @@ -185,13 +114,15 @@ jobs: {% endraw %} -### Approve a pull request +## Automatically approving a pull request -If you want to automatically approve Dependabot pull requests, you can use the {% data variables.product.prodname_cli %} in a workflow: +You can automatically approve {% data variables.product.prodname_dependabot %} pull requests by using the {% data variables.product.prodname_cli %} in a workflow. + +Example: {% raw %} -```yaml +```yaml copy name: Dependabot auto-approve on: pull_request 
@@ -217,20 +148,17 @@ jobs: {% endraw %} -### Enable auto-merge on a pull request - -If you want to allow maintainers to mark certain pull requests for auto-merge, you can use {% data variables.product.prodname_dotcom %}'s auto-merge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) and [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). +## Enabling automerge on a pull request -{% ifversion repo-rules %}As an alternative to branch protection rules, you can create rulesets. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).{% endif %} +If you want to allow maintainers to mark certain pull requests for automerge, you can use {% data variables.product.prodname_dotcom %}'s automerge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met. -> [!NOTE] -> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). 
+For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) and [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). -You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that auto merges all patch updates to `my-dependency`: +You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that automerges all patch updates to `my-dependency`: {% raw %} -```yaml +```yaml copy name: Dependabot auto-merge on: pull_request @@ -258,7 +186,10 @@ jobs: {% endraw %} -## Troubleshooting failed workflow runs +> [!NOTE] +> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). + +## Investigating failed workflow runs If your workflow run fails, check the following: @@ -268,3 +199,5 @@ If your workflow run fails, check the following: * You have a `GITHUB_TOKEN` with the correct permissions. For information on writing and debugging {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions). + +For more tips to help resolve issues with workflows, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions). 
diff --git a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md index 21ddf41cc653..174d0034798b 100644 --- a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md 
@@ -23,13 +23,13 @@ shortTitle: Configure access to private registries ## About private registries -{% data variables.product.prodname_dependabot_version_updates %} keeps your dependencies up-to-date. {% data variables.product.prodname_dependabot %} can access public registries. In addition, you can give {% data variables.product.prodname_dependabot_version_updates %} access to private package registries and private {% data variables.product.prodname_dotcom %} repositories so that you can keep your private and innersource dependencies as up-to-date as your public dependencies. +{% data variables.product.prodname_dependabot_version_updates %} keeps your dependencies up-to-date and {% data variables.product.prodname_dependabot_security_updates %} updates vulnerable dependencies. {% data variables.product.prodname_dependabot %} can access public registries. In addition, you can give {% data variables.product.prodname_dependabot %} access to private package registries and private {% data variables.product.github %} repositories so that you can keep your private and innersource dependencies as up-to-date and secure as your public dependencies. In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication. -For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). +For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). 
-{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners).{% endif %} +{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners).{% endif %} ## Configuring private registries @@ -40,7 +40,7 @@ The top-level `registries` key is optional and specifies authentication details. {% data reusables.dependabot.dependabot-updates-registries-options %} -For more information about the configuration options that are available, how to use them, and about the supported types, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). +For more information about the configuration options that are available and about the supported types, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). ## Storing credentials for Dependabot to use 
@@ -51,20 +51,18 @@ To give {% data variables.product.prodname_dependabot %} access to the private r {% data variables.product.prodname_dependabot %} secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow {% data variables.product.prodname_dependabot %} to update dependencies located in private package registries. When you add a secret, it's encrypted before it reaches {% data variables.product.prodname_dotcom %} and it remains encrypted until it's used by {% data variables.product.prodname_dependabot %} to access a private package registry. -{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets). +{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#accessing-secrets). After you add a {% data variables.product.prodname_dependabot %} secret, you can reference it in the `dependabot.yml` configuration file like this: {% raw %}`${{secrets.NAME}}`{% endraw %}, where "NAME" is the name you chose for the secret. 
For example: {% raw %} -```yaml +```yaml copy password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} ``` {% endraw %} -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). - #### Naming your secrets The name of a {% data variables.product.prodname_dependabot %} secret: 
@@ -118,3 +116,374 @@ You can add {% data variables.product.prodname_dependabot %}-related IP addresse If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `dependabot` key. If you run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, you should instead use the IP addresses under the `actions` key. For more information, see [AUTOTITLE](/rest/meta/meta) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% endif %} + +## Allowing external code execution + +When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages. However, some version updates may fail. + +If you need to allow {% data variables.product.prodname_dependabot %} to access a private package registry and enable limited external code execution, you can set `insecure-external-code-execution` to `allow`. Any external code execution will only have access to the package managers in the registries associated with the enclosing `updates` setting. There is no access allowed to any of the registries defined in the top level `registries` configuration. + +In this example, the configuration file allows {% data variables.product.prodname_dependabot %} to access the `ruby-github` private package registry. In the same `updates`setting, `insecure-external-code-execution`is set to `allow`, which means that the code executed by dependencies will only access the `ruby-github` registry, and not the `dockerhub` registry. 
+{% raw %} + +```yaml copy +# Allow external code execution when updating dependencies from private registries + +version: 2 +registries: + ruby-github: + type: rubygems-server + url: https://rubygems.pkg.github.com/octocat/github_api + token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} +updates: + - package-ecosystem: "bundler" + directory: "/rubygems-server" + insecure-external-code-execution: allow + registries: "*" + schedule: + interval: "monthly" +``` + +{% endraw %} + +## Supported private registeries + +Examples of how to configure access to the private registries supported by {% data variables.product.prodname_dependabot %}. + +{% ifversion dependabot-updates-cargo-private-registry-support %} +* [`cargo-registry`](#cargo-registry){% endif %} +* [`composer-repository`](#composer-repository) +* [`docker-registry`](#docker-registry) +* [`git`](#git) +* [`hex-organization`](#hex-organization) +* [`hex-repository`](#hex-repository) +* [`maven-repository`](#maven-repository) +* [`npm-registry`](#npm-registry) +* [`nuget-feed`](#nuget-feed){% ifversion dependabot-updates-pub-private-registry %} +* [`pub-repository`](#pub-repository){% endif %} +* [`python-index`](#python-index) +* [`rubygems-server`](#rubygems-server) +* [`terraform-registry`](#terraform-registry) + +{% ifversion dependabot-updates-cargo-private-registry-support %} + +### `cargo-registry` + +The `cargo-registry` type supports a token. + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% data reusables.dependabot.cargo-private-registry-config-example %} + +{% endif %} + +### `composer-repository` + +The `composer-repository` type supports username and password. 
{% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + composer: + type: composer-repository + url: https://repo.packagist.com/example-company/ + username: octocat + password: ${{secrets.MY_PACKAGIST_PASSWORD}} +``` + +{% endraw %} + +### `docker-registry` + +{% data variables.product.prodname_dependabot %} works with any container registries that implement the OCI container registry spec. For more information, see [https://github.com/opencontainers/distribution-spec/blob/main/spec.md](https://github.com/opencontainers/distribution-spec/blob/main/spec.md). {% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For further details, see [Token Authentication Specification](https://docs.docker.com/registry/spec/auth/token/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia. + +The `docker-registry` type supports username and password. {% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + dockerhub: + type: docker-registry + url: https://registry.hub.docker.com + username: octocat + password: ${{secrets.MY_DOCKERHUB_PASSWORD}} + replaces-base: true +``` + +{% endraw %} + +The `docker-registry` type can also be used to pull from private Amazon ECR using static AWS credentials. + +{% raw %} + +```yaml copy +registries: + ecr-docker: + type: docker-registry + url: https://1234567890.dkr.ecr.us-east-1.amazonaws.com + username: ${{secrets.ECR_AWS_ACCESS_KEY_ID}} + password: ${{secrets.ECR_AWS_SECRET_ACCESS_KEY}} + replaces-base: true +``` + +{% endraw %} + +### `git` + +The `git` type supports username and password. 
{% data reusables.dependabot.password-definition %} + +{% raw %} + +```yaml copy +registries: + github-octocat: + type: git + url: https://github.com + username: x-access-token + password: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} +``` + +{% endraw %} + +### `hex-organization` + +The `hex-organization` type supports organization and key. + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + github-hex-org: + type: hex-organization + organization: github + key: ${{secrets.MY_HEX_ORGANIZATION_KEY}} +``` + +{% endraw %} + +### `hex-repository` + +The `hex-repository` type supports an authentication key. + +`repo` is a required field, which must match the name of the repository used in your dependency declaration. + +The `public-key-fingerprint` is an optional configuration field, representing the fingerprint of the public key for the Hex repository. `public-key-fingerprint` is used by Hex to establish trust with the private repository. The `public-key-fingerprint` field can be either listed in plaintext or stored as a {% data variables.product.prodname_dependabot %} secret. + +{% raw %} + +```yaml copy +registries: + github-hex-repository: + type: hex-repository + repo: private-repo + url: https://private-repo.example.com + auth-key: ${{secrets.MY_AUTH_KEY}} + public-key-fingerprint: ${{secrets.MY_PUBLIC_KEY_FINGERPRINT}} +``` + +{% endraw %} + +### `maven-repository` + +The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + maven-artifactory: + type: maven-repository + url: https://acme.jfrog.io/artifactory/my-maven-registry + username: octocat + password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} +``` + +{% endraw %} + +### `npm-registry` + +The `npm-registry` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} + +When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password. + +> [!NOTE] +> When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path. + +{% raw %} + +```yaml copy +registries: + npm-npmjs: + type: npm-registry + url: https://registry.npmjs.org + username: octocat + password: ${{secrets.MY_NPM_PASSWORD}} # Must be an unencoded password + replaces-base: true +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + npm-github: + type: npm-registry + url: https://npm.pkg.github.com + token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} + replaces-base: true +``` + +{% endraw %} + +For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation. + +### `nuget-feed` + +The `nuget-feed` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} + +{% raw %} + +```yaml copy +registries: + nuget-example: + type: nuget-feed + url: https://nuget.example.com/v3/index.json + username: octocat@example.com + password: ${{secrets.MY_NUGET_PASSWORD}} +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + nuget-azure-devops: + type: nuget-feed + url: https://pkgs.dev.azure.com/.../_packaging/My_Feed/nuget/v3/index.json + username: octocat@example.com + password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} +``` + +{% endraw %} + +{% ifversion dependabot-updates-pub-private-registry %} + +### `pub-repository` + +The `pub-repository` type supports a URL and a token. + +{% raw %} + +```yaml copy +registries: + my-pub-registry: + type: pub-repository + url: https://example-private-pub-repo.dev/optional-path + token: ${{secrets.MY_PUB_TOKEN}} +updates: + - package-ecosystem: "pub" + directory: "/" + schedule: + interval: "weekly" + registries: + - my-pub-registry +``` + +{% endraw %} + +{% endif %} + +### `python-index` + +The `python-index` type supports username and password, or token. {% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + python-example: + type: python-index + url: https://example.com/_packaging/my-feed/pypi/example + username: octocat + password: ${{secrets.MY_BASIC_AUTH_PASSWORD}} + replaces-base: true +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + python-azure: + type: python-index + url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example + username: octocat@example.com + password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} + replaces-base: true +``` + +{% endraw %} + +### `rubygems-server` + +The `rubygems-server` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + ruby-example: + type: rubygems-server + url: https://rubygems.example.com + username: octocat@example.com + password: ${{secrets.MY_RUBYGEMS_PASSWORD}} + replaces-base: true +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + ruby-github: + type: rubygems-server + url: https://rubygems.pkg.github.com/octocat/github_api + token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} + replaces-base: true +``` + +{% endraw %} + +### `terraform-registry` + +The `terraform-registry` type supports a token. + +{% raw %} + +```yaml copy +registries: + terraform-example: + type: terraform-registry + url: https://terraform.example.com + token: ${{secrets.MY_TERRAFORM_API_TOKEN}} +``` + +{% endraw %} diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md new file mode 100644 index 000000000000..e97299cc047a --- /dev/null +++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md 
@@ -0,0 +1,695 @@ +--- +title: Dependabot options reference +intro: 'Detailed information for all the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories.' +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +allowTitleToDifferFromFilename: true +redirect_from: + - /github/administering-a-repository/configuration-options-for-dependency-updates + - /code-security/supply-chain-security/configuration-options-for-dependency-updates + - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates + - /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: reference +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Dependabot options reference +--- + +## About the `dependabot.yml` file + +The `dependabot.yml` file defines how {% data variables.product.prodname_dependabot %} maintains dependencies using version updates. In addition, all options marked with a {% octicon "shield-check" aria-label="Security updates" height="16" %} icon also change how {% data variables.product.prodname_dependabot %} creates pull requests for security updates, except where `target-branch` is used. + +The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes). + +You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. 
