diff --git a/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md b/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md index 371e473f52ea..dbf493149ffe 100644 --- a/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md +++ b/content/admin/managing-code-security/managing-supply-chain-security-for-your-enterprise/configuring-dependabot-to-work-with-limited-internet-access.md 
@@ -19,7 +19,7 @@ redirect_from: You can use {% data variables.product.prodname_dependabot_updates %} to fix vulnerabilities and keep dependencies updated to the latest version in {% data variables.product.prodname_ghe_server %}. {% data variables.product.prodname_dependabot_updates %} require {% data variables.product.prodname_actions %} with self-hosted runners set up for {% data variables.product.prodname_dependabot %} to use. {% data variables.product.prodname_dependabot %} alerts and security updates use information from the {% data variables.product.prodname_advisory_database %} accessed using {% data variables.product.prodname_github_connect %}. For more information, see [AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates) and [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). -{% data reusables.dependabot.private-registry-support %} Alternatively, if your instance has limited or no internet access, you can configure {% data variables.product.prodname_dependabot %} to use only private registries as a source for security and version updates. For information on which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries#about-configuring-dependabot-to-only-access-private-registries). +{% data reusables.dependabot.private-registry-support %} Alternatively, if your instance has limited or no internet access, you can configure {% data variables.product.prodname_dependabot %} to use only private registries as a source for security and version updates. For information on which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries#about-configuring-dependabot-to-only-access-private-registries). 
The instructions below assume that you need to set up {% data variables.product.prodname_dependabot %} runners with the following limitations. * No internet access. @@ -54,7 +54,8 @@ Before configuring {% data variables.product.prodname_dependabot %}, install Doc ## Verifying the configuration of {% data variables.product.prodname_dependabot %} runners -1. For a test repository, configure {% data variables.product.prodname_dependabot %} to access private registries and remove access to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). +1. For a test repository, configure {% data variables.product.prodname_dependabot %} to access private registries and remove access to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). + 1. In the **Insights** tab for the repository, click **Dependency graph** to display details of the dependencies. 1. Click **{% data variables.product.prodname_dependabot %}** to display the ecosystems configured for version updates. 1. For ecosystems that you want to test, click **Last checked TIME ago** to display the "Update logs" view. 
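Review bot: the empty `+` line added after step 1 in the `@@ -54,7 +54,8` hunk of configuring-dependabot-to-work-with-limited-internet-access.md changes how the numbered list renders (a blank line between items makes the whole list "loose", so every step gets paragraph spacing), which is unrelated to the link path fix this hunk is for; drop that blank line unless the spacing change is intended. The path change itself is consistent with the other hunks in this file (`working-with-dependabot/` to `maintain-dependencies/` for the removing-access page), while the first link in the same step keeps `working-with-dependabot/configuring-access-to-private-registries-for-dependabot`, which matches the "Further reading" entry in the new article, so that one looks deliberate.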
@@ -62,4 +63,4 @@ Before configuring {% data variables.product.prodname_dependabot %}, install Doc When the check for updates is complete, you should check the "Update logs" view to verify that {% data variables.product.prodname_dependabot %} accessed the configured private registries on your instance to check for version updates. -After you have verified that the configuration is correct, ask repository administrators to update their {% data variables.product.prodname_dependabot %} configurations to use private registries only. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). +After you have verified that the configuration is correct, ask repository administrators to update their {% data variables.product.prodname_dependabot %} configurations to use private registries only. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). diff --git a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md index 9ccc7a247b7a..579756c2e78f 100644 --- a/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md +++ b/content/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts.md 
@@ -82,7 +82,7 @@ The alert details page of alerts on development-scoped packages shows a "Tags" s 1. Click the alert that you would like to view. 1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). - ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png) + ![Screenshot of the right sidebar of a {% data variables.product.prodname_dependabot %} alert. A link, titled "Suggest improvements for this advisory...", is outlined in orange.](/assets/images/help/dependabot/dependabot-improve-security-advisory.png) ## Reviewing and fixing alerts 
@@ -121,7 +121,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert 1. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later. 1. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see [AUTOTITLE](/graphql/reference/objects#repositoryvulnerabilityalert) in the GraphQL API documentation. - ![Screenshot of the page for a Dependabot alert, with the "Dismiss" dropdown and the option to add a dismissal comment highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-alerts-dismissal-comment.png) + ![Screenshot of a {% data variables.product.prodname_dependabot %} alert page, with the "Dismiss" dropdown and the option to add a dismissal comment outlined in orange.](/assets/images/help/repository/dependabot-alerts-dismissal-comment.png) 1. Click **Dismiss alert**. 
@@ -134,7 +134,7 @@ If you schedule extensive work to upgrade a dependency, or decide that an alert 1. Optionally, at the top of the list of alerts, select all alerts on the page. ![Screenshot of the header section of the {% data variables.product.prodname_dependabot_alerts %} view. The "Select all" checkbox is highlighted with a dark orange outline.](/assets/images/help/graphs/select-all-alerts.png) 1. Select the "Dismiss alerts" dropdown, and click a reason for dismissing the alerts. - ![Screenshot of a list of alerts. Below the "Dismiss alerts" button, a dropdown labeled "Select a reason to dismiss" is expanded. The dropdown contains radio buttons for various options.](/assets/images/help/graphs/dismiss-multiple-alerts.png) + ![Screenshot of a list of alerts. Below the "Dismiss alerts" button, a dropdown labeled "Select a reason to dismiss" is expanded.](/assets/images/help/graphs/dismiss-multiple-alerts.png) ## Viewing and updating closed alerts 
@@ -166,4 +166,4 @@ When a member of your organization {% ifversion not fpt %}or enterprise {% endif ![Screenshot of the audit log showing Dependabot alerts.](/assets/images/help/dependabot/audit-log-ui-dependabot-alert.png) -Events in your audit log for {% data variables.product.prodname_dependabot_alerts %} include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the {% data variables.product.prodname_dependabot_alerts %} actions, see the `repository_vulnerability_alert` category in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert){% ifversion not fpt %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#repository_vulnerability_alert).{% else %}."{% endif %} +Events in your audit log for {% data variables.product.prodname_dependabot_alerts %} include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. 
For information on the {% data variables.product.prodname_dependabot_alerts %} actions, see the `repository_vulnerability_alert` category in [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert){% ifversion not fpt %} and [AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#repository_vulnerability_alert).{% else %}.{% endif %} diff --git a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md index 85bed65e8ce9..2ecbf9d7cf92 100644 --- a/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md +++ b/content/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates.md 
@@ -43,18 +43,18 @@ If you enable {% data variables.product.prodname_dependabot_security_updates %}, {% data variables.product.prodname_dotcom %} may send {% data variables.product.prodname_dependabot_alerts %} to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. {% data reusables.security-advisory.link-browsing-advisory-db %} -{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors). +{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors). The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. 
However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included). > [!NOTE] -> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert). +> For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert). You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. 
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). {% data reusables.dependabot.pull-request-security-vs-version-updates %} -If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-the-dependabotyml-file). +If you enable _{% data variables.product.prodname_dependabot_security_updates %}_, parts of the configuration may also affect pull requests created for _{% data variables.product.prodname_dependabot_version_updates %}_. This is because some configuration settings are common to both types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). {% data reusables.dependabot.dependabot-updates-prs-and-actions %} @@ -95,7 +95,7 @@ For security updates, {% data variables.product.prodname_dependabot %} will only ## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %} -{% data reusables.dependabot.automatically-pause-dependabot-updates %} +{% data reusables.dependabot.automatic-deactivation-link %} ## About notifications for {% data variables.product.prodname_dependabot %} security updates diff --git a/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md b/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md index c927fcdc33c2..955f6ea95b26 100644 --- a/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md 
+++ b/content/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates.md @@ -113,9 +113,9 @@ Use the `groups` option with the `applies-to: security-updates` key to create se If you only require _security_ updates and want to exclude _version_ updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`. -For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). +For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). -```yaml +```yaml copy # Example configuration file that: # - Has a private registry # - Ignores lodash dependency diff --git a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md new file mode 100644 index 000000000000..480575000840 --- /dev/null +++ b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md 
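Review bot: the `@@ -95,7 +95,7` hunk of about-dependabot-security-updates.md swaps `{% data reusables.dependabot.automatically-pause-dependabot-updates %}` for `{% data reusables.dependabot.automatic-deactivation-link %}`, but no hunk in this patch adds the new reusable; confirm that `data/reusables/dependabot/automatic-deactivation-link.md` is part of the PR (the build fails on an unresolved reusable) and that the old reusable is removed if nothing references it any more. In the `@@ -43,18 +43,18` hunk, the sentence "some configuration settings are common to both types of updates" now links to `customizing-dependabot-security-prs` instead of the configuration-options reference; that reads fine, since the new article covers exactly those shared keys. The `yaml` to `yaml copy` fence change in configuring-dependabot-security-updates.md is consistent with the fences in the new article.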
@@ -0,0 +1,174 @@ +--- +title: Customizing pull requests for Dependabot security updates +intro: 'Learn how to customize Dependabot pull requests for security updates to align with your project''s security priorities and workflows.' +allowTitleToDifferFromFilename: true +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: how_to +topics: + - Dependabot + - Security updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Customize Dependabot PRs +--- + +## About customizing pull requests for security updates + +You can customize how {% data variables.product.prodname_dependabot %} raises pull requests for security updates, so that they best fit your project's security priorities and processes. For example: +* **Optimize {% data variables.product.prodname_dependabot %} pull requests to prioritize meaningful updates** by grouping multiple updates into a single pull request. +* Applying custom labels to **integrate {% data variables.product.prodname_dependabot %}'s pull requests** into your existing workflows. + +Similar to version updates, customization options for security updates are defined in the `dependabot.yml` file. If you have already customized the `dependabot.yml` for version updates, then many of the configuration options that you have defined could automatically apply to security updates, too. However, there's a couple of important points to note: +* {% data variables.product.prodname_dependabot_security_updates %} are **always triggered by a security advisory**, rather than running according to the `schedule` you have set in the `dependabot.yml` for version updates. +* {% data variables.product.prodname_dependabot %} raises pull requests for security updates against the **default branch only**. If your configuration sets a value for `target-branch`, then the customization for that package ecosystem will only apply to version updates by default. 
+ +If you haven't yet configured a `dependabot.yml` file for your repository and you want to customize pull requests for security updates, you must first: +* Check in a `dependabot.yml` file into the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). +* Set all the required keys. For more information, see [Required keys](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#required-keys). +* If you want the customization for a package ecosystem to **only apply to security updates** (and exclude version updates), set the `open-pull-requests-limit` key to `0`. + +You can then consider what your needs and priorities are for security updates, and apply a combination of the customization options outlined below. + +{% ifversion dependabot-grouped-security-updates-config %} + +## Prioritizing meaningful updates + +To create a more **targeted review process** that prioritizes meaningful updates, use `groups` to combine security updates for multiple dependencies into a single pull request. + +For detailed guidance, see [Prioritizing meaningful updates](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#prioritizing-meaningful-updates). + +{% endif %} + +## Automatically adding reviewers and assignees + +To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests. + +For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees). 
+ +## Labeling pull requests with custom labels + +To **prioritize** specific pull requests, or integrate them into CI/CD pipelines, use `labels` to apply your own **custom labels** to each pull request. + +For detailed guidance, see [Labeling pull requests with custom labels](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#labeling-pull-requests-with-custom-labels). + +## Adding a prefix to commit messages + +To **integrate** with automations that process commit messages or pull requests titles, use `commit-message` to specify the prefix that you want for commit messages and pull request titles. + +For detailed guidance, see [Adding a prefix to commit messages](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#adding-a-prefix-to-commit-messages). + +## Associating pull requests with a milestone + +To **track progress** towards a project goal or release, use `milestone` to associate {% data variables.product.prodname_dependabot %}'s pull requests with a milestone. + +For detailed guidance, see [Associating pull requests with a milestone](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#associating-pull-requests-with-a-milestone). + +## Changing the separator in the pull request branch name + +To ensure your **branch names align** with your team's existing conventions, use `pull-request-branch-name.separator` to specify the separator you want {% data variables.product.prodname_dependabot %} to use for branch names. + +For detailed guidance, see [Changing the separator in the pull request branch name](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#changing-the-separator-in-the-pull-request-branch-name). + +## Example 1: configuration for security updates only + +In this example, the `dependabot.yml` file: +* Uses a private registry for updates to npm dependencies. 
+* Disables version updates for dependencies, so that any customizations apply to security updates only. +* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds reviewers and assignees.{% ifversion dependabot-grouped-security-updates-config %} +* Groups security updates for golang dependencies into a single pull request.{% endif %} + +```yaml copy +# Example configuration file that: +# - Uses a private registry for npm updates +# - Ignores lodash dependency +# - Disables version-updates +# - Applies custom labels +# - Adds reviewers and assignees +{% ifversion dependabot-grouped-security-updates-config %}# - Group security updates for golang dependencies into a single pull request{%- endif %} + +version: 2 +registries: + # Define a private npm registry with the name `example` + example: + type: npm-registry + url: https://example.com + token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %} +updates: + - package-ecosystem: "npm" + directory: "/src/npm-project" + schedule: + interval: "daily" + # For Lodash, ignore all updates + ignore: + - dependency-name: "lodash" + # Disable version updates for npm dependencies + open-pull-requests-limit: 0 + registries: + # Ask Dependabot to use the private registry for npm + - example + # Raise all npm pull requests for security updates with custom labels + labels: + - "npm dependencies" + - "triage-board" + # Raise all npm pull requests for security updates with reviewers + reviewers: + - "my-org/team-name" + - "octocat" + # Raise all npm pull requests for security updates with assignees + assignees: + - "user-name" + {% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod" + groups: + # Group security updates for golang dependencies + # into a single pull request + golang: + applies-to: security-updates + patterns: + - "golang.org*"{% endif %} +``` + +## Example 2: configuration for version updates and security updates 
+ +In this example, the `dependabot.yml` file: +* Is customized so that {% data variables.product.prodname_dependabot %} adds reviewers and custom labels to both version updates and security updates.{% ifversion dependabot-grouped-security-updates-config %} +* Uses the `groups` customization option to create two groups ("`angular`" and "`production-dependencies`") in order to group multiple updates into single pull requests. +* Specifies that the `groups` customization for `angular` applies to security updates only. +* Specifies that the `groups` customization for `production-dependencies` applies to version updates only.{% endif %} + +```yaml copy +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" +# Raise all npm pull requests for security and version updates with custom labels + labels: + - "npm dependencies" + - "triage-board" + # Raise all npm pull requests for security and version updates with reviewers + reviewers: + - "my-org/team-name" + - "octocat"{% ifversion dependabot-grouped-security-updates-config %} + groups: + angular: + # Group security updates for Angular dependencies into a single pull request + applies-to: security-updates + patterns: + - "@angular*" + production-dependencies: + # Group version updates for dependencies of type "production" into a single pull request + applies-to: version-updates + dependency-type: "production"{%- endif %} +``` + +## Further reading + +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference) +* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) diff --git a/content/code-security/dependabot/dependabot-security-updates/index.md b/content/code-security/dependabot/dependabot-security-updates/index.md index 93a6f622bd8f..3877a1c866f8 100644 --- a/content/code-security/dependabot/dependabot-security-updates/index.md 
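Review bot: in Example 1 of the new customizing-dependabot-security-prs.md, the `gomod` entry inside `{% ifversion dependabot-grouped-security-updates-config %}` has only `package-ecosystem` and `groups`; the article's own bullet "Set all the required keys" (and the reference being deleted in this PR, which lists `package-ecosystem`, `directory` and `schedule.interval` as options you must include in every configuration) means this entry is incomplete as shown, so add `directory: "/"` and a `schedule:` / `interval:` block, plus `open-pull-requests-limit: 0` if the golang entry is meant to be security-only like the npm entry above it. Two smaller points in the same file: the Example 1 bullets do not mention the `ignore:` / `- dependency-name: "lodash"` setting that the YAML and its header comment carry (add a bullet or drop the setting), and in Example 2 the comment `# Raise all npm pull requests for security and version updates with custom labels` sits at column 0 while the `labels:` key it annotates is indented four spaces. Wording: "there's a couple of important points to note" should be "there are a couple of important points to note", "pull requests titles" should be "pull request titles", and the two bullets under "For example:" mix an imperative ("Optimize ...") with a gerund ("Applying ..."); make them parallel.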
+++ b/content/code-security/dependabot/dependabot-security-updates/index.md @@ -16,5 +16,5 @@ shortTitle: Dependabot security updates children: - /about-dependabot-security-updates - /configuring-dependabot-security-updates + - /customizing-dependabot-security-prs --- - diff --git a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md index a809edb1b1b3..c7d111b1f1d1 100644 --- a/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates.md @@ -52,7 +52,7 @@ If you enable _security updates_, {% data variables.product.prodname_dependabot You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly. -{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates). +{% data reusables.dependabot.initial-updates %} {% ifversion dependabot-version-updates-groups %}For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).{% endif %} If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. 
@@ -60,9 +60,7 @@ If you've enabled security updates, you'll sometimes see extra pull requests for ## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %} -{% data reusables.dependabot.automatically-pause-dependabot-updates %} - -{% data variables.product.prodname_dependabot %} also stops rebasing pull requests for version and security updates after 30 days, reducing notifications for inactive {% data variables.product.prodname_dependabot %} pull requests. +{% data reusables.dependabot.automatic-deactivation-link %} ## About notifications for {% data variables.product.prodname_dependabot %} version updates diff --git a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md b/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md deleted file mode 100644 index c51b26be00bb..000000000000 --- a/content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md +++ /dev/null 
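Review bot: the `@@ -60,9 +60,7` hunk of about-dependabot-version-updates.md removes, together with the old reusable, the standalone sentence stating that Dependabot also stops rebasing pull requests for version and security updates after 30 days; if the page behind `reusables.dependabot.automatic-deactivation-link` does not carry that fact, it is lost from this article, so please check the target before merging. In the `@@ -52,7 +52,7` hunk, wrapping the "For more information" link in `{% ifversion dependabot-version-updates-groups %}` means the link text only appears on versions that have groups, which is correct for a link into optimizing-pr-creation-version-updates.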
@@ -1,1410 +0,0 @@ ---- -title: Configuration options for the dependabot.yml file -intro: 'Detailed information for all the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories.' -permissions: '{% data reusables.permissions.dependabot-yml-configure %}' -allowTitleToDifferFromFilename: true -redirect_from: - - /github/administering-a-repository/configuration-options-for-dependency-updates - - /code-security/supply-chain-security/configuration-options-for-dependency-updates - - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates -versions: - fpt: '*' - ghec: '*' - ghes: '*' -type: reference -topics: - - Dependabot - - Version updates - - Repositories - - Dependencies - - Pull requests -shortTitle: Configure dependabot.yml ---- - -{% data reusables.dependabot.enterprise-enable-dependabot %} - -## About the `dependabot.yml` file - -The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes). - -You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. For more information and an example, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). - -Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). 
- -> [!NOTE] -> You cannot configure {% data variables.product.prodname_dependabot_alerts %} using the `dependabot.yml` file. - -The `dependabot.yml` file has two mandatory top-level keys: `version`, and `updates`. You can, optionally, include a top-level `registries` key. The file must start with `version: 2`. - -For a real-world example of `dependabot.yml` file, see [{% data variables.product.prodname_dependabot %}'s own configuration file](https://github.com/dependabot/dependabot-core/blob/main/.github/dependabot.yml). - -## Configuration options for the `dependabot.yml` file - -The top-level `updates` key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. You can use the following options. - -{% data reusables.dependabot.configuration-options %} -{% ifversion dependabot-updates-multidirectory-support %} - -{% data reusables.dependabot.directory-directories-required %} - -{% endif %} -These options fit broadly into the following categories. - -* Essential set up options that you must include in all configurations: [`package-ecosystem`](#package-ecosystem), [`directory`](#directory){% ifversion dependabot-updates-multidirectory-support %} or [`directories`](#directories){% endif %},[`schedule.interval`](#scheduleinterval). -* Options to customize the update schedule: [`schedule.time`](#scheduletime), [`schedule.timezone`](#scheduletimezone), [`schedule.day`](#scheduleday). -* Options to control which dependencies are updated: [`allow`](#allow), {% ifversion dependabot-version-updates-groups %}[`groups`](#groups),{% endif %} [`ignore`](#ignore), [`vendor`](#vendor). -* Options to add metadata to pull requests: [`reviewers`](#reviewers), [`assignees`](#assignees), [`labels`](#labels), [`milestone`](#milestone). 
-* Options to change the behavior of the pull requests: [`target-branch`](#target-branch), [`versioning-strategy`](#versioning-strategy), [`commit-message`](#commit-message), [`rebase-strategy`](#rebase-strategy), [`pull-request-branch-name.separator`](#pull-request-branch-nameseparator). - -In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option changes the maximum number of pull requests for version updates that {% data variables.product.prodname_dependabot %} can open. - -> [!NOTE] -> Some of these configuration options may also affect pull requests raised for security updates of vulnerable package manifests. -> -> Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options. -> -> In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). - -### `package-ecosystem` - -**Required**. You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. - -If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below. - -If you want to allow {% data variables.product.prodname_dependabot %} to access a private package registry when performing a version update, you can include a `registries` setting in the configuration file. 
For more information, see [`registries`](#registries) below.{% ifversion ghes %} - -> [!NOTE] -> Enterprise owners can download the most recent version of the [{% data variables.product.prodname_dependabot %} action](https://github.com/github/dependabot-action) to get the best ecosystem coverage. {% data reusables.actions.action-bundled-actions %} - -{% endif %} - -{% data reusables.dependabot.supported-package-managers %} - -#### Example of a basic setup for three package managers - -```yaml -# Basic set up for three package managers - -version: 2 -updates: - - # Maintain dependencies for GitHub Actions - - package-ecosystem: "github-actions" - # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.) - directory: "/" - schedule: - interval: "weekly" - - # Maintain dependencies for npm - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - - # Maintain dependencies for Composer - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" -``` - -### `directory` - -**Required**. You must define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). You define the directory relative to the root of the repository for all ecosystems except {% data variables.product.prodname_actions %}. - -{% ifversion dependabot-updates-multidirectory-support %} - -{% data reusables.dependabot.directories-option-overview %} For more information, see [`directories`](#directories). - -{% data reusables.dependabot.directory-directories-required %} - -{% endif %} - -For {% data variables.product.prodname_actions %}, you do not need to set the directory to `/.github/workflows`. 
Configuring the key to `/` automatically instructs {% data variables.product.prodname_dependabot %} to search the `/.github/workflows` directory, as well as the _action.yml_ / _action.yaml_ file from the root directory. - -```yaml -# Specify location of manifest files for each package manager - -version: 2 -updates: - - package-ecosystem: "composer" - # Files stored in repository root - directory: "/" - schedule: - interval: "weekly" - - - package-ecosystem: "npm" - # Files stored in `app` directory - directory: "/app" - schedule: - interval: "weekly" - - - package-ecosystem: "github-actions" - # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.) - directory: "/" - schedule: - interval: "weekly" -``` - -{% ifversion dependabot-updates-multidirectory-support %} - -### `directories` - -**Required**. You must define the locations of the package manifests for each package manager. You define directories relative to the root of the repository for all ecosystems except {% data variables.product.prodname_actions %}. The `directories` option contains a list of strings representing directories. 
- -{% data reusables.dependabot.directory-directories-required %} - -```yaml -# Specify locations of manifest files for each package manager using `directories` - -version: 2 -updates: - - package-ecosystem: "bundler" - directories: - - "/frontend" - - "/backend" - - "/admin" - schedule: - interval: "weekly" -``` - -{% data reusables.dependabot.directories-option-overview %} - -{% data reusables.dependabot.directory-vs-directories-guidance %} - -```yaml -# Specify locations of manifest files for each package manager using both `directories` and `directory` - -version: 2 -updates: - - package-ecosystem: "bundler" - directories: - - "/frontend" - - "/backend" - - "/admin" - schedule: - interval: "weekly" - - package-ecosystem: "bundler" - directory: "/" - schedule: - interval: "daily" -``` - -> [!NOTE] -> The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key. - -```yaml -# Specify the root directory and directories that start with "lib-", using globbing, for locations of manifest files - -version: 2 -updates: - - package-ecosystem: "composer" - directories: - - "/" - - "/lib-*" - schedule: - interval: "weekly" -``` - -```yaml -# Specify the root directory and directories in the root directory as the location of manifest files using the wildcard character - -version: 2 -updates: - - package-ecosystem: "composer" - directories: - - "*" - schedule: - interval: "weekly" -``` - -```yaml -# Specify all directories from the current layer and below recursively, using globstar, for locations of manifest files - -version: 2 -updates: - - package-ecosystem: "composer" - directories: - - "**/*" - schedule: - interval: "weekly" -``` - -{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about grouping, see [`groups`](#groups). - -{% endif %} - -### `schedule.interval` - -**Required**. You must define how often to check for new versions for each package manager. 
By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone). - -> [!NOTE] -> The `schedule.time` option is a best effort, and it may take some time before {% data variables.product.prodname_dependabot %} opens pull requests to update to newer dependency versions. - -| Interval types | Frequency | -|----------------|-----------| -| `daily` | Runs on every weekday, Monday to Friday.| -| `weekly`| Runs once each week. By default, this is on Monday. To modify this, use [`schedule.day`](#scheduleday).| -| `monthly` | Runs once each month. This is on the first day of the month. | - -```yaml -# Set update schedule for each package manager - -version: 2 -updates: - - - package-ecosystem: "github-actions" - # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.) - directory: "/" - schedule: - # Check for updates to GitHub Actions every weekday - interval: "daily" - - - package-ecosystem: "composer" - directory: "/" - schedule: - # Check for updates managed by Composer once a week - interval: "weekly" -``` - -> [!NOTE] -> `schedule` defines when {% data variables.product.prodname_dependabot %} attempts a new update. However, it's not the only time you may receive pull requests. Updates can be triggered based on changes to your `dependabot.yml` file, {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %}changes to your manifest file(s) after a failed update, {% endif %}or {% data variables.product.prodname_dependabot_security_updates %}. 
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates). -> -> {% data reusables.dependabot.version-updates-skip-scheduled-runs %} - -### `allow` - -{% data reusables.dependabot.default-dependencies-allow-ignore %} - -Use the `allow` option to customize which dependencies are updated. This applies to both version and security updates. You can use the following options: - -* `dependency-name`: Use to allow updates for dependencies with matching names, optionally using `*` to match zero or more characters. - * For Java dependencies, the format of the `dependency-name` attribute is: `groupId:artifactId`; for example: `org.kohsuke:github-api`. - * For Docker image tags, the format is the full name of the repository; for example, for an image tag of `.dkr.ecr.us-west-2.amazonaws.com/base/foo/bar/ruby:3.1.0-focal-jemalloc`, use `base/foo/bar/ruby`. - -* `dependency-type`: Use to allow updates for dependencies of specific types. - - | Dependency types | Supported by package managers | Allow updates | - |------------------|-------------------------------|--------| - | `direct` | All | All explicitly defined dependencies. | - | `indirect` | `bundler`, `pip`, `composer`, `cargo`, `gomod` | Dependencies of direct dependencies (also known as sub-dependencies, or transient dependencies).| - | `all` | All | All explicitly defined dependencies. For `bundler`, `pip`, `composer`, `cargo`, `gomod`, also the dependencies of direct dependencies.| - | `production` | `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only dependencies in the "Production dependency group". | - | `development`| `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only dependencies in the "Development dependency group". 
| - -```yaml -# Use `allow` to specify which dependencies to maintain - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - allow: - # Allow updates for Lodash - - dependency-name: "lodash" - # Allow updates for React and any packages starting "react" - - dependency-name: "react*" - - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" - allow: - # Allow both direct and indirect updates for all packages - - dependency-type: "all" - - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - allow: - # Allow only direct updates for - # Django and any packages starting "django" - - dependency-name: "django*" - dependency-type: "direct" - # Allow only production updates for Sphinx - - dependency-name: "sphinx" - dependency-type: "production" -``` - -### `assignees` - -Use `assignees` to specify individual assignees for all pull requests raised for a package manager. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify assignees for pull requests - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Add assignees - assignees: - - "octocat" -``` - -### `commit-message` - -By default, {% data variables.product.prodname_dependabot %} attempts to detect your commit message preferences and use similar patterns. Use the `commit-message` option to specify your preferences explicitly. This setting also impacts the titles of pull requests. - -We populate the titles of pull requests based on the commit messages, whether explicitly set or auto-detected from the repository history. - -Supported options - -> [!NOTE] -> The `prefix` and the `prefix-development` options have a 50-character limit. - -* `prefix` specifies a prefix for all commit messages and it will also be added to the start of the PR title. 
- When you specify a prefix for commit messages, {% data variables.product.prodname_dotcom %} will automatically add a colon between the defined prefix and the commit message provided the defined prefix ends with a letter, number, closing parenthesis, or closing bracket. This means that, for example, if you end the prefix with a whitespace, there will be no colon added between the prefix and the commit message. - The code snippet below provides examples of both in the same configuration file. - -* `prefix-development` specifies a separate prefix for all commit messages that update dependencies in the Development dependency group. When you specify a value for this option, the `prefix` is used only for updates to dependencies in the Production dependency group. This is supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. -* `include: "scope"` specifies that any prefix is followed by the type of the dependencies (`deps` or `deps-dev`) updated in the commit. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Customize commit messages - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - commit-message: - # Prefix all commit messages with "npm: " - prefix: "npm" - - - package-ecosystem: "docker" - directory: "/" - schedule: - interval: "weekly" - commit-message: - # Prefix all commit messages with "[docker] " (no colon, but a trailing whitespace) - prefix: "[docker] " - - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" - # Prefix all commit messages with "Composer" plus its scope, that is, a - # list of updated dependencies - commit-message: - prefix: "Composer" - include: "scope" - - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Include a list of updated dependencies - # with a prefix determined by the dependency group - commit-message: - prefix: "pip prod" - prefix-development: "pip dev" -``` - -If you 
use the same configuration as in the example above, bumping the `requests` library in the `pip` development dependency group will generate a commit message of: - - `pip dev: bump requests from 1.0.0 to 1.0.1` - -{% ifversion dependabot-version-updates-groups %} - -### `groups` - -{% ifversion dependabot-grouped-security-updates-config %}{% data reusables.dependabot.dependabot-security-updates-groups-supported %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %} - -{% data reusables.dependabot.dependabot-version-updates-groups-about %} - -{% data reusables.dependabot.dependabot-version-updates-groups-semver %} - -{% data reusables.dependabot.dependabot-version-updates-supported-options-for-groups %} - -{% ifversion dependabot-grouped-security-updates-config %} -The `applies-to` key is used to specify whether a set of grouping rules is intended for version updates or security updates. Using the `applies-to` key is optional. If the `applies-to` key is absent from a set of grouping rules, it defaults to `version-updates` for backwards compatibility. You cannot apply a single grouping set of rules to both version updates and security updates. Instead, if you want to group both version updates and security updates using the same criteria, you must define two, separately named, grouping sets of rules. To do this, you can copy the group configuration block for the ecosystem and directory, and name each set of rules differently. -{% endif %} - -{% data reusables.dependabot.dependabot-version-updates-groups-match-first %} - -If a dependency doesn't belong to any group, {% data variables.product.prodname_dependabot %} will continue to raise single pull requests to update the dependency to its latest version as normal. {% data variables.product.prodname_dotcom %} reports in the logs if a group is empty. 
For more information, see [{% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-fails-to-group-a-set-of-dependencies-into-a-single-pull-request). - -When a scheduled update runs, {% data variables.product.prodname_dependabot %} will refresh pull requests for grouped updates using the following rules: -* If all the same dependencies need to be updated to the same versions, {% data variables.product.prodname_dependabot %} will rebase the branch. -* If all the same dependencies need to be updated, but a newer version has become available for one (or more) of the dependencies, {% data variables.product.prodname_dependabot %} will close the pull request and create a new one. -* If the dependencies to be updated have changed - for example, if another dependency in the group now has an update available - {% data variables.product.prodname_dependabot %} will close the pull request and create a new one. - -You can also manage pull requests for grouped version updates and security updates using comment commands, which are short comments you can make on a pull request to give instructions to {% data variables.product.prodname_dependabot %}. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands). - -{% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} - -{% ifversion dependabot-grouped-security-updates-config %} - -{% data reusables.dependabot.multidirectory-vs-pr-grouping %} For more information about multidirectory support, see [`directories`](#directories). 
- -{% endif %} - -{% endif %} - -### `ignore` - -{% data reusables.dependabot.default-dependencies-allow-ignore %} - -Dependencies can be ignored either by adding them to `ignore` or by using the `@dependabot ignore` command on a pull request opened by {% data variables.product.prodname_dependabot %}. - -> [!WARNING] -> * We recommend you do _not_ use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. This may work for some ecosystems but we have no means of knowing whether package managers require access to all dependencies to be able to successfully perform updates, which makes this method unreliable. The supported way to handle private dependencies is to give {% data variables.product.prodname_dependabot %} access to private registries or private repositories. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). -> * For {% data variables.product.prodname_actions %} and Docker, you may use `ignore` to prevent {% data variables.product.prodname_dependabot %} from accessing private registries. - -#### Creating `ignore` conditions from `@dependabot ignore` - -Dependencies ignored by using the `@dependabot ignore` command are stored centrally for each package manager. If you start ignoring dependencies in the `dependabot.yml` file, these existing preferences are considered alongside the `ignore` dependencies in the configuration. - -You can check whether a repository has stored `ignore` preferences by searching the repository for `"@dependabot ignore" in:comments`, or by using the `@dependabot show DEPENDENCY_NAME ignore conditions` comment command. If you wish to unblock updates for a dependency ignored this way, re-open the pull request. This clears the `ignore` conditions that were set when the pull request was closed and resumes those {% data variables.product.prodname_dependabot %} updates for the dependency. 
To update the dependency to a newer version, merge the pull request. {% ifversion dependabot-version-updates-groups %}In pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use the `@dependabot unignore` commands to clear `ignore` settings for dependencies.{% endif %} - -For more information about the `@dependabot ignore` commands, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). - -#### Specifying dependencies and versions to ignore - -You can use the `ignore` option to customize which dependencies are updated. The `ignore` option supports the following options. - -| Option | Description | -|--------|-------------| -|dependency-name | Use to ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters.
For Java dependencies, the format of the `dependency-name` attribute is: `groupId:artifactId` (for example: `org.kohsuke:github-api`).
To prevent {% data variables.product.prodname_dependabot %} from automatically updating TypeScript type definitions from DefinitelyTyped, use `@types/*`. | -| `versions` | Use to ignore specific versions or ranges of versions. If you want to define a range, use the standard pattern for the package manager.
For example, for npm, use `^1.0.0`; for Bundler, use `~> 2.0`; for Docker, use Ruby version syntax; for NuGet, use `7.*`. | -| update-types | Use to ignore types of updates, such as semver `major`, `minor`, or `patch` updates on version updates (for example: `version-update:semver-patch` will ignore patch updates). You can combine this with `dependency-name: "*"` to ignore particular `update-types` for all dependencies.
Currently, `version-update:semver-major`, `version-update:semver-minor`, and `version-update:semver-patch` are the only supported options. | - -When used alone, the `ignore.versions` key affects both {% data variables.product.prodname_dependabot %} updates, but the `ignore.update-types` key affects only {% data variables.product.prodname_dependabot_version_updates %}. - -However, if `versions` and `update-types` are used together in the same `ignore` rule, both {% data variables.product.prodname_dependabot %} updates are affected, unless the configuration uses `target-branch` to check for version updates on a non-default branch. - -```yaml -# Use `ignore` to specify dependencies that should not be updated - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - ignore: - - dependency-name: "express" - # For Express, ignore all Dependabot updates for version 4 and 5 - versions: ["4.x", "5.x"] - # For Lodash, ignore all updates - - dependency-name: "lodash" - # For AWS SDK, ignore all patch updates for version updates only - - dependency-name: "aws-sdk" - update-types: ["version-update:semver-patch"] - - package-ecosystem: 'github-actions' - directory: '/' - schedule: - interval: 'weekly' - ignore: - - dependency-name: 'actions/checkout' - # For GitHub Actions, ignore all updates greater than or equal to version 3 - versions: '>= 3' -``` - -> [!NOTE] -> {% data variables.product.prodname_dependabot %} can only run version updates on manifest or lock files if it can access all of the dependencies in the file, even if you add inaccessible dependencies to the `ignore` option of your configuration file. 
For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-cant-resolve-your-dependency-files). - -> [!NOTE] -> For the `pub` ecosystem, {% data variables.product.prodname_dependabot %} won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available. - -The following examples show how `ignore` can be used to customize which dependencies are updated. - -##### Ignore updates beyond a specific version - - ```yaml - ignore: - - dependency-name: "lodash:*" - versions: [ ">=1.0.0" ] - ``` - -##### Ignore updates beyond a specific version - - ```yaml - ignore: - - dependency-name: "sphinx" - versions: [ "[1.1,)" ] - ``` - -##### Ignore patch updates - - ```yaml - ignore: - - dependency-name: "@types/node" - update-types: ["version-update:semver-patch"] - ``` - -##### Ignore updates for a specific version - - ```yaml - ignore: - - dependency-name: "django*" - versions: [ "11" ] - ``` - -### `insecure-external-code-execution` - -Package managers with the `package-ecosystem` values `bundler`, `mix`, and `pip` may execute external code in the manifest as part of the version update process. This might allow a compromised package to steal credentials or gain access to configured registries. When you add a [`registries`](#registries) setting within an `updates` configuration, {% data variables.product.prodname_dependabot %} automatically prevents external code execution, in which case the version update may fail. 
You can choose to override this behavior and allow external code execution for `bundler`, `mix`, and `pip` package managers by setting `insecure-external-code-execution` to `allow`. - -{% raw %} - -```yaml -# Allow external code execution when updating dependencies from private registries - -version: 2 -registries: - ruby-github: - type: rubygems-server - url: https://rubygems.pkg.github.com/octocat/github_api - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} -updates: - - package-ecosystem: "bundler" - directory: "/rubygems-server" - insecure-external-code-execution: allow - registries: "*" - schedule: - interval: "monthly" -``` - -{% endraw %} - -If you define a `registries` setting to allow {% data variables.product.prodname_dependabot %} to access a private package registry, and you set `insecure-external-code-execution` to `allow` in the same `updates` configuration, external code execution that occurs will only have access to the package managers in the registries associated with that `updates`setting. There is no access allowed to any of the registries defined in the top level `registries` configuration. - -In this example, the configuration file allows {% data variables.product.prodname_dependabot %} to access the `ruby-github` private package registry. In the same `updates`setting, `insecure-external-code-execution`is set to `allow`, which means that the code executed by dependencies will only access the `ruby-github` registry, and not the `dockerhub` registry. 
- -{% raw %} - -```yaml -# Using `registries` in conjunction with `insecure-external-code-execution:allow` -# in the same `updates` setting - -version: 2 -registries: - ruby-github: - type: rubygems-server - url: https://rubygems.pkg.github.com/octocat/github_api - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} - dockerhub: - type: docker-registry - url: registry.hub.docker.com - username: octocat - password: ${{secrets.DOCKERHUB_PASSWORD}} -updates: - - package-ecosystem: "bundler" - directory: "/rubygems-server" - insecure-external-code-execution: allow - registries: - - ruby-github # only access to registries associated with this ecosystem/directory - schedule: - interval: "monthly" -``` - -{% endraw %} - -You can explicitly deny external code execution, regardless of whether there is a `registries` setting for this update configuration, by setting `insecure-external-code-execution` to `deny`. - -### `labels` - -{% data reusables.dependabot.default-labels %} - -Use `labels` to override the default labels and specify alternative labels for all pull requests raised for a package manager. If any of these labels is not defined in the repository, it is ignored. -To disable all labels, including the default labels, use `labels: [ ]`. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify labels for pull requests - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Specify labels for npm pull requests - labels: - - "npm" - - "dependencies" -``` - -### `milestone` - -Use `milestone` to associate all pull requests raised for a package manager with a milestone. You need to specify the numeric identifier of the milestone and not its label. If you view a milestone, the final part of the page URL, after `milestone`, is the identifier. For example: `https://github.com///milestone/3`. 
- -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify a milestone for pull requests - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Associate pull requests with milestone "4" - milestone: 4 -``` - -### `open-pull-requests-limit` - -By default, {% data variables.product.prodname_dependabot %} opens a maximum of five pull requests for version updates. Once there are five open pull requests from {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_dependabot %} will not open any new requests until some of those open requests are merged or closed. Use `open-pull-requests-limit` to change this limit. This also provides a simple way to temporarily disable version updates for a package manager. - -This option has no impact on security updates, which have a separate, internal limit of ten open pull requests. - -```yaml -# Specify the number of open pull requests allowed - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Disable version updates for npm dependencies - open-pull-requests-limit: 0 - - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Allow up to 10 open pull requests for pip dependencies - open-pull-requests-limit: 10 -``` - -### `pull-request-branch-name.separator` - -{% data variables.product.prodname_dependabot %} generates a branch for each pull request. Each branch name includes `dependabot`, and the package manager and dependency that are updated. By default, these parts are separated by a `/` symbol, for example: `dependabot/npm_and_yarn/next_js/acorn-6.4.1`. - -Use `pull-request-branch-name.separator` to specify a different separator. This can be one of: `"-"`, `_` or `/`. The hyphen symbol must be quoted because otherwise it's interpreted as starting an empty YAML list. 
- -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify a different separator for branch names - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - pull-request-branch-name: - # Separate sections of the branch name with a hyphen - # for example, `dependabot-npm_and_yarn-next_js-acorn-6.4.1` - separator: "-" -``` - -### `rebase-strategy` - -By default, {% data variables.product.prodname_dependabot %} automatically rebases open pull requests when it detects any changes to the pull request. Use `rebase-strategy` to disable this behavior. - -> [!NOTE] -> {% data reusables.dependabot.pull-requests-30-days-cutoff %} - -Available rebase strategies - -* `auto` to use the default behavior and rebase open pull requests when changes are detected. -* `disabled` to disable automatic rebasing. - -When `rebase-strategy` is set to `auto`, {% data variables.product.prodname_dependabot %} attempts to rebase pull requests in the following cases. -* When you use {% data variables.product.prodname_dependabot_version_updates %}, for any open {% data variables.product.prodname_dependabot %} pull request when your schedule runs. -* When you reopen a closed {% data variables.product.prodname_dependabot %} pull request. -* When you change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file. For more information about this field, see [`target-branch`](#target-branch). -* When {% data variables.product.prodname_dependabot %} detects that a {% data variables.product.prodname_dependabot %} pull request is in conflict after a recent push to the target branch. - -When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests. - -> [!NOTE] -> This behavior only applies to pull requests that go into conflict with the target branch. 
{% data variables.product.prodname_dependabot %} will keep rebasing (until 30 days after opening) pull requests opened prior to the `rebase-strategy` setting being changed, and pull requests that are part of a scheduled run. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Disable automatic rebasing - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Disable rebasing for npm pull requests - rebase-strategy: "disabled" -``` - -### `registries` - -To allow {% data variables.product.prodname_dependabot %} to access a private package registry when performing a version update, you must include a `registries` setting within the relevant `updates` configuration. - -{% data reusables.dependabot.dependabot-updates-registries %} - -For more information, see [Configuration options for private registries](#configuration-options-for-private-registries) below. - -{% data reusables.dependabot.advanced-private-registry-config-link %} - -To allow {% data variables.product.prodname_dependabot %} to use `bundler`, `mix`, and `pip` package managers to update dependencies in private registries, you can choose to allow external code execution. For more information, see [`insecure-external-code-execution`](#insecure-external-code-execution) above. 
- -```yaml -# Allow {% data variables.product.prodname_dependabot %} to use one of the two defined private registries -# when updating dependency versions for this ecosystem - -{% raw %} -version: 2 -registries: - maven-github: - type: maven-repository - url: https://maven.pkg.github.com/octocat - username: octocat - password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} - npm-npmjs: - type: npm-registry - url: https://registry.npmjs.org - username: octocat - password: ${{secrets.MY_NPM_PASSWORD}} -updates: - - package-ecosystem: "gitsubmodule" - directory: "/" - registries: - - maven-github - schedule: - interval: "monthly" -{% endraw %} -``` - -### `reviewers` - -Use `reviewers` to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager. You must use the full team name, including the organization, as if you were @mentioning the team. - -{% data reusables.dependabot.option-affects-security-updates %} - -```yaml -# Specify reviewers for pull requests - -version: 2 -updates: - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Add reviewers - reviewers: - - "octocat" - - "my-username" - - "my-org/python-team" -``` - -### `schedule.day` - -When you set a `weekly` update schedule, by default, {% data variables.product.prodname_dependabot %} checks for new versions on Monday at a random set time for the repository. Use `schedule.day` to specify an alternative day to check for updates. - -Supported values - -* `monday` -* `tuesday` -* `wednesday` -* `thursday` -* `friday` -* `saturday` -* `sunday` - -```yaml -# Specify the day for weekly checks - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Check for npm updates on Sundays - day: "sunday" -``` - -### `schedule.time` - -By default, {% data variables.product.prodname_dependabot %} checks for new versions at a random set time for the repository. 
Use `schedule.time` to specify an alternative time of day to check for updates (format: `hh:mm`). - -```yaml -# Set a time for checks -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Check for npm updates at 9am UTC - time: "09:00" -``` - -### `schedule.timezone` - -By default, {% data variables.product.prodname_dependabot %} checks for new versions at a random set time for the repository. Use `schedule.timezone` to specify an alternative time zone. The time zone identifier must be from the Time Zone database maintained by [iana](https://www.iana.org/time-zones). For more information, see [List of tz database time zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). - -```yaml -# Specify the timezone for checks - -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - time: "09:00" - # Use Japan Standard Time (UTC +09:00) - timezone: "Asia/Tokyo" -``` - -### `target-branch` - -By default, {% data variables.product.prodname_dependabot %} checks for manifest files on the default branch and raises pull requests for version updates against this branch. Use `target-branch` to specify a different branch for manifest files and for pull requests. When you use this option, the settings for this package manager will no longer affect any pull requests raised for security updates. 
- -```yaml -# Specify a non-default branch for pull requests for pip - -version: 2 -updates: - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "weekly" - # Raise pull requests for version updates - # to pip against the `develop` branch - target-branch: "develop" - # Labels on pull requests for version updates only - labels: - - "pip dependencies" - - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Check for npm updates on Sundays - day: "sunday" - # Labels on pull requests for security and version updates - labels: - - "npm dependencies" -``` - -### `vendor` - -Use the `vendor` option to tell {% data variables.product.prodname_dependabot %} to vendor dependencies when updating them. Don't use this option if you're using `gomod` as {% data variables.product.prodname_dependabot %} automatically detects vendoring for this tool. - -```yaml -# Configure version updates for both dependencies defined in manifests and vendored dependencies - -version: 2 -updates: - - package-ecosystem: "bundler" - # Raise pull requests to update vendored dependencies that are checked in to the repository - vendor: true - directory: "/" - schedule: - interval: "weekly" -``` - -{% data variables.product.prodname_dependabot %} only updates the vendored dependencies located in specific directories in a repository. - -| Package manager | Required file path for vendored dependencies | More information | - |------------------|-------------------------------|--------| - | `bundler` | The dependencies must be in the _vendor/cache_ directory.
Other file paths are not supported. | [`bundle cache` documentation](https://bundler.io/man/bundle-cache.1.html) | - | `gomod` | No path requirement (dependencies are usually located in the _vendor_ directory) | [`go mod vendor` documentation](https://golang.org/ref/mod#go-mod-vendor) | - -### `versioning-strategy` - -When {% data variables.product.prodname_dependabot %} edits a manifest file to update a version, there are several different potential versioning strategies: - -| Option | Action | -|--------|--------| -| `auto` | Try to differentiate between apps and libraries. Use `increase` for apps and `widen` for libraries.| -| `increase`| Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. | -| `increase-if-necessary` | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint. | -| `lockfile-only` | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. | -| `widen`| Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement. | -| N/A | Some package managers do not yet support configuring the `versioning-strategy` parameter. | - -The following table shows an example of how `versioning-strategy` can be used. 
- -| Current constraint | Current version | New version | Strategy | New constraint | -|--------------------|-----------------|-------------|----------|----------------| -| ^1.0.0 | 1.0.0 | 1.2.0 | `widen` | ^1.0.0 | -| ^1.0.0 | 1.0.0 | 1.2.0 | `increase` | ^1.2.0 | -| ^1.0.0 | 1.0.0 | 1.2.0 | `increase-if-necessary` | ^1.0.0 | -| ^1.0.0 | 1.0.0 | 2.0.0 | `widen` | >=1.0.0 <3.0.0 | -| ^1.0.0 | 1.0.0 | 2.0.0 | `increase` | ^2.0.0 | -| ^1.0.0 | 1.0.0 | 2.0.0 | `increase-if-necessary` | ^2.0.0 | - -Use the `versioning-strategy` option to change this behavior for supported package managers. - -{% data reusables.dependabot.option-affects-security-updates %} - -Available update strategies: - -| Ecosystem | Supported versioning strategies | Default strategy | -|-----------|---------------------------------|------------------| -| `bundler` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only` | `auto` | -| `cargo` | `auto`, `lockfile-only` | `auto` | -| `composer` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only`, `widen` | `auto` | -| `docker` | N/A | N/A | -| `github-actions` | N/A | N/A | -| `gitsubmodule` | N/A | N/A | -| `gomod` | N/A | N/A | -| `gradle` | N/A | N/A | -| `maven` | N/A | N/A | -| `mix` | `auto`, `lockfile-only` | `auto` | -| `npm` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only`, `widen` | `auto` | -| `nuget` | N/A | N/A | -| `pip` | `auto`, `increase`, `increase-if-necessary`, `lockfile-only` | `auto` | -| `pub` | `auto`, `increase`, `increase-if-necessary`, `widen` | `auto` | -| `terraform` | N/A | N/A | - -> [!NOTE] -> `N/A` indicates that the package manager does not yet support configuring the `versioning-strategy` parameter. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/. 
- -```yaml -# Example configuration for customizing the manifest version strategy - -version: 2 -updates: - - package-ecosystem: "composer" - directory: "/" - schedule: - interval: "weekly" - # Increase the version requirements for Composer only when required - versioning-strategy: increase-if-necessary -``` - -{% ifversion dependabot-updates-supported-versioning-tags %} - -### Versioning tags - -* Represent stages in the software release lifecycle, such as alpha, beta, and stable versions. -* Allow publishers to distribute their packages more effectively. -* Indicate the stability of a version and communicate what users should expect in terms of features and stability. - -{% data reusables.dependabot.dependabot-updates-supported-versioning-tags %} - -#### Versioning tag glossary - -* **`alpha`:** Early version, may be unstable and have incomplete features. -* **`beta`:** More stable than alpha but may still have bugs. -* **`canary`:** Regularly updated pre-release version for testing. -* **`dev`:** Represents development versions. -* **`experimental`:** Versions with experimental features. -* **`latest`:** The latest stable release. -* **`legacy`:** Older or deprecated versions. -* **`next`:** Upcoming release version. -* **`nightly`:** Versions built nightly; often includes the latest changes. -* **`rc`:** Release candidate, close to stable release. -* **`release`:** The official release version. -* **`stable`:** The most reliable, production-ready version. - -{% endif %} - -## Configuration options for private registries - -The top-level `registries` key is optional. It allows you to specify authentication details that {% data variables.product.prodname_dependabot %} can use to access private package registries. - -You can give {% data variables.product.prodname_dependabot %} access to private package registries hosted by GitLab or Bitbucket by specifying a `type` of `git`. 
For more information, see [`git`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git). -{% ifversion ghes %} - -> [!NOTE] -> Private registries behind firewalls on private networks are supported for the following ecosystems: -> -> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %} -> * Cargo{% endif %} -> * Docker -> * Gradle -> * Maven -> * Npm -> * NuGet{% ifversion dependabot-updates-pub-private-registry %} -> * Pub{% endif %} -> * Python -> * Yarn - -{% endif %} - -The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following `dependabot.yml` file configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file. - -{% raw %} - -```yaml -# Minimal settings to update dependencies in one private registry - -version: 2 -registries: - dockerhub: # Define access for a private registry - type: docker-registry - url: registry.hub.docker.com - username: octocat - password: ${{secrets.DOCKERHUB_PASSWORD}} -updates: - - package-ecosystem: "docker" - directory: "/docker-registry/dockerhub" - registries: - - dockerhub # Allow version updates for dependencies in this registry - schedule: - interval: "monthly" -``` - -{% endraw %} - -{% data reusables.dependabot.dependabot-updates-registries-options %} - -You must provide the required settings for each configuration `type` that you specify. Some types allow more than one way to connect. The following sections provide details of the settings you should use for each `type`. 
- -{% data reusables.dependabot.advanced-private-registry-config-link %} - -{% ifversion dependabot-updates-cargo-private-registry-support %} - -### `cargo-registry` - -The `cargo-registry` type supports a token. - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% data reusables.dependabot.cargo-private-registry-config-example %} - -{% endif %} - -### `composer-repository` - -The `composer-repository` type supports username and password. {% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - composer: - type: composer-repository - url: https://repo.packagist.com/example-company/ - username: octocat - password: ${{secrets.MY_PACKAGIST_PASSWORD}} -``` - -{% endraw %} - -### `docker-registry` - -{% data variables.product.prodname_dependabot %} works with any container registries that implement the OCI container registry spec. For more information, see [https://github.com/opencontainers/distribution-spec/blob/main/spec.md](https://github.com/opencontainers/distribution-spec/blob/main/spec.md). {% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For further details, see [Token Authentication Specification](https://docs.docker.com/registry/spec/auth/token/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia. - -The `docker-registry` type supports username and password. 
{% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - dockerhub: - type: docker-registry - url: https://registry.hub.docker.com - username: octocat - password: ${{secrets.MY_DOCKERHUB_PASSWORD}} - replaces-base: true -``` - -{% endraw %} - -The `docker-registry` type can also be used to pull from private Amazon ECR using static AWS credentials. - -{% raw %} - -```yaml -registries: - ecr-docker: - type: docker-registry - url: https://1234567890.dkr.ecr.us-east-1.amazonaws.com - username: ${{secrets.ECR_AWS_ACCESS_KEY_ID}} - password: ${{secrets.ECR_AWS_SECRET_ACCESS_KEY}} - replaces-base: true -``` - -{% endraw %} - -### `git` - -The `git` type supports username and password. {% data reusables.dependabot.password-definition %} - -{% raw %} - -```yaml -registries: - github-octocat: - type: git - url: https://github.com - username: x-access-token - password: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} -``` - -{% endraw %} - -### `hex-organization` - -The `hex-organization` type supports organization and key. - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - github-hex-org: - type: hex-organization - organization: github - key: ${{secrets.MY_HEX_ORGANIZATION_KEY}} -``` - -{% endraw %} - -### `hex-repository` - -The `hex-repository` type supports an authentication key. - -`repo` is a required field, which must match the name of the repository used in your dependency declaration. - -The `public-key-fingerprint` is an optional configuration field, representing the fingerprint of the public key for the Hex repository. `public-key-fingerprint` is used by Hex to establish trust with the private repository. The `public-key-fingerprint` field can be either listed in plaintext or stored as a {% data variables.product.prodname_dependabot %} secret. 
- -{% raw %} - -```yaml -registries: - github-hex-repository: - type: hex-repository - repo: private-repo - url: https://private-repo.example.com - auth-key: ${{secrets.MY_AUTH_KEY}} - public-key-fingerprint: ${{secrets.MY_PUBLIC_KEY_FINGERPRINT}} -``` - -{% endraw %} - -### `maven-repository` - -The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - maven-artifactory: - type: maven-repository - url: https://acme.jfrog.io/artifactory/my-maven-registry - username: octocat - password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} -``` - -{% endraw %} - -### `npm-registry` - -The `npm-registry` type supports username and password, or token. {% data reusables.dependabot.password-definition %} - -When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password. - -> [!NOTE] -> When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path. - -{% raw %} - -```yaml -registries: - npm-npmjs: - type: npm-registry - url: https://registry.npmjs.org - username: octocat - password: ${{secrets.MY_NPM_PASSWORD}} # Must be an unencoded password - replaces-base: true -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - npm-github: - type: npm-registry - url: https://npm.pkg.github.com - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} - replaces-base: true -``` - -{% endraw %} - -For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. 
When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation. - -### `nuget-feed` - -The `nuget-feed` type supports username and password, or token. {% data reusables.dependabot.password-definition %} - -{% raw %} - -```yaml -registries: - nuget-example: - type: nuget-feed - url: https://nuget.example.com/v3/index.json - username: octocat@example.com - password: ${{secrets.MY_NUGET_PASSWORD}} -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - nuget-azure-devops: - type: nuget-feed - url: https://pkgs.dev.azure.com/.../_packaging/My_Feed/nuget/v3/index.json - username: octocat@example.com - password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} -``` - -{% endraw %} - -{% ifversion dependabot-updates-pub-private-registry %} - -### `pub-repository` - -The `pub-repository` type supports a URL and a token. - -{% raw %} - -```yaml -registries: - my-pub-registry: - type: pub-repository - url: https://example-private-pub-repo.dev/optional-path - token: ${{secrets.MY_PUB_TOKEN}} -updates: - - package-ecosystem: "pub" - directory: "/" - schedule: - interval: "weekly" - registries: - - my-pub-registry -``` - -{% endraw %} - -{% endif %} - -### `python-index` - -The `python-index` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - python-example: - type: python-index - url: https://example.com/_packaging/my-feed/pypi/example - username: octocat - password: ${{secrets.MY_BASIC_AUTH_PASSWORD}} - replaces-base: true -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - python-azure: - type: python-index - url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example - username: octocat@example.com - password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} - replaces-base: true -``` - -{% endraw %} - -### `rubygems-server` - -The `rubygems-server` type supports username and password, or token. {% data reusables.dependabot.password-definition %} - -{% data reusables.dependabot.dependabot-updates-path-match %} - -{% raw %} - -```yaml -registries: - ruby-example: - type: rubygems-server - url: https://rubygems.example.com - username: octocat@example.com - password: ${{secrets.MY_RUBYGEMS_PASSWORD}} - replaces-base: true -``` - -{% endraw %} - -{% raw %} - -```yaml -registries: - ruby-github: - type: rubygems-server - url: https://rubygems.pkg.github.com/octocat/github_api - token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} - replaces-base: true -``` - -{% endraw %} - -### `terraform-registry` - -The `terraform-registry` type supports a token. - -{% raw %} - -```yaml -registries: - terraform-example: - type: terraform-registry - url: https://terraform.example.com - token: ${{secrets.MY_TERRAFORM_API_TOKEN}} -``` - -{% endraw %} - -## Enabling support for {% data variables.release-phases.public_preview %}-level ecosystems - -### `enable-beta-ecosystems` - -By default, {% data variables.product.prodname_dependabot %} updates the dependency manifests and lock files only for fully supported ecosystems. Use the `enable-beta-ecosystems` flag to opt in to updates for ecosystems that are not yet generally available. 
- - -There are currently no ecosystems in {% data variables.release-phases.public_preview %}. - -```yaml -# Configure {% data variables.release-phases.public_preview %} ecosystem - -version: 2 -enable-beta-ecosystems: true -updates: - - package-ecosystem: "beta-ecosystem" - directory: "/" - schedule: - interval: "weekly" -``` diff --git a/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md index 8887c350bb8e..d2b5c20ffd1f 100644 --- a/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md +++ b/content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md 
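Review bot: the removed sections above carry the security guidance of the old options page, and nothing in this diff shows it landing anywhere else: that `insecure-external-code-execution: allow` is meant to be scoped together with a `registries` list and can be set to `deny` explicitly; that an `npm-registry` password must be the original, unencoded value even when `.npmrc` stores a base64 `_password`; and that Dependabot deliberately does not set environment variables, so a `.yarnrc.yml` needs a `${ENV_VAR-fallback}` or `${ENV_VAR:-fallback}` form. The later hunks now send readers to `dependabot-options-reference` and `configuring-access-to-private-registries-for-dependabot`, so please confirm those pages contain this text and expose the `#git`, `#registries` and `#ignore` anchors that the removed `hex-repository`/`git` text and the hunks below still link to, and add `redirect_from` entries for the old `configuration-options-for-the-dependabot.yml-file` URL so existing bookmarks and anchor links keep resolving. While the `registries` example is moved, also fix its mismatch of `package-ecosystem: "gitsubmodule"` with a `maven-github` registry, which cannot be used by that ecosystem.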
@@ -27,11 +27,11 @@ shortTitle: Configure version updates You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a `dependabot.yml` configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates). -{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates). +{% data reusables.dependabot.initial-updates %} {% ifversion dependabot-version-updates-groups %}For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).{% endif %} {% data reusables.dependabot.version-updates-skip-scheduled-runs %} -By default only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow). +By default only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. 
For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). {% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories) and [AUTOTITLE](/get-started/learning-about-github/github-language-support). 
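Review bot: in the @@ -27 hunk the follow-up link after `{% data reusables.dependabot.initial-updates %}` is now wrapped in `{% ifversion dependabot-version-updates-groups %}`, so on versions without grouped updates the paragraph ends with no "For more information" pointer at all, whereas the replaced line linked `customizing-dependency-updates` unconditionally; an `{% else %}` branch or an unconditional link would avoid the regression. The new link to `controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated` relies on a heading that does not appear in the portion of the new file included in this diff; make sure the new page has a `## Allowing specific dependencies to be updated` heading so the anchor resolves.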
@@ -61,24 +61,23 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c ``` 1. Add a `version`. This key is mandatory. The file must start with `version: 2`. -1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) in "Configuration options for the `dependabot.yml` file." -1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. +1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). +1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [About the dependabot.yml file](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#about-the-dependabotyml-file) in "{% data variables.product.prodname_dependabot %} options reference." 1. For each package manager, use: - * `package-ecosystem` to specify the package manager. 
For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in "Configuration options for the `dependabot.yml` file." - * `directory` to specify the location of the manifest or other definition files. For more information, see [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory) in "Configuration options for the `dependabot.yml` file." - {% ifversion dependabot-updates-multidirectory-support %}- `directories` to specify the location of multiple manifest or other definition files. For more information, see [`directories`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories) in "Configuration options for the `dependabot.yml` file."{% endif %} - * `schedule.interval` to specify how often to check for new versions. For more information, see [`schedule.interval`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) in "Configuration options for the `dependabot.yml` file." + * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem). + * {% ifversion dependabot-updates-multidirectory-support %}`directories` or {% endif %}`directory` to specify the location of multiple manifest or other definition files.{% ifversion dependabot-updates-multidirectory-support %} For more information, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).{% endif %} + * `schedule.interval` to specify how often to check for new versions. 
{% data reusables.dependabot.check-in-dependabot-yml %} ### Example `dependabot.yml` file -The example `dependabot.yml` file below configures version updates for two package managers: npm and Docker. When this file is checked in, {% data variables.product.prodname_dependabot %} checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies. +The example `dependabot.yml` file below configures version updates for three package managers: npm, Docker, and {% data variables.product.prodname_actions %}. When this file is checked in, {% data variables.product.prodname_dependabot %} checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies. -```yaml +```yaml copy # Basic `dependabot.yml` file with -# minimum configuration for two package managers +# minimum configuration for three package managers version: 2 updates: @@ -97,6 +96,14 @@ updates: # Check for updates once a week schedule: interval: "weekly" + + # Enable version updates for GitHub Actions + - package-ecosystem: "github-actions" + # Workflow files stored in the default location of `.github/workflows` + # You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`. + directory: "/" + schedule: + interval: "weekly" ``` In the example above, if the Docker dependencies were very outdated, you might want to start with a `daily` schedule until the dependencies are up-to-date, and then drop back to a weekly schedule. 
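Review bot: in the @@ -61 hunk the combined bullet only gates the words `directories` or ` behind `{% ifversion dependabot-updates-multidirectory-support %}`, so when that flag is off it renders as "`directory` to specify the location of multiple manifest or other definition files", which is wrong because `directory` takes a single location; move "multiple" inside the conditional as well, for example `to specify the location of {% ifversion dependabot-updates-multidirectory-support %}one or more {% endif %}manifest or other definition files`. The rewritten `updates` step also carries over the typo "updates the versions or your project's dependencies" (should be "of"), and the `schedule.interval` bullet has lost its reference link while `package-ecosystem` kept one; either link it to `dependabot-options-reference#scheduleinterval` or drop the links consistently.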
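Review bot: in the @@ -97 hunk the accompanying intro sentence now describes `{% data variables.product.prodname_actions %}` as one of "three package managers", but the entry it adds is selected with `package-ecosystem: "github-actions"` and the rest of these docs call it an ecosystem; "three ecosystems" would be consistent. The comment `# You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.` packs two sentences into one YAML comment line; splitting it onto two comment lines keeps the example readable.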
@@ -118,7 +125,7 @@ After you enable version updates, the **Dependabot** tab in the dependency graph ![Screenshot of the Dependency graph page. A tab, titled "{% data variables.product.prodname_dependabot %}", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view.png) -For information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates). +For information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates). ## Disabling {% data variables.product.prodname_dependabot_version_updates %} @@ -165,4 +172,4 @@ updates: update-types: ["version-update:semver-patch"] ``` -For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). +For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore). diff --git a/content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md b/content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md new file mode 100644 index 000000000000..e160cd1f16b4 --- /dev/null +++ b/content/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated.md 
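Review bot: in the rewritten bullet list of the first file, "`directories` or `directory` to specify the location of multiple manifest or other definition files" is only accurate for `directories`; `directory` takes a single path, so a reader who uses `directory` is told it points at multiple files. Suggest splitting it back into two bullets ("`directory` to specify the location of the manifest or other definition files" and "`directories` to specify multiple locations", the second still inside the `dependabot-updates-multidirectory-support` conditional). A smaller consistency point in the same hunk: `package-ecosystem` kept its link to the options reference but `schedule.interval` lost its link entirely; link it to the matching entry in `dependabot-options-reference` so all three bullets behave the same.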
@@ -0,0 +1,297 @@ +--- +title: Controlling which dependencies are updated by Dependabot +intro: 'Learn how to configure your `dependabot.yml` file so that {% data variables.product.prodname_dependabot %} automatically updates the packages you specify, in the way you define.' +allowTitleToDifferFromFilename: true +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: how_to +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Control dependency update +--- + +You can customize your {% data variables.product.prodname_dependabot %} configuration to suit your needs, by adding options to your `dependabot.yml` file. For example, you can make sure that {% data variables.product.prodname_dependabot %} uses the correct package manifest files, and updates only the dependencies you want maintained. + +This article collates customization options you may find useful. + +{% ifversion dependabot-updates-multidirectory-support %} + +## Defining multiple locations for manifest files + +If you want to enable {% data variables.product.prodname_dependabot_version_updates %} for manifest files stored in more than one location, you can use `directories` in place of `directory`. For example, this configuration sets two different update schedules for manifest files stored in different directories. 
+ +```yaml copy +# Specify the locations of the manifest files to update for each package manager +# using both `directories` and `directory` + +version: 2 +updates: + - package-ecosystem: "bundler" + # Update manifest files stored in these directories weekly + directories: + - "/frontend" + - "/backend" + - "/admin" + schedule: + interval: "weekly" + - package-ecosystem: "bundler" + # Update manifest files stored in the root directory daily + directory: "/" + schedule: + interval: "daily" +``` + +* To specify a range of directories using a pattern + + ```yaml copy + # Specify the root directory and directories that start with "lib-", + # using globbing, for locations of manifest files + + version: 2 + updates: + - package-ecosystem: "composer" + directories: + - "/" + - "/lib-*" + schedule: + interval: "weekly" + ``` + +* To specify manifests in the current directory and recursive subdirectories + + ```yaml copy + # Specify all directories from the current layer and below recursively, + # using globstar, for locations of manifest files + + version: 2 + updates: + - package-ecosystem: "composer" + directories: + - "**/*" + schedule: + interval: "weekly" + ``` + +{% endif %} + +## Ignoring specific dependencies + +If you are not ready to adopt changes from certain dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can do this using one of the following methods. + +* Configure the `ignore` option for the dependency in your `dependabot.yml` file. + * **You can use this to ignore updates for specific dependencies, versions, and types of updates.** + * For more information, see `ignore` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--). 
+* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. + * **You can use comment commands to ignore updates for specific dependencies and versions.** + * For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). + +Here are some examples showing how `ignore` can be used to customize which dependencies are updated. + +* To ignore updates beyond a specific version + + ```yaml copy + ignore: + - dependency-name: "lodash:*" + # Ignore versions of Lodash that are equal to or greater than 1.0.0 + versions: [ ">=1.0.0" ] + ``` + + ```yaml copy + ignore: + - dependency-name: "sphinx" + versions: [ "[1.1,)" ] + ``` + +* To ignore patch updates + + ```yaml copy + ignore: + - dependency-name: "@types/node" + # Ignore patch updates for Node + update-types: ["version-update:semver-patch"] + ``` + +* To ignore specific versions or version ranges, see [Ignoring specific versions or ranges of versions](#ignoring-specific-versions-or-ranges-of-versions). + +If you want to un-ignore a dependency or ignore condition, you can delete the ignore conditions from the `dependabot.yml` file or reopen the pull request. + +{% ifversion dependabot-version-updates-groups %}For pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use `@dependabot unignore` comment commands. 
The `@dependabot unignore` comment commands enable you to do the following by commenting on a {% data variables.product.prodname_dependabot %} pull request: + +* Un-ignore a specific ignore condition +* Un-ignore a specific dependency +* Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request + +{% ifversion dependabot-grouped-security-updates-config %}{% else %} + +> [!NOTE] +> The `@dependabot unignore` comment commands only work on pull requests for grouped version updates. + +{% endif %} + +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands).{% endif %} + +## Allowing specific dependencies to be updated + +You can use `allow` to tell {% data variables.product.prodname_dependabot %} about the dependencies you want to maintain. `allow` is usually used in conjunction with `ignore`. + +For more information, see `allow` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow--). + +By default, {% data variables.product.prodname_dependabot %} creates version update pull requests only for the dependencies that are explicitly defined in a manifest (`direct` dependencies). This configuration uses `allow` to tell {% data variables.product.prodname_dependabot %} that we want it to maintain `all` types of dependency. That is, both the `direct` dependencies and their dependencies (also known as indirect dependencies, sub-dependencies, or transient dependencies). In addition, the configuration tells {% data variables.product.prodname_dependabot %} to ignore all dependencies with a name matching the pattern `org.xwiki.*` because we have a different process for maintaining them. 
+ +> [!TIP] +> {% data variables.product.prodname_dependabot %} checks for all **allowed** dependencies, then filters out any **ignored** dependencies. If a dependency is matched by an **allow** and an **ignore** statement, then it is ignored. + +```yaml copy +version: 2 +registries: + # Helps find updates for non Maven Central dependencies + maven-xwiki-public: + type: maven-repository + url: https://nexus.xwiki.org/nexus/content/groups/public/ + username: "" + password: "" + # Required to resolve xwiki-common SNAPSHOT parent pom + maven-xwiki-snapshots: + type: maven-repository + url: https://maven.xwiki.org/snapshots + username: "" + password: "" +updates: + - package-ecosystem: "maven" + directory: "/" + registries: + - maven-xwiki-public + - maven-xwiki-snapshots + schedule: + interval: "weekly" + allow: + # Allow both direct and indirect updates for all packages. + - dependency-type: "all" + ignore: + # Ignore XWiki dependencies. We have a separate process for updating them + - dependency-name: "org.xwiki.*" + open-pull-requests-limit: 15 +``` + +## Ignoring specific versions or ranges of versions + +You can use `versions` in conjunction with `ignore` to ignore specific versions or ranges of versions. + +For more information, see `versions` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versions-ignore). + +* To ignore a specific version + + ```yaml copy + ignore: + - dependency-name: "django*" + # Ignore version 11 + versions: [ "11" ] + ``` + +* To ignore a range of versions + + ```yaml copy + ignore: + - dependency-name: "@types/node" + versions: ["15.x", "14.x", "13.x"] + - dependency-name: "xdg-basedir" + # 5.0.0 has breaking changes as they switch to named exports + # and convert the module to ESM + # We can't use it until we switch to ESM across the project + versions: ["5.x"] + - dependency-name: "limiter" + # 2.0.0 has breaking changes + # so we want to delay updating. 
+ versions: ["2.x"] + ``` + +## Specifying the semantic versioning level to ignore + +You can specify one or more semantic versioning (SemVer) levels to ignore using `update-types`. + +For more information, see `update-types` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-ignore). + +In this example, {% data variables.product.prodname_dependabot %} will ignore patch versions for Node. + +```yaml copy +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + ignore: + - dependency-name: "express" + # For Express, ignore all updates for version 4 and 5 + versions: ["4.x", "5.x"] + # For Lodash, ignore all updates + - dependency-name: "lodash" + - dependency-name: "@types/node" + # For Node types, ignore any patch versions + update-types: ["version-update:semver-patch"] +``` + +## Defining a versioning strategy + +By default, {% data variables.product.prodname_dependabot %} tries to increase the minimum version requirement for dependencies it identifies as apps, and widens the allowed version requirements to include both the new and old versions for dependencies it identifies as libraries. + +You can change this default strategy. For more information, see `versioning-strategy` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy--). + +In this example, {% data variables.product.prodname_dependabot %} will increase the minimum version requirement to match the new version for both apps and libraries. + +```yaml copy +version: 2 +updates: + - package-ecosystem: npm + directory: "/" + schedule: + interval: daily + # Increase the minimum version for all npm dependencies + versioning-strategy: increase +``` + +In this example, {% data variables.product.prodname_dependabot %} will **only** increase the minimum version requirement if the original constraint does not allow the new version. 
+ +```yaml copy +version: 2 +updates: +- package-ecosystem: pip + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 20 + rebase-strategy: "disabled" + # Increase the version requirements for npm + # only when required + versioning-strategy: increase-if-necessary +``` + +## Updating vendored dependencies + +You can instruct {% data variables.product.prodname_dependabot %} to vendor specific dependencies when updating them. + +{% data variables.product.prodname_dependabot %} automatically maintains vendored dependencies for Go modules, and you can configure Bundler to also update vendored dependencies. + +For more information, see `vendor` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor--). + +In this example, `vendor` is set to `true` for Bundler, which means that {% data variables.product.prodname_dependabot %} will also maintain dependencies for Bundler that are stored in the _vendor/cache_ directory in the repository. + +```yaml copy +version: 2 +updates: +- package-ecosystem: bundler + directory: "/" + # Vendoring Bundler + vendor: true + schedule: + interval: weekly + day: saturday + open-pull-requests-limit: 10 +``` diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md new file mode 100644 index 000000000000..2eee0768ca66 --- /dev/null +++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md 
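Review bot: in the `versioning-strategy: increase-if-necessary` example the entry is `package-ecosystem: pip`, but its comment reads "Increase the version requirements for npm only when required"; change "npm" to "pip" so the comment matches the configuration being shown. Three further points in this new file: (1) in the `allow` section, "also known as indirect dependencies, sub-dependencies, or transient dependencies" should read "transitive dependencies" (transient means short-lived, which is not the meaning here); (2) the lead-in "In this example, Dependabot will ignore patch versions for Node" describes only the third of the three `ignore` rules in the block that follows, which also pins `express` to ignore 4.x and 5.x and ignores all `lodash` updates, so the sentence should list all three; (3) the `maven-xwiki-public` and `maven-xwiki-snapshots` registries are declared with `username: ""` and `password: ""`. If these are public repositories that need no credentials, omit the two keys rather than shipping empty strings readers will copy; if credentials are needed, show them as `${{secrets.NAME}}` references, never literal values in `dependabot.yml`.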
@@ -0,0 +1,248 @@ +--- +title: Customizing Dependabot pull requests to fit your processes +intro: 'Learn how to tailor your Dependabot pull requests to better suit your own internal workflows.' +allowTitleToDifferFromFilename: true +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: how_to +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Customize Dependabot PRs +--- + +There are various ways to customize your {% data variables.product.prodname_dependabot %} pull requests so that they better suit your own internal processes. + +For example: +* To maximize efficiency, {% data variables.product.prodname_dependabot %} can automatically add specific individuals or teams as **reviewers** to its pull requests for a particular package ecosystem. +* To integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows. + +There are several different customization options which can all be used in combination, and tailored per package ecosystem. + +## Automatically adding reviewers and assignees + +By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees. + +However, you may want pull requests to be consistently reviewed or dealt with by a specific individual or team that has expertise in that package ecosystem, or automatically assigned to a designated security team. In which case, you can use `reviewers` and `assignees` to set these values per package ecosystem. + +The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have: +* A team ("`my-org/team-name`") and an individual ("`octocat`") automatically added as reviewers to the pull requests. 
+* An individual ("`user-name`") automatically assigned to the pull requests. + +```yaml copy +# `dependabot.yml` file with +# reviews and an assignee for all npm pull requests + +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Raise all npm pull requests with reviewers + reviewers: + - "my-org/team-name" + - "octocat" + # Raise all npm pull requests with assignees + assignees: + - "user-name" +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers--). + +## Labeling pull requests with custom labels + +{% data reusables.dependabot.default-labels %} + +You can use `labels` to override the default labels and specify your own custom labels per package ecosystem. This is useful if, for example, you want to: +* Use labels to assign a priority to certain pull requests. +* Use labels to trigger another workflow, such as automatically adding the pull request onto a project board. + +The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have custom labels. + +```yaml copy +# `dependabot.yml` file with +# customized npm configuration + +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Raise all npm pull requests with custom labels + labels: + - "npm dependencies" + - "triage-board" +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--). 
+ +## Adding a prefix to commit messages + +By default, {% data variables.product.prodname_dependabot %} attempts to detect your commit message preferences and use similar patterns. In addition, {% data variables.product.prodname_dependabot %} populates the titles of pull requests based on the commit messages. + +You can specify your own prefix for {% data variables.product.prodname_dependabot %}'s commit messages (and pull request titles) for a specific package ecosystem. This can be useful if, for example, you're running automations that process commit messages or pull requests titles. + +To specify your preferences explicitly, use `commit-message` together with the following supported options: + +* `prefix`: + * Specifies a prefix for all commit messages. + * Prefix is also added to the start of the pull request title. +* `prefix-development`: + * Specifies a separate prefix for all commit messages that update development dependencies, as defined by the package manager or ecosystem. + * Supported for `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. +* `include: "scope"`: + * Specifies that any prefix is followed by the dependency types (`deps` or `deps-dev`) updated in the commit. 
+ +The example below shows several different options, tailored per package ecosystem: + +```yaml copy +# Customize commit messages + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + commit-message: + # Prefix all commit messages with "npm: " + prefix: "npm" + + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + commit-message: + # Prefix all commit messages with [docker] " (no colon, but a trailing whitespace) + prefix: [docker] " + + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "weekly" + # Prefix all commit messages with "Composer" plus its scope, that is, a + # list of updated dependencies + commit-message: + prefix: "Composer" + include: "scope" + + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + # Include a list of updated dependencies + # with a prefix determined by the dependency group + commit-message: + prefix: "pip prod" + prefix-development: "pip dev" +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`commit-message`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message--). + +## Associating pull requests with a milestone + +Milestones help you track the progress of groups of pull requests (or issues) towards a project goal or release. With {% data variables.product.prodname_dependabot %}, you can use the `milestone` option to associate pull requests for dependency updates with a specific milestone. + +You must specify the numeric identifier of the milestone and not its label. To find the numeric identifier, check the final part of the page URL, after `milestone`. For example, for `https://github.com///milestone/3`, "`3`" is the numeric identifier of the milestone. 
+ +```yaml copy +# Specify a milestone for pull requests + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Associate pull requests with milestone "4" + milestone: 4 +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`milestones`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#milestones--) and [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/about-milestones). + +## Changing the separator in the pull request branch name + +{% data variables.product.prodname_dependabot %} generates a branch for each pull request. Each branch name includes `dependabot`, as well as the name of the package manager and the dependency to be updated. By default, these parts of the branch name are separated by a `/` symbol, for example: +* `dependabot/npm_and_yarn/next_js/acorn-6.4.1` + +To maintain supportability or consistency with your existing processes, you may need to ensure your branch names align with your team's existing conventions. In this case, you can use `pull-request-branch-name.separator` to specify a different separator, choosing either `_`, `/`, or `"-"`. + +In the below example, the npm configuration changes the default separator from `/` to `"-"`, so that it would appear as such: +* Default (`/`): `dependabot/npm_and_yarn/next_js/acorn-6.4.1` +* Customized (`"-"`): `dependabot-npm_and_yarn-next_js-acorn-6.4.1` + +Note that the hyphen symbol (`"-"`) must be surrounded by quotation marks so that it's not interpreted as starting an empty YAML list. 
+ +```yaml copy +# Specify a different separator for branch names + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + pull-request-branch-name: + # Change the default separator (/) to a hyphen (-) + separator: "-" +``` + +{% data reusables.dependabot.option-affects-security-updates %} + +See also [`pull-request-branch-name.separator`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#pull-request-branch-name.separator--). + +## Targeting pull requests against a non-default branch + +By default, {% data variables.product.prodname_dependabot %} checks for manifest files on the default branch and raises pull requests for updates against the default branch. + +Generally, it makes most sense to keep {% data variables.product.prodname_dependabot %}'s checks and updates on the default branch. However, there may be some cases where you may need to specify a different target branch. If, for example, your team's processes require you to first test and validate updates on a non-production branch, you can use `target-branch` to specify a different branch for {% data variables.product.prodname_dependabot %} to raise pull requests against. + +>[!NOTE] +> {% data variables.product.prodname_dependabot %} raises pull requests for security updates against the **default branch only**. If you use `target-branch`, then as a result, all configuration settings for that package manager will then _only_ apply to version updates, and not security updates. 
+ +```yaml copy +# Specify a non-default branch for pull requests for pip + +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + # Raise pull requests for version updates + # to pip against the `develop` branch + target-branch: "develop" + # Labels on pull requests for version updates only + labels: + - "pip dependencies" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Check for npm updates on Sundays + day: "sunday" + # Labels on pull requests for security and version updates + labels: + - "npm dependencies" +``` + +See also [`target-branch`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#target-branch--). diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md deleted file mode 100644 index dbef8ac1f814..000000000000 --- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates.md +++ /dev/null 
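Review bot: the Docker entry in the commit-message example, `prefix: [docker] "`, is not valid YAML: `[docker]` parses as a flow sequence and the trailing `"` opens a string that is never closed, so the whole `dependabot.yml` fails to load. Quote the value as `prefix: "[docker] "` so it matches the comment "(no colon, but a trailing whitespace)". Two checks on the same file: in the `target-branch` example the npm entry has `day: "sunday"` after `interval: "weekly"`; `day` is a `schedule` sub-key and not a top-level update option, so with indentation lost in this view, confirm it sits under `schedule:` beside `interval`, otherwise the entry is rejected. And the milestone section links to "`milestones`" with anchor `#milestones--` while the option it documents is `milestone` (singular, as used in the example); align the link text and anchor with the option name. Minor style: "If you use `target-branch`, then as a result, all configuration settings for that package manager will then _only_ apply to version updates" doubles up "then"; "If you use `target-branch`, all other settings for that package manager apply only to version updates" reads cleaner.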
@@ -1,194 +0,0 @@ ---- -title: Customizing dependency updates -intro: 'You can customize how {% data variables.product.prodname_dependabot %} maintains your dependencies.' -permissions: '{% data reusables.permissions.dependabot-yml-configure %}' -redirect_from: - - /github/administering-a-repository/customizing-dependency-updates - - /code-security/supply-chain-security/customizing-dependency-updates - - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates -versions: - fpt: '*' - ghec: '*' - ghes: '*' -type: how_to -topics: - - Dependabot - - Version updates - - Security updates - - Repositories - - Dependencies - - Pull requests - - Vulnerabilities -shortTitle: Customize updates ---- - -{% data reusables.dependabot.enterprise-enable-dependabot %} - -## About customizing dependency updates - -After you've enabled version updates, you can customize how {% data variables.product.prodname_dependabot %} maintains your dependencies by adding further options to the `dependabot.yml` file. 
For example, you could: - -* Specify which day of the week to open pull requests for version updates: `schedule.day` -* Set reviewers, assignees, and labels for each package manager: `reviewers`, `assignees`, and `labels`{%- ifversion dependabot-version-updates-groups %} -* Create groups of dependencies (per package ecosystem), so that {% data variables.product.prodname_dependabot %} updates the group of dependencies in a single pull request: `groups`{% endif %} -* Define a versioning strategy for changes to each manifest file: `versioning-strategy` -* Change the maximum number of open pull requests for version updates from the default of 5: `open-pull-requests-limit` -* Open pull requests for version updates to target a specific branch, instead of the default branch: `target-branch` - -For more information about the configuration options, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). - -When you update the `dependabot.yml` file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates). - -## Impact of configuration changes on security updates - -If you customize the `dependabot.yml` file, you may notice some changes to the pull requests raised for security updates. These pull requests are always triggered by a security advisory for a dependency, rather than by the {% data variables.product.prodname_dependabot %} schedule. 
However, they inherit relevant configuration settings from the `dependabot.yml` file unless you specify a different target branch for version updates. - -For an example, see [Setting custom labels](#setting-custom-labels) below. - -{% ifversion dependabot-grouped-security-updates-config %} - -> [!NOTE] -> If you use grouped security updates, the grouped pull requests will also inherit non-group configuration settings from the `dependabot.yml` file, and any group rules specified with `applies-to: security-updates` will apply. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates). - -{% endif %} - -## Modifying scheduling - -When you set a `daily` update schedule, by default, {% data variables.product.prodname_dependabot %} checks for new versions at 05:00 UTC. You can use `schedule.time` to specify an alternative time of day to check for updates (format: `hh:mm`). - -The example `dependabot.yml` file below expands the npm configuration to specify when {% data variables.product.prodname_dependabot %} should check for version updates to dependencies. - -```yaml -# `dependabot.yml` file with -# customized schedule for version updates - -version: 2 -updates: - # Keep npm dependencies up to date - - package-ecosystem: "npm" - directory: "/" - # Check the npm registry for updates at 2am UTC - schedule: - interval: "daily" - time: "02:00" -``` - -## Setting reviewers and assignees - -By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees. - -You can use `reviewers` and `assignees` to specify reviewers and assignees for all pull requests raised for a package manager. When you specify a team, you must use the full team name, as if you were @mentioning the team (including the organization). 
- -The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm will have two reviewers and one assignee. - -```yaml -# `dependabot.yml` file with -# reviews and an assignee for all npm pull requests - -version: 2 -updates: - # Keep npm dependencies up to date - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Raise all npm pull requests with reviewers - reviewers: - - "my-org/team-name" - - "octocat" - # Raise all npm pull requests with an assignee - assignees: - - "user-name" -``` - -## Setting custom labels - -{% data reusables.dependabot.default-labels %} - -You can use `labels` to override the default labels and specify alternative labels for all pull requests raised for a package manager. You can't create new labels in the `dependabot.yml` file, so the alternative labels must already exist in the repository. - -The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm will have custom labels. It also changes the Docker configuration to check for version updates against a custom branch and to raise pull requests with custom labels against that custom branch. The changes to Docker will not affect security update pull requests because security updates are always made against the default branch. - -> [!NOTE] -> The new `target-branch` must contain a Dockerfile to update, otherwise this change will have the effect of disabling version updates for Docker. 
- -```yaml -# `dependabot.yml` file with -# customized npm configuration - -version: 2 -updates: - # Keep npm dependencies up to date - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "weekly" - # Raise all npm pull requests with custom labels - labels: - - "npm dependencies" - - "triage-board" - - # Keep Docker dependencies up to date - - package-ecosystem: "docker" - directory: "/" - schedule: - interval: "weekly" - # Raise pull requests for Docker version updates - # against the "develop" branch. The Docker configuration - # no longer affects security update pull requests. - target-branch: "develop" - # Use custom labels on pull requests for Docker version updates - labels: - - "Docker dependencies" - - "triage-board" -``` - -{% ifversion dependabot-version-updates-groups %} - -## Grouping {% data variables.product.prodname_dependabot_updates %} into one pull request - -{% data reusables.dependabot.dependabot-version-updates-groups-about %} - -{% data reusables.dependabot.dependabot-version-updates-groups-semver %} - -{% data reusables.dependabot.dependabot-version-updates-groups-match-first %} - -{% ifversion dependabot-grouped-security-updates-config %}{% data reusables.dependabot.dependabot-security-updates-groups-supported %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %} - -You must configure groups per package ecosystem. - -### Example configurations for `groups` - -{% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} - -For more information about configuring dependency groups in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups). 
- -{% endif %} - -## Ignoring specific dependencies for {% ifversion dependabot-grouped-security-updates-config %}{% data variables.product.prodname_dependabot_updates %}{% else %}{% data variables.product.prodname_dependabot_version_updates %}{% endif %} - -If you are not ready to adopt changes from dependencies in your project, you can configure {% data variables.product.prodname_dependabot %} to ignore those dependencies when it opens pull requests for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can do this using one of the following methods. - -* Configure the `ignore` option for the dependency in your `dependabot.yml` file. You can use this to ignore updates for specific dependencies, versions, and types of updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). -* Use `@dependabot ignore` comment commands on a {% data variables.product.prodname_dependabot %} pull request for version updates{% ifversion dependabot-grouped-security-updates-config %} and security updates{% endif %}. You can use comment commands to ignore updates for specific dependencies and versions. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). - -If you would like to un-ignore a dependency or ignore condition, you can delete the ignore conditions from the `dependabot.yml` file or reopen the pull request. - -{% ifversion dependabot-version-updates-groups %}For pull requests for grouped {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates, you can also use `@dependabot unignore` comment commands. 
The `@dependabot unignore` comment commands enable you to do the following by commenting on a {% data variables.product.prodname_dependabot %} pull request: - -* Un-ignore a specific ignore condition -* Un-ignore a specific dependency -* Un-ignore all ignore conditions for all dependencies in a {% data variables.product.prodname_dependabot %} pull request - -{% ifversion dependabot-grouped-security-updates-config %}{% else %} - -> [!NOTE] -> The `@dependabot unignore` comment commands only work on pull requests for grouped version updates. - -{% endif %} - -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands).{% endif %} - -## More examples - -For more examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). diff --git a/content/code-security/dependabot/dependabot-version-updates/index.md b/content/code-security/dependabot/dependabot-version-updates/index.md index 471ac2be6bb0..366ec0da3382 100644 --- a/content/code-security/dependabot/dependabot-version-updates/index.md +++ b/content/code-security/dependabot/dependabot-version-updates/index.md @@ -5,6 +5,10 @@ allowTitleToDifferFromFilename: true redirect_from: - /github/administering-a-repository/keeping-your-dependencies-updated-automatically - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically + - /github/administering-a-repository/customizing-dependency-updates + - /code-security/supply-chain-security/customizing-dependency-updates + - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates + - /code-security/dependabot/dependabot-version-updates/customizing-dependency-updates versions: fpt: '*' ghec: '*' 
@@ -18,9 +22,8 @@ topics: children: - /about-dependabot-version-updates - /configuring-dependabot-version-updates - - /listing-dependencies-configured-for-version-updates - - /customizing-dependency-updates - - /configuration-options-for-the-dependabot.yml-file + - /optimizing-pr-creation-version-updates + - /customizing-dependabot-prs + - /controlling-dependencies-updated shortTitle: Dependabot version updates --- - diff --git a/content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md b/content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md new file mode 100644 index 000000000000..e83c435beaa6 --- /dev/null +++ b/content/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates.md 
@@ -0,0 +1,73 @@ +--- +title: Optimizing the creation of pull requests for Dependabot version updates +intro: 'Learn how to streamline and efficiently manage your {% data variables.product.prodname_dependabot %} pull requests.' +allowTitleToDifferFromFilename: true +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +versions: + feature: dependabot-version-updates-groups +type: how_to +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Optimize PR creation +--- + +By default, {% data variables.product.prodname_dependabot %} opens a new pull request to update each dependency. When you enable security updates, new pull requests are opened when a vulnerable dependency is found. When you configure version updates for one or more ecosystems, new pull requests are opened when new versions of dependencies are available, with the frequency defined in the `dependabot.yml` file. + +If your project has many dependencies, you might find that you have a very large number of {% data variables.product.prodname_dependabot %} pull requests to review and merge, which can quickly become difficult to manage. + +There are a couple of customization options you can implement to optimize {% data variables.product.prodname_dependabot %} update pull requests to align with your processes, such as: +* **Controlling the frequency** with which {% data variables.product.prodname_dependabot %} checks for newer versions of your dependencies with `schedule`. +* **Prioritize meaningful updates** with `groups`. + +## Controlling the frequency and timings of dependency updates + +{% data variables.product.prodname_dependabot %} runs its checks for version updates at a frequency set by you in the configuration file (where the required field, `schedule.interval`, must be set to `daily`, `weekly`, or `monthly`). 
+ +By default, {% data variables.product.prodname_dependabot %} balances its workload by assigning a random time to check and raise pull requests for dependency updates. + +However, to reduce distraction, or to better organize time and resources for reviewing and addressing version updates, you might find it useful to modify the frequency and timings. For example, you may prefer {% data variables.product.prodname_dependabot %} to run weekly rather than daily checks for updates, and at a time that ensures pull requests are raised before for your team's triage session. + +You can use `schedule` with a combination of options to modify the frequency and timings