For more information and an example, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). + +> [!NOTE] +> {% data variables.product.prodname_dependabot_alerts %} are configured in the repository or organization "Settings" tab and not in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). + +### Required keys + +| Key | Location | Purpose | +|--|--|--| +| `version` | Top level| {% data variables.product.prodname_dependabot %} configuration syntax to use. Always: `2`.| +| `updates` | Top level| Section where you define each `package-ecosystem` to update.| +| [`package-ecosystem`](#package-ecosystem-) | Under `updates` | Define a package manager to update. | +| {% ifversion dependabot-updates-multidirectory-support %}[`directories` or `directory`](#directories-or-directory--){% else %}[`directory`](#directory--){% endif %} | Under each `package-ecosystem` entry | Define the location of the manifest or other definition files to update. | +| [`schedule.interval`](#schedule-) | Under each `package-ecosystem` entry | Define whether to look for version updates: `daily`, `weekly`, or `monthly`. | + +Optionally, you can also include a top-level `registries` key to define access details for private registries, see [Top-level `registries` key](#top-level-registries-key). 
+ +```yaml copy + +# Basic `dependabot.yml` file with +# minimum configuration for two package managers + +version: 2 +updates: + # Enable version updates for npm + - package-ecosystem: "npm" + # Look for `package.json` and `lock` files in the `root` directory + directory: "/" + # Check the npm registry for updates every day (weekdays) + schedule: + interval: "daily" + + # Enable version updates for Docker + - package-ecosystem: "docker" + # Look for a `Dockerfile` in the `root` directory + directory: "/" + # Check for updates once a week + schedule: + interval: "weekly" +``` + +For a real-world example of a `dependabot.yml` file, see [{% data variables.product.prodname_dependabot %}'s own configuration file](https://github.com/dependabot/dependabot-core/blob/main/.github/dependabot.yml). + +## `allow` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Use to define exactly which dependencies to maintain for a package ecosystem. Often used with the [`ignore`](#ignore--) option. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). + +{% data variables.product.prodname_dependabot %} default behavior: + +* {% octicon "versions" aria-hidden="true" %} All dependencies explicitly defined in a manifest are kept up to date by version updates. +* {% octicon "shield-check" aria-hidden="true" %} All dependencies defined in lock files with vulnerable dependencies are updated by security updates. + +When `allow` is specified {% data variables.product.prodname_dependabot %} uses the following process: + +1. Check for all explicitly **allowed** dependencies. +1. Then filter out any **ignored** dependencies or versions. + + If a dependency is matched by an `allow` and an `ignore` statement, then it is **ignored**. 
+ +| Parameters | Purpose | +|------------|---------| +| `dependency-name` | Allow updates for dependencies with matching names, optionally using `*` to match zero or more characters. | +| `dependency-type` | Allow updates for dependencies of specific types. | + +### `dependency-name` (`allow`) + +For most package managers, you should define a value that will match the dependency name specified in the lock or manifest file. A few systems have more complex requirements. + +| Package manager | Format required | Example | +|-----------------|-----------------|---------| +| Gradle and Maven | `groupId:artifactId` | `org.kohsuke:github-api` | +| Docker for image tags |The full name of the repository | For an image tag of `.dkr.ecr.us-west-2.amazonaws.com/base/foo/bar/ruby:3.1.0-focal-jemalloc`, use `base/foo/bar/ruby`.| + +### `dependency-type` (`allow`) + +| Dependency types | Supported by package managers | Allow updates | +|------------------|-------------------------------|--------| +| `direct` | All | All explicitly defined dependencies. | +| `indirect` | `bundler`, `pip`, `composer`, `cargo`, `gomod` | Dependencies of direct dependencies (also known as sub-dependencies, or transient dependencies).| +| `all` | All | All explicitly defined dependencies. For `bundler`, `pip`, `composer`, `cargo`, `gomod`, also the dependencies of direct dependencies.| +| `production` | `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only to dependencies defined by the package manager as production dependencies. | +| `development`| `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only to dependencies defined by the package manager as development dependencies. | + +## `assignees` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Specify individual assignees for all pull requests raised for a package ecosystem. 
For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Pull requests are created without any assignees. + +When `assignees` is defined: + +* {% octicon "versions" aria-hidden="true" %} All pull requests for version updates are created with the chosen assignees. +* {% octicon "shield-check" aria-hidden="true" %} All pull requests for security updates are created with the chosen assignees, unless `target-branch` defines updates to a non-default branch. + +Assignees must have write access to the repository. For organization-owned repositories, organization members with read access are also valid assignees. + +## `commit-message` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Define the format for commit messages. Since the titles of pull requests are written based on commit messages, this setting also impacts the titles of pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Commit messages follow similar patterns to those detected in the repository. + +When `commit-message` is defined: + +* {% octicon "versions" aria-hidden="true" %} All commit messages follow the defined pattern. +* {% octicon "shield-check" aria-hidden="true" %} All commit messages follow the defined pattern, unless `target-branch` defines updates to a non-default branch. + +| Parameters | Purpose | +|------------|---------| +| `prefix` | Defines a prefix for all commit messages and pull request titles. | +| `prefix-development` | On supported systems, defines a different prefix to use for commits that update dependencies in the Development dependency group. 
| +| `include` | Follow the commit message prefix with additional information. | + +{% ifversion dependabot-version-updates-groups %} + +> [!TIP] +> When pull requests are raised for grouped updates, the branch name and pull request title are defined by the group `IDENTIFIER`, see {% ifversion dependabot-grouped-security-updates-config %}[`groups`](#groups--){% else %}[`groups`](#groups-){% endif %}. + +{% endif %} + +### `prefix` + +* Used for all commit messages unless `prefix-development` is also defined. +* Value can be up to 50 characters. +* {% data variables.product.prodname_dependabot %} inserts a colon after the prefix before adding the main commit message when the value ends with a letter, number, closing parenthesis, or closing bracket. +* End the value with a whitespace character to stop a colon being added. + +### `prefix-development` + +Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. + +* Used only for commit messages that update dependencies in the Development dependency group. +* Otherwise, the parameter behaves exactly as the `prefix` parameter. + +### `include` + +* Supports only the value `scope` +* When defined any prefix is followed by the type of dependencies updated in the commit: `deps` or `deps-dev`. + +## {% ifversion dependabot-updates-multidirectory-support %}`directories` or {% endif %}`directory` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. 
For examples, see {% ifversion dependabot-updates-multidirectory-support %}[Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files){% else %}[Example dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file){% endif %}. + +{% ifversion dependabot-updates-multidirectory-support %} +* Use `directory` to define a single directory of manifests. +* Use `directories` to define a list of multiple directories of manifests. +* Define directories relative to the root of the repository for most package managers.{% else %} +* Define the directory relative to the root of the repository for most package managers.{% endif %} +* For {% data variables.product.prodname_actions %}, use the value `/`. {% data variables.product.prodname_dependabot %} will search the `/.github/workflows` directory, as well as the `action.yml/action.yaml` file from the root directory. + +If you need to use more than one block in the configuration file to define updates for a single target branch of an ecosystem, you must ensure that all values are unique and there is no overlap in directories defined. + +{% ifversion dependabot-updates-multidirectory-support %} + +> [!NOTE] +> The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key. + +{% endif %} + +## `enable-beta-ecosystems` {% octicon "versions" aria-label="Version updates only" height="24" %} + +Not currently in use. 
+ +{% ifversion dependabot-version-updates-groups %} + +## `groups` {% ifversion dependabot-grouped-security-updates-config %}{% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}{% else %}{% octicon "versions" aria-label="Version updates only" height="24" %}{% endif %} + +Define rules to create one or more sets of dependencies managed by a package manager, to group updates into fewer, targeted pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Open a single pull request for each dependency that needs to be updated to a newer version for version updates{% ifversion dependabot-grouped-security-updates-config %} and for security updates{% endif %}. + +When `groups` is used to define rules: + +* All {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates for dependencies that match a rule are combined in a single pull request. +* If a dependency matches more than one rule, it's included in the first group that it matches. +* Any outdated dependencies that do not match a rule are updated in individual pull requests. + +Parameters | Purpose | +-------|-------------| +| `IDENTIFIER` | Define an identifier for the group to use in branch names and pull request titles. This must start and end with a letter, and can contain letters, pipes `\|`, underscores `_`, or hyphens `-`. | +| {% ifversion dependabot-grouped-security-updates-config %} | +| `applies-to` | Specify which type of update the group applies to. When undefined, defaults to version updates. Supported values: `version-updates` or `security-updates`. | +| {% endif %} | +| `dependency-type` | Limit the group to a type. Supported values: `development` or `production`. 
|
+| `patterns` | Define one or more patterns to include dependencies with matching names. |
+| `exclude-patterns` | Define one or more patterns to exclude dependencies from the group. |
+| `update-types` | Limit the group to one or more semantic versioning levels. Supported values: `minor`, `patch`, and `major`. |
+
+### `dependency-type` (`groups`)
+
+Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`.
+
+By default, a group will include all types of dependencies.
+
+* Use `development` to include only dependencies in the "Development dependency group".
+* Use `production` to include only dependencies in the "Production dependency group".
+
+### `patterns` and `exclude-patterns` (`groups`)
+
+Both options support using `*` as a wild card to define matches with dependency names.
+
+### `update-types` (`groups`)
+
+By default, a group will include updates for all semantic versions (SemVer). SemVer is an accepted standard for defining versions of software packages, in the form `x.y.z`. Dependabot assumes that versions in this form are always `major.minor.patch`.
+
+* Use `patch` to include patch releases.
+* Use `minor` to include minor releases.
+* Use `major` to include major releases.
+
+For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#specifying-the-semantic-versioning-level-to-ignore).
+
+{% endif %}
+
+## `ignore` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Use with the [`allow`](#allow--) option to define exactly which dependencies to maintain for a package ecosystem. {% data variables.product.prodname_dependabot %} checks for all allowed dependencies and then filters out any ignored dependencies or versions. So a dependency that is matched by both an allow and an ignore will be ignored.
For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* {% octicon "versions" aria-hidden="true" %} All dependencies explicitly defined in a manifest are kept up to date by version updates.
+* {% octicon "shield-check" aria-hidden="true" %} All dependencies defined in lock files with vulnerable dependencies are updated by security updates.
+
+When `ignore` is used {% data variables.product.prodname_dependabot %} uses the following process:
+
+1. Check for all explicitly **allowed** dependencies.
+1. Then filter out any **ignored** dependencies or versions.
+
+ If a dependency is matched by an `allow` and an `ignore` statement, then it is **ignored**.
+
+| Parameters | Purpose |
+|------------|---------|
+| `dependency-name` | Ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters. |
+| `versions` | Ignore specific versions or ranges of versions. |
+| `update-types` | Ignore updates to one or more semantic versioning levels. Supported values: `sem-ver:minor`, `sem-ver:patch`, and `sem-ver:major`. |
+
+### `dependency-name` (`ignore`)
+
+For most package managers, you should define a value that will match the dependency name specified in the lock or manifest file. A few systems have more complex requirements.
+
+| Package manager | Format required | Example |
+|-----------------|-----------------|---------|
+| Gradle and Maven | `groupId:artifactId` | `org.kohsuke:github-api` |
+| Docker for image tags |The full name of the repository | For an image tag of `.dkr.ecr.us-west-2.amazonaws.com/base/foo/bar/ruby:3.1.0-focal-jemalloc`, use `base/foo/bar/ruby`.|
+
+### `versions` (`ignore`)
+
+Use to ignore specific versions or ranges of versions. If you want to define a range, use the standard pattern for the package manager.
For example:
+
+* npm: use `^1.0.0`
+* Bundler: use `~> 2.0`
+* Docker: use Ruby version syntax
+* NuGet: use `7.*`
+
+For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-versions-or-ranges-of-versions).
+
+### `update-types` (`ignore`)
+
+Specify which semantic versions (SemVer) to ignore. SemVer is an accepted standard for defining versions of software packages, in the form `x.y.z`. {% data variables.product.prodname_dependabot %} assumes that versions in this form are always `major.minor.patch`.
+
+* Use `patch` to include patch releases.
+* Use `minor` to include minor releases.
+* Use `major` to include major releases.
+
+## `insecure-external-code-execution` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Supported by: `bundler`, `mix`, and `pip`.
+
+Allow {% data variables.product.prodname_dependabot %} to execute external code in the manifest during updates. For examples, see [Allowing external code execution](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#allowing-external-code-execution).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages.
+* Version updates may fail without the ability to execute code.
+
+When you allow `insecure-external-code-execution`:
+
+* {% data variables.product.prodname_dependabot %} will execute code in the manifest as part of the version update process.
+* The code has access to only the package managers in the registries associated with that `updates`setting. There is no access allowed to any of the registries defined in the top level `registries` configuration.
+* This should enable the update to succeed but also could allow a compromised package to steal credentials or gain access to configured registries.
+
+Supported value: `allow`.
+
+## `labels` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Specify your own labels for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* All pull requests have a `dependencies` label.
+* If you define more than one package manager, an additional label for the ecosystem or language is added to each pull request. For example: `java` for Gradle updates and `submodules` for git submodule updates.
+* {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository.
+
+When `labels` is defined:
+
+* The labels specified are used instead of the default labels.
+* If any of these labels is not defined in the repository, it is ignored.
+* You can disable all labels, including the default labels, using `labels: [ ]`.
+
+{% data reusables.dependabot.option-affects-security-updates %}
+
+## `milestone` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Associate all pull requests raised for a package manager with a milestone. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* No milestones are used.
+
+When `milestone` is defined:
+
+* All pull requests for the package manager are added to the milestone.
+
+Supported value: the numeric identifier of a milestone.
+
+>[!TIP]
+>If you view a milestone, the final part of the page URL, after `milestone`, is the identifier. For example: `https://github.com///milestone/3`, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/viewing-your-milestones-progress).
+
+## `open-pull-requests-limit` {% octicon "versions" aria-label="Version updates only" height="24" %}
+
+Change the limit on the maximum number of pull requests for version updates open at any time.
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* If five pull requests with version updates are open, no further pull requests are raised until some of those open requests are merged or closed.
+* Security updates have a separate, internal limit of ten open pull requests which cannot be changed.
+
+When `open-pull-requests-limit` is defined:
+
+* {% data variables.product.prodname_dependabot %} opens pull requests up to the defined integer value.
+* You can temporarily disable version updates for a package manager by setting this option to zero, see [Disabling {% data variables.product.prodname_dependabot_version_updates %}](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#disabling-dependabot-version-updates).
+
+## `package-ecosystem` {% octicon "versions" aria-label="Version updates only" height="24" %}
+
+**Required option.** Define one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each package manager, see [Example `dependabot.yml` file](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file).
+
+Package manager | YAML value | Supported versions |
+---------------|------------------|:------------------:|
+| Bundler | `bundler` | {% ifversion ghes < 3.15 %}v1, {% endif %}v2 |
+| Cargo | `cargo` | v1 |
+| Composer | `composer` | {% ifversion dependabot-updates-composerv1-closing-down %}v2{% else %}v1, v2{% endif %} |
+| {% ifversion dependabot-version-updates-devcontainer-support %} |
+| Dev containers | `devcontainers` | Not applicable |
+| {% endif %} |
+| Docker | `docker` | v1 |
+| {% ifversion dependabot-dotnet-sdk %} |
+| .NET SDK | `dotnet-sdk` | >=.NET Core 3.1 |
+| {% endif %} |
+| Hex | `mix` | v1 |
+| elm-package | `elm` | v0.19 |
+| git submodule | `gitsubmodule` | Not applicable |
+| {% data variables.product.prodname_actions %} | `github-actions` | Not applicable |
+| Go modules | `gomod` | v1 |
+| Gradle | `gradle` | Not applicable |
+| Maven | `maven` | Not applicable |
+| npm | `npm` | v6, v7, v8, v9 |
+| NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% elsif ghes = 3.14 or ghes = 3.13 %}<= 6.8.0{% elsif ghes = 3.12 %}<= 6.7.0{% else %}<= 4.8{% endif %} |
+| pip| `pip` | v21.1.2 |
+| pip-compile | `pip` | 6.1.0 |
+| pipenv | `pip` | <= 2021-05-29 |
+| pnpm | `npm` | v7, v8
v9 (version updates only) |
+| poetry | `pip` | v1 |
+| pub | `pub` | v2 |
+| {% ifversion dependabot-updates-swift-support %} |
+| Swift | `swift` | v5 |
+| {% endif %} |
+| Terraform | `terraform` | >= 0.13, <= 1.8.x |
+| yarn | `npm` | v1, v2, v3 |
+
+## `pull-request-branch-name.separator` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Specify a separator to use when generating branch names. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* Generate branch names of the form: `dependabot/PACKAGE_MANAGER/DEPENDENCY`
+
+When `pull-request-branch-name.separator` is defined:
+
+* Use the specified character in place of `/`.
+
+Supported values: `"-"`, `_`, `/`
+
+> [!TIP]
+> The hyphen symbol must be escaped so it is not interpreted as starting an empty YAML list.
+
+## `rebase-strategy` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Disable automatic rebasing of pull requests raised by {% data variables.product.prodname_dependabot %}.
+
+{% data variables.product.prodname_dependabot %} default behavior is to rebase open pull requests when {% data variables.product.prodname_dependabot %} detects any changes to a version or security update pull request. {% data variables.product.prodname_dependabot %} checks for changes when:
+
+* Your schedule runs to check for version updates.
+* You reopen a closed {% data variables.product.prodname_dependabot %} pull request.
+* You change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file, see [`target-branch`](#target-branch-).
+* A {% data variables.product.prodname_dependabot %} pull request is in conflict after a recent push to the target branch.
+
+When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests.
+
+> [!NOTE]
+> Pull requests that were open **before** you disable rebasing will continue to be rebased until 30 days after they were opened. This affects all pull requests that have conflicts with the target branch and all pull requests for version updates.
+
+## `registries` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Configure access to private package registries to allow {% data variables.product.prodname_dependabot %} to update a wider range of dependencies, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot).
+
+There are 2 locations in the `dependabot.yml` file where you can use the `registries` key:
+
+1. At the top level, where you define the private registries you want to use and their access information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
+1. Within the `updates` blocks, where you can specify which private registries each package manager should use.
+
+{% data variables.product.prodname_dependabot %} default behavior is to raise pull requests only to update dependencies stored in publicly accessible registries.
+
+When the {% data variables.product.prodname_dependabot %} configuration file has a top-level `registries` section, defining access to one or more private registries, you can configure each `package-ecosystem` to use one or more of these private registries.
+
+When `registries` is defined for a package manager:
+
+* Each private registry specified for a package manager is checked for version and security updates.
+* {% data variables.product.prodname_dependabot %} uses the access details defined in the top-level `registries` section.
+
+Supported values: `REGISTRY_NAME` or `"*"`
+
+## `reviewers` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* Pull requests are created without any reviewers assigned.
+
+When `reviewers` is defined:
+
+* {% octicon "versions" aria-hidden="true" %} All pull requests for version updates are created with the chosen reviewers.
+* {% octicon "shield-check" aria-hidden="true" %} All pull requests for security updates are created with the chosen reviewers, unless `target-branch` defines updates to a non-default branch.
+
+Reviewers must have at least read access to the repository.
+
+## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %}
+
+**Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. {% ifversion dependabot-version-updates-groups %}For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).{% endif %}
+
+| Parameters | Purpose |
+|------------|---------|
+| `interval` | **Required.** Defines the frequency for {% data variables.product.prodname_dependabot %}. |
+| `day` | Specify the day to run for a **weekly** interval. |
+| `time` | Specify the time to run. |
+| `timezone` | Specify the timezone of the `time` value.
|
+
+### `interval`
+
+Supported values: `daily`, `weekly`, or `monthly`
+
+Each package manager **must** define a schedule interval.
+
+* Use `daily` to run on every weekday, Monday to Friday.
+* Use `weekly` to run once a week, by default on Monday.
+* Use `monthly` to run on the first day of each month.
+
+By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. You can use the `time` and `timezone` parameters to set a specific runtime for all intervals.
+
+### `day`
+
+Supported values: `monday`, `tuesday`, `wednesday`, `thursday`, `friday`, `saturday`, or `sunday`
+
+Optionally, run **weekly** updates for a package manager on a specific day of the week.
+
+### `time`
+
+Format: `hh:mm`
+
+Optionally, run all updates for a package manager at a specific time of day. By default, times are interpreted as UTC.
+
+### `timezone`
+
+Specify a time zone for the `time` value.
+
+The time zone identifier must match a timezone in the database maintained by [iana](https://www.iana.org/time-zones), see [List of tz database time zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones).
+
+## `target-branch` {% octicon "versions" aria-label="Version updates only" height="24" %}
+
+Define a specific branch to check for version updates and to target pull requests for version updates against. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* {% data variables.product.prodname_dependabot %} uses the default branch for the repository, see [About the default branch](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch).
+
+When `target-branch` is defined:
+
+* Only manifest files on the target branch are checked for version updates.
+* All pull requests for version updates are opened targetting the specified branch.
+* Options defined for this `package-ecosystem` no longer apply to security updates because security updates always use the default branch for the repository.
+
+## `vendor` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Supported by: `bundler` and `gomod` only.
+
+Tell {% data variables.product.prodname_dependabot %} to maintain your vendored dependencies as well as the dependencies defined by manifest files. A dependency is described as "vendored" or "cached" when you store the code within your repository, see [`bundle cache` documentation](https://bundler.io/man/bundle-cache.1.html) and [`go mod vendor` documentation](https://golang.org/ref/mod#go-mod-vendor).
+
+For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#updating-vendored-dependencies).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* Maintain only dependencies recorded in the manifest and lock files identified for Bundler.
+* Raise security and version update pull requests that update the version numbers recorded in the manifest and lock files.
+* For Go modules, any vendored dependencies are automatically identified and maintained as if `vendor` was enabled.
+
+When `vendor` is enabled:
+
+* {% data variables.product.prodname_dependabot %} also maintains dependencies for Bundler that are stored in the `_vendor/cache_` directory in the repository.
+* Pull requests will sometimes contain updates to a dependency that is stored in the repository.
+
+Supported values: `true` or `false`
+
+## `versioning-strategy` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+
+Supported by: `bundler`, `cargo`, `composer`, `mix`, `npm`, `pip`, `pub`
+
+Define how {% data variables.product.prodname_dependabot %} should edit manifest files. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-a-versioning-strategy).
+
+{% data variables.product.prodname_dependabot %} default behavior:
+
+* Try to differentiate between app and library dependencies.
+* For apps, always increase the minimum version requirement to match the new version. The `increase` strategy.
+* For libraries, widen the allowed version requirements to include both the new and old versions, when possible. The `widen` strategy.
+
+When `versioning-strategy` is defined, {% data variables.product.prodname_dependabot %} uses the strategy specified.
+
+| Value | Behavior |
+|--------|--------|
+| `auto` | Default behavior.|
+| `increase`| Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. |
+| `increase-if-necessary` | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint. |
+| `lockfile-only` | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. |
+| `widen`| Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement.
|
+
+For example, if the current version is `1.0.0` and the current constraint is `^1.0.0` the different strategies would raise the following updates:
+
+New version `1.2.0`
+
+* `increase`: new constraint `^1.2.0`
+* `increase-if-necessary`: new constraint `^1.0.0`
+* `widen`: new constraint `^1.0.0`
+
+New version `2.0.0`
+
+* `increase`: new constraint `^2.0.0`
+* `increase-if-necessary`: new constraint `^2.0.0 `
+* `widen`: new constraint `>=1.0.0 <3.0.0`
+
+> [!NOTE]
+> If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/.
+
+{% ifversion dependabot-updates-supported-versioning-tags %}
+
+### Versioning tags
+
+* Represent stages in the software release lifecycle, such as alpha, beta, and stable versions.
+* Allow publishers to distribute their packages more effectively.
+* Indicate the stability of a version and communicate what users should expect in terms of features and stability.
+
+{% data reusables.dependabot.dependabot-updates-supported-versioning-tags %}
+
+#### Versioning tag glossary
+
+* **`alpha`:** Early version, may be unstable and have incomplete features.
+* **`beta`:** More stable than alpha but may still have bugs.
+* **`canary`:** Regularly updated pre-release version for testing.
+* **`dev`:** Represents development versions.
+* **`experimental`:** Versions with experimental features.
+* **`latest`:** The latest stable release.
+* **`legacy`:** Older or deprecated versions.
+* **`next`:** Upcoming release version.
+* **`nightly`:** Versions built nightly; often includes the latest changes.
+* **`rc`:** Release candidate, close to stable release.
+* **`release`:** The official release version.
+* **`stable`:** The most reliable, production-ready version.
+ +{% endif %} + +## Top-level `registries` key + +Specify authentication details that {% data variables.product.prodname_dependabot %} can use to access private package registries, including registries hosted by GitLab or Bitbucket. + +{% ifversion ghes %} + +> [!NOTE] +> Private registries behind firewalls on private networks are supported for the following ecosystems: +> +> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %} +> * Cargo{% endif %} +> * Docker +> * Gradle +> * Maven +> * Npm +> * NuGet{% ifversion dependabot-updates-pub-private-registry %} +> * Pub{% endif %} +> * Python +> * Yarn + +{% endif %} + +The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following `dependabot.yml` file configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file. + +{% raw %} + +```yaml copy +# Minimal settings to update dependencies stored in one private registry + +version: 2 +registries: + dockerhub: # Define access for a private registry + type: docker-registry + url: registry.hub.docker.com + username: octocat + password: ${{secrets.DOCKERHUB_PASSWORD}} +updates: + - package-ecosystem: "docker" + directory: "/docker-registry/dockerhub" + registries: + - dockerhub # Allow version updates for dependencies in this registry + schedule: + interval: "monthly" +``` + +{% endraw %} + +{% data reusables.dependabot.dependabot-updates-registries-options %} + +{% data reusables.dependabot.advanced-private-registry-config-link %} + +### `type` and authentication details + +The parameters used to provide authentication details for access to a private registry vary according to the registry `type`. 
+
+| Registry `type` | Required authentication parameters |
+|--|--|
+| {% ifversion dependabot-updates-cargo-private-registry-support %} |
+| `cargo-registry` | `token` |
+| {% endif %} |
+| `composer-repository` | `username` and `password` |
+| `docker-registry` | `username` and `password` |
+| `git` | `username` and `password` |
+| `hex-organization` | `organization` and `key` |
+| `hex-repository` | `repo` and `auth-key` optionally with the corresponding `public-key-fingerprint` |
+| `maven-repository` | `username` and `password` |
+| `npm-registry` | `username` and `password`
or `token` |
+| `nuget-feed` | `username` and `password`
or `token` |
+| `pub-registry` | `token` |
+| `python-index` | `username` and `password`
or `token` |
+| `rubygems-server` | `username` and `password`
or `token` |
+| `terraform-registry` | `token` |
+
+All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
+
+> [!TIP]
+> {% data reusables.dependabot.password-definition %}
+
+### `url` and `replaces-base`
+
+The `url` parameter defines where to access a registry. When the optional `replaces-base` parameter is enabled (`true`), {% data variables.product.prodname_dependabot %} resolves dependencies using the value of `url` rather than the base URL of that specific ecosystem.
diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
index 4307c496ee0c..1a32f7edd28e 100644
--- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
+++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
@@ -56,13 +56,13 @@ You'll also find recommendations for the setup of the following registry hosts: Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server). +You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#rubygems-server). Snippet of a `dependabot.yml` file using a username and password. {% raw %} -```yaml +```yaml copy registries: ruby-example: type: rubygems-server @@ -77,7 +77,7 @@ The snippet of `dependabot.yml` file below uses a token. {% data reusables.depen {% raw %} -```yaml +```yaml copy registries: ruby-github: type: rubygems-server @@ -95,7 +95,7 @@ registries: ### Cargo -Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cargo-registry). +Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#cargo-registry). The snippet below shows a `dependabot.yml` file configuration that uses a token. 
@@ -105,13 +105,13 @@ The snippet below shows a `dependabot.yml` file configuration that uses a token. ### Docker -Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). +Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). Snippet of `dependabot.yml` file using a username and password. {% raw %} -```yaml +```yaml copy registries: dockerhub: type: docker-registry @@ -126,7 +126,7 @@ registries: {% raw %} -```yaml +```yaml copy registries: ecr-docker: type: docker-registry 
@@ -149,18 +149,20 @@ registries: * Dockerfiles may only receive a version update to the first `FROM` directive. * Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see [{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920) in the `dependabot/dependabot-core` repository. * {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see [Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640) in the `dependabot/dependabot-core` repository. +* Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see [{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920) in the `dependabot/dependabot-core` repository. +* {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see [Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640) in the `dependabot/dependabot-core` repository. ### Gradle -{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle). +{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. 
For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#gradle). -Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} {% raw %} -```yaml +```yaml copy registries: gradle-artifactory: type: maven-repository @@ -184,11 +186,11 @@ updates: ### Maven -Maven supports username and password authentication. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Maven supports username and password authentication. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). {% raw %} -```yaml +```yaml copy registries: maven-artifactory: type: maven-repository @@ -203,7 +205,7 @@ registries: {% raw %} -```yaml +```yaml copy version: 2 registries: maven-github: 
@@ -232,13 +234,13 @@ You can define the configuration in the `dependabot.yml` file using the `npm-reg #### Using the `npm-registry` type in the configuration file -You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). The snippet of a `dependabot.yml` file below uses a token. {% data reusables.dependabot.token-is-github-pat %} {% raw %} -```yaml +```yaml copy registries: npm-github: type: npm-registry 
@@ -313,7 +315,7 @@ If you use a monorepo, the `.npmrc` file should live in the project's root direc You can configure {% data variables.product.prodname_dependabot %} to send all registry requests through a specified base URL. In order for {% data variables.product.prodname_dependabot %} to access a public dependency, the registry must either have a cloned copy of the dependency with the requested version, or allow traffic to fetch from a public registry if the dependency is not available. -If there is no global registry defined in a `.npmrc` file, you can set `replaces-base` to `true` in the `dependabot.yml` file. For more information, see "`replaces-base`" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). +If there is no global registry defined in a `.npmrc` file, you can set `replaces-base` to `true` in the `dependabot.yml` file. For more information, see "`replaces-base`" in [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). #### Notes @@ -327,11 +329,11 @@ Registries should be configured using the `https` protocol. Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed). +The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#nuget-feed). {% raw %} -```yaml +```yaml copy registries: nuget-example: type: nuget-feed 
@@ -344,7 +346,7 @@ registries:
 {% raw %}
-```yaml
+```yaml copy
 registries:
   nuget-azure-devops:
     type: nuget-feed
@@ -361,7 +363,7 @@ You can also use a token in your `dependabot.yml` file. {% data reusables.depend
 {% raw %}
-```yaml
+```yaml copy
 registries:
   nuget-azure-devops:
     type: nuget-feed
@@ -375,11 +377,11 @@ registries:
 ### pub
-You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pub-repository).
+You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#pub-repository).
 {% raw %}
-```yaml
+```yaml copy
 registries:
   my-pub-registry:
     type: pub-repository
@@ -410,11 +412,11 @@ pub supports URL and token authentication. The URL used for the registry should
 Supported by Artifactory, Azure Artifacts, Cloudsmith, Nexus, and ProGet. The {% data variables.product.prodname_registry %} registry is not supported.
-The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index).
+The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index).
 {% raw %}
-```yaml
+```yaml copy
 registries:
   python-example:
     type: python-index
@@ -427,7 +429,7 @@ registries:
 {% raw %}
-```yaml
+```yaml copy
 registries:
   python-azure:
     type: python-index
@@ -439,7 +441,7 @@ registries:
 {% endraw %}
 {% raw %}
-```yaml
+```yaml copy
 registries:
   python-gemfury:
     type: python-index
@@ -457,11 +459,11 @@ registries:
 ### Yarn
-The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry).
+The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry).
 {% raw %}
-```yaml
+```yaml copy
 registries:
   yarn-github:
     type: npm-registry
@@ -481,7 +483,7 @@ You can either specify the private registry configuration in the `dependabot.yml
 ##### Defining the private registry configuration in the `dependabot.yml` file
-You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
+You can define the private registry configuration in your `dependabot.yml` file. For more information, see [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key).
 To ensure that the private registry is listed as the dependency source in the project's `yarn.lock` file, you need to run `yarn install` on a machine with private registry access. Yarn should update the resolved field to include the private registry URL.
@@ -518,7 +520,7 @@ As with Yarn Classic, you can either specify the private registry configuration
 ##### Defining the private registry configuration in the `dependabot.yml` file
-You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
+You can define the private registry configuration in your `dependabot.yml` file. For more information, see [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key).
 To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the resolved field to include the private registry URL.
@@ -609,7 +611,7 @@ Example of Azure Artifacts registry:
 {% raw %}
-```yaml
+```yaml copy
 registries:
   nuget-azure-devops:
     type: nuget-feed
@@ -642,7 +644,7 @@ For information about {% data variables.product.prodname_registry %} registries,
 {% raw %}
-```yaml
+```yaml copy
 registries:
   github:
     type: npm-registry
@@ -670,7 +672,7 @@ Example of Nexus registry:
 {% raw %}
-```yaml
+```yaml copy
 registries:
   npm-nexus:
     type: npm-registry
@@ -690,7 +692,7 @@ If you are restricting which IPs can reach your Nexus host, you need to add the
 * "3.217.93.44/32"
 For more information, see [Securing Nexus Repository Manager](https://help.sonatype.com/repomanager3/planning-your-implementation/securing-nexus-repository-manager) in the Sonatype documentation.
- Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries).
+ Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries).
 ### ProGet
@@ -700,7 +702,7 @@ Example of ProGet registry configuration for a NuGet feed:
 {% raw %}
-```yaml
+```yaml copy
 registries:
   proget-nuget-feed:
     type: nuget-feed
@@ -714,7 +716,7 @@ Example of ProGet registry configuration for Bundler (rubygems):
 {% raw %}
-```yaml
+```yaml copy
 registries:
   proget-gems-feed:
     type: rubygems-server
@@ -728,7 +730,7 @@ Example of ProGet registry configuration for Python (PyPI):
 {% raw %}
-```yaml
+```yaml copy
 registries:
   proget-python-feed:
     type: python-index
diff --git a/content/code-security/dependabot/working-with-dependabot/index.md b/content/code-security/dependabot/working-with-dependabot/index.md
index d17916c3392e..168fdf6dfd63 100644
--- a/content/code-security/dependabot/working-with-dependabot/index.md
+++ b/content/code-security/dependabot/working-with-dependabot/index.md
@@ -16,14 +16,9 @@ topics:
 children:
   - /managing-pull-requests-for-dependency-updates
   - /about-dependabot-on-github-actions-runners
-  - /managing-dependabot-on-self-hosted-runners
   - /automating-dependabot-with-github-actions
   - /keeping-your-actions-up-to-date-with-dependabot
   - /configuring-access-to-private-registries-for-dependabot
   - /guidance-for-the-configuration-of-private-registries-for-dependabot
-  - /removing-dependabot-access-to-public-registries
-  - /viewing-dependabot-job-logs
-  - /troubleshooting-the-detection-of-vulnerable-dependencies
-  - /troubleshooting-dependabot-errors
-  - /troubleshooting-dependabot-on-github-actions
+  - /dependabot-options-reference
 ---
diff --git a/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md b/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md
index ee2fcfd2610e..ee3124491815 100644
--- a/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md
+++ b/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md
@@ -55,7 +55,7 @@ You can also enable {% data variables.product.prodname_dependabot_version_update
 The example `dependabot.yml` file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"weekly"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot %} will continue to check for outdated versions of actions once a week.
-```yaml
+```yaml copy
 # Set update schedule for GitHub Actions
 version: 2
@@ -70,7 +70,7 @@ updates:
 ## Configuring {% data variables.product.prodname_dependabot_version_updates %} for actions
-When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
+When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference).
 ## Further reading
diff --git a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md
index c13f079b85a3..5ff9828d0b76 100644
--- a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md
+++ b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md
@@ -30,7 +30,7 @@ shortTitle: Manage Dependabot PRs
 When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. {% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% endif %}
-If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. {% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates){% ifversion dependabot-grouped-security-updates-config %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).{% else %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).{% endif %}
+If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. 
{% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs){% ifversion dependabot-grouped-security-updates-config %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).{% else %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).{% endif %}
 > [!NOTE]
 > If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates).
@@ -45,7 +45,7 @@ If you have many dependencies to manage, you may want to customize the configura
 ## Changing the rebase strategy for {% data variables.product.prodname_dependabot %} pull requests
-By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy).
+By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#rebase-strategy).
 ## Allowing {% data variables.product.prodname_dependabot %} to rebase and force push over extra commits
@@ -74,7 +74,7 @@ You can use any of the following commands on a {% data variables.product.prodnam
 If you run any of the commands for ignoring dependencies or versions, {% data variables.product.prodname_dependabot %} stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically.
-For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore).
+For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore).
 {% ifversion dependabot-grouped-security-updates-config %}
diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md
deleted file mode 100644
index 20f6ac748896..000000000000
--- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md
+++ /dev/null
@@ -1,21 +0,0 @@ ---- -title: Troubleshooting Dependabot on GitHub Actions -intro: 'This article provides troubleshooting information for issues you may encounter when using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.' -versions: - fpt: '*' - ghec: '*' -type: how_to -topics: - - Actions - - Dependabot - - Version updates - - Security updates - - Repositories - - Dependencies - - Pull requests -shortTitle: Troubleshoot Dependabot on Actions ---- - -## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows - -{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions). diff --git a/content/code-security/getting-started/dependabot-quickstart-guide.md b/content/code-security/getting-started/dependabot-quickstart-guide.md index 8eb370496c22..38980312f5c9 100644 --- a/content/code-security/getting-started/dependabot-quickstart-guide.md +++ b/content/code-security/getting-started/dependabot-quickstart-guide.md 
@@ -108,7 +108,7 @@ You can fix or dismiss {% data variables.product.prodname_dependabot_alerts %} o
 * Go back to the alert details page.
 * On the top-right corner, click **Dismiss alert**.
- ![Screenshot of the alert details page with the **Dismiss alert** button, dropdown menu options, and dismissal comment box highlighted with a dark orange outline.](/assets/images/help/repository/dismiss-alert-demo-repo.png)
+ ![Screenshot of the alert details page with the **Dismiss alert** button, dropdown menu options, and dismissal comment box outlined in orange.](/assets/images/help/repository/dismiss-alert-demo-repo.png)
 * Select a reason for dismissing the alert.
 * Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting.
@@ -122,7 +122,7 @@ You may need to do some troubleshooting if:
 * {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix an alert, or
 * The information reported by {% data variables.product.prodname_dependabot %} is not what you expect.
-For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies), respectively.
+For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors) and [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies), respectively.
 ## Next steps
diff --git a/content/code-security/index.md b/content/code-security/index.md
index c18e6d121aac..7484549c0087 100644
--- a/content/code-security/index.md
+++ b/content/code-security/index.md
@@ -11,20 +11,20 @@ featuredLinks:
 startHere:
   - /code-security/getting-started/quickstart-for-securing-your-repository
   - '{% ifversion fpt or ghec %}/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory{% endif %}'
-  - '/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning'
+  - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
 guideCards:
   - /code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
   - /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
-  - '/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning'
+  - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
   - /code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview
 popular:
   - '{% ifversion ghes %}/admin/release-notes{% endif %}'
   - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
   - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
   - /code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
-  - /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+  - /code-security/dependabot/working-with-dependabot/dependabot-options-reference
   - /code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot
-  - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
+  - /code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
 changelog:
   label: security-and-compliance
   versions:
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
index 6cfd8f06d673..3b47a9f10b09 100644
--- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
+++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md
@@ -43,7 +43,7 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see [
 ### Grouping {% data variables.product.prodname_dependabot_security_updates %}
-{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).
+{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).
 {% ifversion dependabot-on-actions-opt-in %}
diff --git a/content/code-security/securing-your-organization/index.md b/content/code-security/securing-your-organization/index.md
index 2898e1144a94..07ddc6ed0295 100644
--- a/content/code-security/securing-your-organization/index.md
+++ b/content/code-security/securing-your-organization/index.md
@@ -1,9 +1,11 @@
 ---
 title: Securing your organization
 shortTitle: Secure your organization
-intro: 'Secure your organization at scale with {% data variables.product.company_short %}''s security products through {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}.'
+intro: 'Secure your organization at scale with {% data variables.product.company_short %}''s security products{% ifversion security-configurations %} through {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}{% endif %}.'
 versions:
-  feature: security-configurations
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
 topics:
   - Advanced Security
   - Organizations
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
index 4ae79f724d8f..e584a52ff3bf 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
@@ -77,4 +77,4 @@ You can use the dependency graph to:
 * [Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph) on Wikipedia
 * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository)
 * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
-* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)
+* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md
index c299bd56dfed..f908005681a5 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md
@@ -63,4 +63,4 @@ When the dependency graph is first enabled, any manifest and lock files for supp
 {%- ifversion ghec %}
 * [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){%- endif %}
 * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
-* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)
+* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md
index b68ad1de67ec..f2559e100ed6 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md
@@ -67,5 +67,5 @@ Yes, the dependency graph has {% ifversion dependency-graph-repository-view-upda
 * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
 * [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)
-* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)
-* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors)
+* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies)
+* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors)
diff --git a/content/contributing/style-guide-and-content-model/style-guide.md b/content/contributing/style-guide-and-content-model/style-guide.md
index 11a637691e51..93216c14306d 100644
--- a/content/contributing/style-guide-and-content-model/style-guide.md
+++ b/content/contributing/style-guide-and-content-model/style-guide.md
@@ -343,11 +343,11 @@ If an article has headers, the headers must start with an H2 level header. You c
 TEXT
 ### SUBHEADER (H3)
-
+
 TEXT
 #### SUBHEADER (H4)
-
+
 TEXT
 ```
@@ -365,15 +365,15 @@ Each header at the same level on a page must be unique.
 ```markdown
 ## Examples (H2)
-
+
 TEXT
 ### Prompts for writing code (H3)
-
+
 TEXT
 ### Prompts for writing tests (H3)
-
+
 TEXT
 ```
@@ -381,19 +381,19 @@ Each header at the same level on a page must be unique.
 ```markdown
 ## Prompts for writing code (H2)
-
+
 TEXT
 ### Example (H3)
-
+
 TEXT
 ## Prompts for writing tests (H2)
-
+
 TEXT
 ### Example (H3)
-
+
 TEXT
 ```
@@ -401,15 +401,15 @@ Each header at the same level on a page must be unique.
 ```markdown
 ## Example prompts (H2)
-
+
 TEXT
 ### Example (H3)
-
+
 TEXT
 ### Example (H3)
-
+
 TEXT
 ```
@@ -1380,7 +1380,7 @@ All columns in a table should be left-aligned, except for columns containing onl
 Table content is left-aligned by default. Use Markdown table formatting, colons (`:`) to either the right or left of the dashes in the header row, to specify the alignment of each column. Read [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/organizing-information-with-tables#formatting-content-within-your-table) for more information.
-The following example shows part of a table from [AUTOTITLE](/free-pro-team@latest/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file).
+The following example shows part of a table from [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference).
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
index 79ee7a2a76aa..167f5fe79472 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
@@ -66,7 +66,7 @@ You can use security overview to find a set of repositories and enable or disabl
 1. Review the information in the dialog box.
 1. Optionally, if you are enabling private vulnerability reporting, dependency graph, or {% data variables.product.prodname_dependabot %}, select **Enable by default for new repositories**.
- ![Screenshot of the "Enable FEATURE" modal dialog, with the "Enable by default for new private repositories" option highlighted with a dark orange outline.](/assets/images/help/organizations/security-and-analysis-enable-by-default-in-modal.png)
+ ![Screenshot of the "Enable FEATURE" modal dialog, with the "Enable by default for new private repositories" option outlined in orange.](/assets/images/help/organizations/security-and-analysis-enable-by-default-in-modal.png)
 1. When you are ready to make the changes, click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories in your organization.
 1. Optionally, in your feature's section of the security and analysis settings, select additional enablement settings. Additional enablement settings may include:
@@ -92,7 +92,7 @@ You can use security overview to find a set of repositories and enable or disabl
 By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private{% ifversion ghec or ghes %} or internal{% endif %} repositories, or private{% ifversion ghec or ghes %} or internal{% endif %} package registries. However, if a dependency is in a private{% ifversion ghec or ghes %} or internal{% endif %} {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository.
-If your code depends on packages in a private{% ifversion ghec or ghes %} or internal{% endif %} registry, you can allow {% data variables.product.prodname_dependabot %} to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the `dependabot.yml` file for the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries).
+If your code depends on packages in a private{% ifversion ghec or ghes %} or internal{% endif %} registry, you can allow {% data variables.product.prodname_dependabot %} to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the `dependabot.yml` file for the repository. For more information, see [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key).
 {% ifversion ghec %}
@@ -112,7 +112,7 @@ To allow {% data variables.product.prodname_dependabot %} to access a private or
 1. Go to the security and analysis settings for your organization. For more information, see [Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings).
 1. Under "Grant {% data variables.product.prodname_dependabot %} private repository access", click **Add internal and private repositories** to display a repository search field.
- ![Screenshot of the dropdown that you can use to search for repositories. As you type, repositories whose name matches your search criteria will appear in the list. The search text field is highlighted with a dark orange outline.](/assets/images/help/organizations/dependabot-private-repo-choose.png)
+ ![Screenshot of the search dropdown. As you type, repository names that match your search are shown. The search text field is outlined in orange.](/assets/images/help/organizations/dependabot-private-repo-choose.png)
 1. Start typing the name of the repository you want to grant {% data variables.product.prodname_dependabot %} access to.
 1. A list of matching repositories in the organization is displayed, click the repository you want to allow access to and this adds the repository to the allowed list.
diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml
index 3da10a960931..fbe340ca1d74 100644
--- a/data/learning-tracks/code-security.yml
+++ b/data/learning-tracks/code-security.yml
@@ -54,9 +54,9 @@ dependabot_alerts:
 - >-
 /code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates
 - >-
- /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
+ /code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
 - >-
- /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors
+ /code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors
 dependabot_security_updates:
 title: Get pull requests to update your vulnerable dependencies
 description: >-
@@ -74,7 +74,7 @@ dependabot_security_updates:
 - >-
 /code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates
 - >-
- /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
+ /code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
 dependency_version_updates:
 title: Keep your dependencies up-to-date
 description: >-
@@ -86,25 +86,25 @@ dependency_version_updates:
 - >-
 /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
 - >-
- /code-security/dependabot/dependabot-version-updates/customizing-dependency-updates
+ /code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs
 - >-
- /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+ /code-security/dependabot/working-with-dependabot/dependabot-options-reference
 - >-
 /code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
 - >-
 /code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
 - >-
- /code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates
+ /code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates
 - >-
 /code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot
 - >-
 /code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot
 - >-
- /code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries
+ /code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries
 - >-
 /code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates
 - >-
- /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors
+ /code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors
 secret_scanning:
 title: Scan for secrets
 description: >-
diff --git a/data/release-notes/enterprise-server/3-11/0-rc1.yml b/data/release-notes/enterprise-server/3-11/0-rc1.yml
index b379a86575ad..e62559525182 100644
--- a/data/release-notes/enterprise-server/3-11/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-11/0-rc1.yml
@@ -119,7 +119,7 @@ sections:
 # https://github.com/github/releases/issues/3363
 # https://github.com/github/releases/issues/3364
 - |
- To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
+ To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
 # https://github.com/github/releases/issues/3270
 # https://github.com/github/releases/issues/3271
diff --git a/data/release-notes/enterprise-server/3-11/0.yml b/data/release-notes/enterprise-server/3-11/0.yml
index 40f2a2feb851..9eb20e1c2e0c 100644
--- a/data/release-notes/enterprise-server/3-11/0.yml
+++ b/data/release-notes/enterprise-server/3-11/0.yml
@@ -113,7 +113,7 @@ sections:
 # https://github.com/github/releases/issues/3363
 # https://github.com/github/releases/issues/3364
 - |
- To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
+ To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).
 # https://github.com/github/releases/issues/3270
 # https://github.com/github/releases/issues/3271
diff --git a/data/release-notes/enterprise-server/3-12/0-rc1.yml b/data/release-notes/enterprise-server/3-12/0-rc1.yml
index b086b2c793cc..1f5ab03b78bf 100644
--- a/data/release-notes/enterprise-server/3-12/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-12/0-rc1.yml
@@ -65,7 +65,8 @@ sections:
 notes:
 # https://github.com/github/releases/issues/3458
 - |
- To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs).
+ To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs).
+
 # https://github.com/github/releases/issues/3091
 - |
 Users can choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in repositories or organizations. Auto-triage rules provide control over whether an alert is ignored, is snoozed, or triggers a pull request for a security update. Users can also use a rule created by GitHub to automatically dismiss low-impact issues in npm dependencies. Auto-triage rules are in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).
diff --git a/data/release-notes/enterprise-server/3-12/0.yml b/data/release-notes/enterprise-server/3-12/0.yml
index df5b028767a9..f075f7afe759 100644
--- a/data/release-notes/enterprise-server/3-12/0.yml
+++ b/data/release-notes/enterprise-server/3-12/0.yml
@@ -68,7 +68,8 @@ sections:
 notes:
 # https://github.com/github/releases/issues/3458
 - |
- To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs).
+ To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs).
+
 # https://github.com/github/releases/issues/3091
 - |
 Users can choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in repositories or organizations. Auto-triage rules provide control over whether an alert is ignored, is snoozed, or triggers a pull request for a security update. Users can also use a rule created by GitHub to automatically dismiss low-impact issues in npm dependencies. Auto-triage rules are in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).
diff --git a/data/release-notes/enterprise-server/3-14/0.yml b/data/release-notes/enterprise-server/3-14/0.yml
index 1ac4db753bf3..1f83264a018e 100644
--- a/data/release-notes/enterprise-server/3-14/0.yml
+++ b/data/release-notes/enterprise-server/3-14/0.yml
@@ -108,7 +108,7 @@ sections:
 Dependabot uses private registry configurations specified in the `dependabot.yml` file as expected, even if there is a configuration with `target-branch`. This ensures that security updates are applied correctly, regardless of your repository's configuration settings. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
 # https://github.com/github/releases/issues/4118
 - |
- In the `dependabot.yml` file, users can apply the same configuration to manifest files from multiple directories using the `directories` key. Direct strings, glob syntax, and wildcards (`*`) are all supported for targeting directories. See [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories). [Updated: 2024-10-07]
+ In the `dependabot.yml` file, users can apply the same configuration to manifest files from multiple directories using the `directories` key. Direct strings, glob syntax, and wildcards (`*`) are all supported for targeting directories. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories). [Updated: 2024-10-07]
 - heading: Code security
 notes:
diff --git a/data/reusables/actions/dependabot-version-updates-actions-caveats.md b/data/reusables/actions/dependabot-version-updates-actions-caveats.md
index a8eb2c49f42d..09462d310b06 100644
--- a/data/reusables/actions/dependabot-version-updates-actions-caveats.md
+++ b/data/reusables/actions/dependabot-version-updates-actions-caveats.md
@@ -1,3 +1,3 @@
 * {% data variables.product.prodname_dependabot %} only supports updates to {% data variables.product.prodname_actions %} using the {% data variables.product.prodname_dotcom %} repository syntax, such as `{% data reusables.actions.action-checkout %}`. {% data variables.product.prodname_dependabot %} will ignore actions or reusable workflows referenced locally (for example, `./.github/actions/foo.yml`).
 * Docker Hub and {% data variables.product.prodname_registry %} {% data variables.product.prodname_container_registry %} URLs are currently not supported. For example, references to Docker container actions using `docker://` syntax aren't supported.
-* {% data variables.product.prodname_dependabot %} supports both public and private repositories for {% data variables.product.prodname_actions %}. For private registry configuration options, see "`git`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git)."
+* {% data variables.product.prodname_dependabot %} supports both public and private repositories for {% data variables.product.prodname_actions %}. For private registry configuration options, see "`git`" in "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git)."
diff --git a/data/reusables/dependabot/automatic-deactivation-link.md b/data/reusables/dependabot/automatic-deactivation-link.md
new file mode 100644
index 000000000000..5d0efc38c356
--- /dev/null
+++ b/data/reusables/dependabot/automatic-deactivation-link.md
@@ -0,0 +1 @@
+When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped).
diff --git a/data/reusables/dependabot/automatically-pause-dependabot-updates.md b/data/reusables/dependabot/automatically-pause-dependabot-updates.md
index 3a3a1c08efc2..107f9f55e9a9 100644
--- a/data/reusables/dependabot/automatically-pause-dependabot-updates.md
+++ b/data/reusables/dependabot/automatically-pause-dependabot-updates.md
@@ -1,4 +1,4 @@
-When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know. This automatic opt-out behavior reduces noise because {% data variables.product.prodname_dependabot %} doesn't create pull requests for version and security updates, and doesn't rebase {% data variables.product.prodname_dependabot %} pull requests for inactive repositories.
+When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know. This automatic opt-out behavior means that {% data variables.product.prodname_dependabot %} no longer creates pull requests for version and security updates, and no longer rebases {% data variables.product.prodname_dependabot %} pull requests for inactive repositories.
 The automatic deactivation of {% data variables.product.prodname_dependabot %} updates only applies to repositories where {% data variables.product.prodname_dependabot %} has opened pull requests but the pull requests remain untouched. If {% data variables.product.prodname_dependabot %} hasn't opened any pull requests, {% data variables.product.prodname_dependabot %} will never become paused.
diff --git a/data/reusables/dependabot/configuration-options.md b/data/reusables/dependabot/configuration-options.md
index 9b630ce68efd..45f4d56cfde2 100644
--- a/data/reusables/dependabot/configuration-options.md
+++ b/data/reusables/dependabot/configuration-options.md 
@@ -1,30 +1,30 @@
 | Option | Required | Security Updates | Version Updates | Description |
 |:---|:---:|:---:|:---:|:---|
-| [`package-ecosystem`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Package manager to use |
-| [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Location of package manifests |
+| [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Package manager to use |
+| [`directory`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directory) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Location of package manifests |
 | {% ifversion dependabot-updates-multidirectory-support %} |
-| [`directories`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Locations of package manifests (multiple directories) |
+| [`directories`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Locations of package manifests 
(multiple directories) |
 | {% endif %} |
-| [`schedule.interval`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | How often to check for updates |
-| [`allow`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Customize which updates are allowed |
-| [`assignees`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#assignees) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Assignees to set on pull requests |
-| [`commit-message`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#commit-message) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Commit message preferences |
-| [`enable-beta-ecosystems`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#enable-beta-ecosystems) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Enable ecosystems that have {% data variables.release-phases.public_preview %}-level support |
+| [`schedule.interval`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduleinterval) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | How often to check for updates |
+| 
[`allow`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Customize which updates are allowed |
+| [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Assignees to set on pull requests |
+| [`commit-message`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Commit message preferences |
+| [`enable-beta-ecosystems`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#enable-beta-ecosystems) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Enable ecosystems that have {% data variables.release-phases.public_preview %}-level support |
 | {% ifversion dependabot-version-updates-groups %} |
-| [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-grouped-security-updates-config %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% octicon "check" aria-label="Supported" %} | Group updates for certain dependencies |
+| [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-grouped-security-updates-config %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" 
aria-label="Not supported" %}{% endif %} | {% octicon "check" aria-label="Supported" %} | Group updates for certain dependencies |
 | {% endif %} |
-| [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) | {% octicon "x" aria-label="Not supported" %} | See [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) | See [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) | Ignore certain dependencies or versions |
-| [`insecure-external-code-execution`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#insecure-external-code-execution) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Allow or deny code execution in manifest files |
-| [`labels`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#labels) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Labels to set on pull requests |
-| [`milestone`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#milestone) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Milestone to set on pull requests |
+| [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) | {% octicon "x" aria-label="Not supported" %} | See [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) | See [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) | Ignore certain dependencies or versions |
+| [`insecure-external-code-execution`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#insecure-external-code-execution) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Allow or deny code execution in manifest files |
+| [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Labels to set on pull requests |
+| [`milestone`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#milestone) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Milestone to set on pull requests |
 | [`open-pull-requests-limit`](#open-pull-requests-limit) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Limit number of open pull requests for version updates |
-| [`pull-request-branch-name.separator`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pull-request-branch-nameseparator) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Change separator for pull request branch names |
-| [`rebase-strategy`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Disable automatic rebasing |
-| [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) | {% octicon 
"x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Private registries that {% data variables.product.prodname_dependabot %} can access| -| [`reviewers`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Reviewers to set on pull requests | -| [`schedule.day`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Day of week to check for updates | -| [`schedule.time`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduletime) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Time of day to check for updates (hh:mm) | -| [`schedule.timezone`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduletimezone) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Timezone for time of day (zone identifier) | -| [`target-branch`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Branch to create pull requests against | -| [`vendor`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#vendor) | {% octicon "x" aria-label="Not supported" %} | {% 
octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Update vendored or cached dependencies |
-| [`versioning-strategy`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | How to update manifest version requirements |
+| [`pull-request-branch-name.separator`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#pull-request-branch-nameseparator) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Change separator for pull request branch names |
+| [`rebase-strategy`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#rebase-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Disable automatic rebasing |
+| [`registries`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#registries) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Private registries that {% data variables.product.prodname_dependabot %} can access|
+| [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Reviewers to set on pull requests |
+| [`schedule.day`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduleday) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Day of 
week to check for updates |
+| [`schedule.time`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduletime) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Time of day to check for updates (hh:mm) |
+| [`schedule.timezone`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduletimezone) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Timezone for time of day (zone identifier) |
+| [`target-branch`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#target-branch) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Branch to create pull requests against |
+| [`vendor`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Update vendored or cached dependencies |
+| [`versioning-strategy`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | How to update manifest version requirements |
diff --git a/data/reusables/dependabot/default-labels.md b/data/reusables/dependabot/default-labels.md
index 9294fb86c13e..000db286ca49 100644
--- a/data/reusables/dependabot/default-labels.md
+++ b/data/reusables/dependabot/default-labels.md
@@ -1 +1,5 @@
-By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. If more than one package manager is defined, {% data variables.product.prodname_dependabot %} includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: `java` for Gradle updates and `submodules` for git submodule updates. {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository.
+By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label.
+
+If more than one package manager is defined, {% data variables.product.prodname_dependabot %} includes an additional label on each pull request, which indicates which language or ecosystem the pull request updates. For example, adding `java` for Gradle updates, or `submodules` for git submodule updates.
+
+{% data variables.product.prodname_dependabot %} creates the default labels it applies to pull requests if they do not already exist in the repository. If you want to use custom labels, you need to create these yourself. For more information, see: [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels).
diff --git a/data/reusables/dependabot/dependabot-ignore-dependencies.md b/data/reusables/dependabot/dependabot-ignore-dependencies.md
index 46e2514f3715..f6093d36d69f 100644
--- a/data/reusables/dependabot/dependabot-ignore-dependencies.md
+++ b/data/reusables/dependabot/dependabot-ignore-dependencies.md
@@ -1,4 +1,4 @@
 If you want to ignore updates for the dependency, you must do one of the following.
-* Configure an `ignore` rule for the dependency in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore)."
+* Configure an `ignore` rule for the dependency in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore)."
 * Use the `@dependabot ignore` comment command for the dependency in the pull request for the grouped updates. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands)."
diff --git a/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md b/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md
index b557e5b47bfa..9107da907c7b 100644
--- a/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md
+++ b/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md
@@ -1,3 +1,3 @@
 {% ifversion dependabot-on-actions-self-hosted %}
-To have greater control over {% data variables.product.prodname_dependabot %}'s access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)."
+To have greater control over {% data variables.product.prodname_dependabot %}'s access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" and "[AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners)."
 {% endif %}
diff --git a/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md b/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md
index 72659bdb4c64..f2dd5ede3d30 100644
--- a/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md
+++ b/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md
@@ -4,6 +4,6 @@ By default, {% data variables.product.prodname_actions %} workflow runs that are
 There are three ways to resolve this problem:
-1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)."
-1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)."
+1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions).
+1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).
 1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`.
diff --git a/data/reusables/dependabot/dependabot-updates-registries-options.md b/data/reusables/dependabot/dependabot-updates-registries-options.md
index 61288fd2917d..d6461390a2d6 100644
--- a/data/reusables/dependabot/dependabot-updates-registries-options.md
+++ b/data/reusables/dependabot/dependabot-updates-registries-options.md
@@ -1,11 +1,9 @@
 You use the following options to specify access settings. Registry settings must contain a `type` and a `url`, and typically either a `username` and `password` combination or a `token`.
 
-| Option                 | Description |
+| Parameters | Purpose |
 |:---|:---|
-| `type` | Identifies the type of registry. For more information about the available registry types, see "[`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries)." For further details about the configuration of private registries specifically, see "[Configuration options for private registries](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."|
-| `url` | The URL to use to access the dependencies in this registry. The protocol is optional. If not specified, `https://` is assumed. {% data variables.product.prodname_dependabot %} adds or ignores trailing slashes as required. |
-| `username` | The username that {% data variables.product.prodname_dependabot %} uses to access the registry.
`username` is the username or email address for the account. |
-| `password` | A reference to a {% data variables.product.prodname_dependabot %} secret containing the password for the specified user. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."
`password` is the password for the account specified by the username. {% data reusables.dependabot.password-definition %} |
-| `key` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access key for this registry. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)." |
-| `token` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access token for this registry. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."
`token` is used to provide an access token for an external system and should not be used to provide a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}. If you want to use a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, you should supply it as a password. |
-| `replaces-base` | For registries, if the boolean value is `true`, {% data variables.product.prodname_dependabot %} will resolve dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, for registries with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). |
+| `REGISTRY_NAME` | **Required:** Defines an identifier for the registry. |
+| `type` | **Required:** Identifies the type of registry.|
+| Authentication details | **Required:** The parameters supported for supplying authentication details vary for registries of different types. |
+| `url` | **Required:** The URL to use to access the dependencies in this registry. The protocol is optional. If not specified, `https://` is assumed. {% data variables.product.prodname_dependabot %} adds or ignores trailing slashes as required. |
+| `replaces-base` | If the boolean value is `true`, {% data variables.product.prodname_dependabot %} resolves dependencies using the specified `url` rather than the base URL of that ecosystem. |
diff --git a/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md b/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md
index 8c6d05c7a7a8..7665a7cd2137 100644
--- a/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md
+++ b/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md
@@ -1,6 +1,6 @@
 {% data variables.product.prodname_dependabot %} recognizes a variety of versioning tags for pre-releases, stable versions, and custom tags across different ecosystems.
-The `dependabot.yml` file doesn't control the versioning tags that you can use, but you can define in configuration options such as [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) the supported versioning tags you want to ignore updates for.
+The `dependabot.yml` file doesn't control the versioning tags that you can use, but you can define in configuration options such as [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) the supported versioning tags you want to ignore updates for.
 #### Supported versioning tags
diff --git a/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md b/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md
index 022e01b0423d..0d567ae9d4ea 100644
--- a/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md
+++ b/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md
@@ -1,35 +1,45 @@ -#### Example 1 +### Example 1: Three version update groups -The `dependabot.yml` file configuration uses `patterns` and `dependency-type` options to include specific dependencies in the group, and `exclude-patterns` to exclude a dependency (or multiple dependencies) from the group.{% ifversion dependabot-grouped-security-updates-config %} The grouping rule defaults to applying to version updates only, since the `applies-to` key is absent.{% endif %} +In this example, the `dependabot.yml` file: +* Creates three groups, called "`production-dependencies`", "`development-dependencies`", and "`rubocop`". +* Uses `patterns` and `dependency-type` to include dependencies in the group. +* Uses `exclude-patterns` to exclude a dependency (or multiple dependencies) from the group. ```yaml -# `dependabot.yml` file using the `dependency-type` option to group updates -# in conjunction with `patterns` and `exclude-patterns`. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules default to applying to version updates only, since -# the `applies-to` key is absent.{%- endif %} - -groups: - production-dependencies: - dependency-type: "production" - development-dependencies: - dependency-type: "development" - exclude-patterns: - - "rubocop*" - rubocop: - patterns: - - "rubocop*" +version: 2 +updates: + # Keep bundler dependencies up to date + - package-ecosystem: "bundler" + directory: "/" + schedule: + interval: "weekly" + groups: + production-dependencies: + dependency-type: "production" + development-dependencies: + dependency-type: "development" + exclude-patterns: + - "rubocop*" + rubocop: + patterns: + - "rubocop*" ``` -#### Example 2 +As a result: +* Version updates are grouped by dependency type. +* Development dependencies matching the pattern `rubocop*` are excluded from the `development-dependencies` group. +* Instead, development dependencies matching `rubocop*` will be included in the `rubocop` group. 
Due to the ordering, production dependencies matching `rubocop*` will be included in the `production-dependencies` group.{% ifversion dependabot-grouped-security-updates-config %} +* In addition, all groups default to applying to version updates only, since the `applies-to` key is absent.{% endif %} -A `dependabot.yml` file with a customized Bundler configuration, which has been modified to create a group of dependencies. The configuration specifies `patterns` (strings of characters) that match with the name of a dependency (or multiple dependencies) in order to include the dependencies in the group.{% ifversion dependabot-grouped-security-updates-config %} The grouping rule applies to version updates only, since `applies-to: version-updates` is used.{% endif %} +### Example 2: Grouped updates with excluded dependencies -```yaml -# `dependabot.yml` file with customized Bundler configuration -# In this example, the name of the group is `dev-dependencies`, and -# only the `patterns` and `exclude-patterns` options are used. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules apply to version updates only.{%- endif %} +In this example, the `dependabot.yml` file: +* Creates a group called "`support-dependencies`", as part of a customized Bundler configuration. +* Uses `patterns` that match with the name of a dependency (or multiple dependencies) to include dependencies in the group. +* Uses `exclude-patterns` that match with the name of a dependency (or multiple dependencies) to exclude dependencies from the group. {% ifversion dependabot-grouped-security-updates-config %} +* Applies the grouping to version updates only, since `applies-to: version-updates` is used.{% endif %} +```yaml version: 2 updates: # Keep bundler dependencies up to date 
@@ -43,34 +53,38 @@ updates: interval: "weekly" # Create a group of dependencies to be updated together in one pull request groups: - # Specify a name for the group, which will be used in pull request titles - # and branch names - dev-dependencies: - # Define patterns to include dependencies in the group (based on - # dependency name){% ifversion dependabot-grouped-security-updates-config %} - applies-to: version-updates # Applies the group rule to version updates{%- endif %} - patterns: - - "rubocop" # A single dependency name - - "rspec*" # A wildcard string that matches multiple dependency names - - "*" # A wildcard that matches all dependencies in the package - # ecosystem. Note: using "*" may open a large pull request - # Define patterns to exclude dependencies from the group (based on - # dependency name) - exclude-patterns: - - "gc_ruboconfig" - - "gocardless-*" + # Specify a name for the group, which will be used in pull request titles + # and branch names + support-dependencies: + # Define patterns to include dependencies in the group (based on + # dependency name){% ifversion dependabot-grouped-security-updates-config %} + applies-to: version-updates # Applies the group rule to version updates{%- endif %} + patterns: + - "rubocop" # A single dependency name + - "rspec*" # A wildcard string that matches multiple dependency names + - "*" # A wildcard that matches all dependencies in the package + # ecosystem. 
Note: using "*" may open a large pull request + # Define patterns to exclude dependencies from the group (based on + # dependency name) + exclude-patterns: + - "gc_ruboconfig" + - "gocardless-*" ``` -#### Example 3 +As a result: +* The majority of dependencies for bundler are consolidated into the `support-dependencies` group due to the wildcard ("*") pattern, apart from +* Dependencies that match `gc_ruboconfig` and `gocardless-*` are excluded from the group, and {% data variables.product.prodname_dependabot %} continues to raise single pull requests for these dependencies. This can be helpful if updates for these dependencies need to be reviewed with closer scrutiny. +* For `support-dependencies`, {% data variables.product.prodname_dependabot %} will only raise pull requests for version updates. -The `dependabot.yml` file is configured so that any packages matching the pattern `@angular*` where the highest resolvable version is `minor` or `patch` will be grouped together. {% data variables.product.prodname_dependabot %} will create a separate pull request for any package that doesn't match the pattern, or that doesn't update to a `minor` or `patch` version.{% ifversion dependabot-grouped-security-updates-config %} The grouping rule applies to version updates only, since `applies-to: version-updates` is used.{% endif %} +### Example 3: Individual pull requests for major updates and grouped for minor/patch updates -```yaml -# `dependabot.yml` file using the `update-types` option to group updates. -# Any packages matching the pattern @angular* where the highest resolvable -# version is minor or patch will be grouped together. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules apply to version updates only.{%- endif %} +In this example, the `dependabot.yml` file: +* Creates a group called "`angular`". +* Uses `patterns` that match with the name of a dependency to include dependencies in the group. 
+* Uses `update-type` to only include `minor` or `patch` updates in the group.{% ifversion dependabot-grouped-security-updates-config %} +* Applies the grouping to version updates only, since `applies-to: version-updates` is used.{% endif %} +```yaml version: 2 updates: - package-ecosystem: "npm" 
@@ -78,41 +92,58 @@ updates: schedule: interval: "weekly" groups: + # Specify a name for the group, which will be used in pull request titles + # and branch names angular:{% ifversion dependabot-grouped-security-updates-config %} applies-to: version-updates{%- endif %} patterns: - - "@angular*" + - "@angular*" update-types: - - "minor" - - "patch" + - "minor" + - "patch" ``` -#### Example 4 +As a result: +* {% data variables.product.prodname_dependabot %} will create a grouped pull request for all Angular dependencies that have a minor or patch update. +* All major updates will continue to be raised as individual pull requests. -The `dependabot.yml` file uses an `ignore` condition to exclude updates to `major` versions of `@angular*` packages.{% ifversion dependabot-grouped-security-updates-config %} Two grouping rules are specified, one for version updates and one for security updates.{% endif %} +### Example 4: Grouped pull requests for minor/patch updates and no pull requests for major updates -```yaml -# `dependabot.yml` file using the `update-types` option to group updates -# in conjunction with an `ignore` condition. If you do not want updates -# to `major` versions of `@angular*` packages, you can specify an `ignore` condition. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules for both version updates and security updates are specified.{%- endif %} +In this example, the `dependabot.yml` file: +* Creates two groups called "`angular`" and "`minor-and-patch`". {% ifversion dependabot-grouped-security-updates-config %} +* Uses `applies-to` so that the first group applies to version updates only, and the second group applies to security updates only.{% endif %} +* Uses `update-type` to only include `minor` or `patch` updates for both groups. +* Uses an `ignore` condition to exclude updates to `major` versions of `@angular*` packages. 
-groups: - angular:{% ifversion dependabot-grouped-security-updates-config %} - applies-to: version-updates{%- endif %} - patterns: - - "@angular*" - update-types: - - "minor" - - "patch"{% ifversion dependabot-grouped-security-updates-config %} - minor-and-patch: - applies-to: security-updates - patterns: - - "@angular*" - update-types: - - "patch" - - "minor"{%- endif %} -ignore: - - dependency-name: "@angular*" - update-types: ["version-update:semver-major"] +```yaml +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + groups: + angular:{% ifversion dependabot-grouped-security-updates-config %} + applies-to: version-updates{%- endif %} + patterns: + - "@angular*" + update-types: + - "minor" + - "patch"{% ifversion dependabot-grouped-security-updates-config %} + minor-and-patch: + applies-to: security-updates + patterns: + - "@angular*" + update-types: + - "patch" + - "minor"{%- endif %} + ignore: + - dependency-name: "@angular*" + update-types: ["version-update:semver-major"] ``` + +As a result: +* Minor and patch version updates for Angular dependencies are grouped into a single pull request. +* Minor and patch security updates for Angular dependencies are also grouped together into a single pull request. +* {% data variables.product.prodname_dependabot %} won't automatically open pull requests for major updates for Angular. diff --git a/data/reusables/dependabot/initial-updates.md b/data/reusables/dependabot/initial-updates.md index 53fa255a04d0..5df2a5fe876b 100644 --- a/data/reusables/dependabot/initial-updates.md +++ b/data/reusables/dependabot/initial-updates.md 
@@ -3,6 +3,6 @@ When you first enable version updates, you may have many dependencies that are o
 {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %} {% data variables.product.prodname_dependabot %} may also create pull requests when you change a manifest file after an update has failed. This is because changes to a manifest, such as removing the dependency that caused the update to fail, may cause the newly triggered update to succeed.{% endif %}
-To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the [`open-pull-requests-limit` configuration option](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit).
+To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the [`open-pull-requests-limit` configuration option](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#open-pull-requests-limit).
-{% ifversion dependabot-version-updates-groups %}To further reduce the number of pull requests you may be seeing, you can use the [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) configuration option to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many dependencies as possible in the group to the latest versions at the same time.{% endif %}
+{% ifversion dependabot-version-updates-groups %}To further reduce the number of pull requests you may be seeing, you can use the [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration option to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many dependencies as possible in the group to the latest versions at the same time.{% endif %}
diff --git a/data/reusables/dependabot/link-to-yml-config-file.md b/data/reusables/dependabot/link-to-yml-config-file.md
index e5092818e0e5..9b4e51426a04 100644
--- a/data/reusables/dependabot/link-to-yml-config-file.md
+++ b/data/reusables/dependabot/link-to-yml-config-file.md
@@ -1 +1 @@
-For information about the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)."
+For information about the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference).
diff --git a/data/reusables/dependabot/no-security-impact-if-not-default-branch.md b/data/reusables/dependabot/no-security-impact-if-not-default-branch.md
new file mode 100644
index 000000000000..4a9b7585feaa
--- /dev/null
+++ b/data/reusables/dependabot/no-security-impact-if-not-default-branch.md
@@ -0,0 +1,2 @@
+> [!TIP]
+> For security updates, this option has an impact only if this `package-ecosystem` creates pull requests against the default branch for the repository. This option has no impact if `target-branch` is used to define updates to a non-default branch.
diff --git a/data/reusables/dependabot/private-dependencies-note.md b/data/reusables/dependabot/private-dependencies-note.md
index a41e520c2d54..bbe8c194ca62 100644
--- a/data/reusables/dependabot/private-dependencies-note.md
+++ b/data/reusables/dependabot/private-dependencies-note.md
@@ -1 +1 @@
-When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, {% data variables.product.prodname_dependabot %} must be able to access the location at which those dependencies are hosted. Organization owners can grant {% data variables.product.prodname_dependabot %} access to private repositories containing dependencies for a project within the same organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)." You can configure access to private registries in a repository's `dependabot.yml` configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."
+When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, {% data variables.product.prodname_dependabot %} must be able to access the location at which those dependencies are hosted. Organization owners can grant {% data variables.product.prodname_dependabot %} access to private repositories containing dependencies for a project within the same organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)."
You can configure access to private registries in a repository's `dependabot.yml` configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#configuration-options-for-private-registries)."
diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md
index 7fe7b7e82a55..5dc9929b6d99 100644
--- a/data/reusables/dependabot/supported-package-managers.md
+++ b/data/reusables/dependabot/supported-package-managers.md
@@ -69,9 +69,9 @@ Features in any valid dev container location will be updated in a single pull re
 In order for {% data variables.product.prodname_dependabot %} to fetch Docker metadata, maintainers of Docker images must add the `org.opencontainers.image.source` label to their Dockerfile, and include the URL of the source repository. Additionally, maintainers must tag the repository with the same tags as the published Docker images. For an example, see the [`dependabot-fixtures/docker-with-source`](https://github.com/dependabot-fixtures/docker-with-source) repository. For more information on Docker labels, see [Extension image labels](https://docs.docker.com/desktop/extensions-sdk/extensions/labels/) and [BUILDX_GIT_LABELS](https://docs.docker.com/build/building/env-vars/#buildx_git_labels) in the Docker documentation.
 {% endif %}
-{% data variables.product.prodname_dependabot %} can update Docker image tags in Kubernetes manifests. Add an entry to the Docker `package-ecosystem` element of your `dependabot.yml` file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. For information about configuring your `dependabot.yml` file for `docker`, see "`package-ecosystem`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)."
+{% data variables.product.prodname_dependabot %} can update Docker image tags in Kubernetes manifests. Add an entry to the Docker `package-ecosystem` element of your `dependabot.yml` file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts.
For information about configuring your `dependabot.yml` file for `docker`, see "`package-ecosystem`" in "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem)."
-{% data variables.product.prodname_dependabot %} supports both public and private Docker registries. For a list of the supported registries, see "`docker-registry`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)."
+{% data variables.product.prodname_dependabot %} supports both public and private Docker registries. For a list of the supported registries, see "`docker-registry`" in "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry)."
 {% endif %}
 {% data variables.product.prodname_dependabot %} parses Docker image tags for Semantic Versioning ([SemVer](https://semver.org/)). If {% data variables.product.prodname_dependabot %} detects a tag with a pre-release, then it will only suggest an update to the latest version with a matching pre-release, and it will not suggest a newer version that use a different pre-release label. For more information, see the `dependabot-docker` [README.md](https://github.com/dependabot/dependabot-core/blob/main/docker/README.md) file in the `dependabot/dependabot-core` repository.
@@ -152,7 +152,7 @@ Private registry support applies to git registries only. Swift registries are no
 Terraform support includes:
 * Modules hosted on Terraform Registry or a publicly reachable Git repository.
 * Terraform providers.
-* Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see [`git`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git).
+* Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see [`git`](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git).
 #### yarn
diff --git a/data/reusables/dependabot/working-with-actions-considerations.md b/data/reusables/dependabot/working-with-actions-considerations.md
new file mode 100644
index 000000000000..6fdeebef6d89
--- /dev/null
+++ b/data/reusables/dependabot/working-with-actions-considerations.md
@@ -0,0 +1 @@
+{% data variables.product.prodname_dependabot %} is able to trigger {% data variables.product.prodname_actions %} workflows on its pull requests and comments; however, certain events are treated differently.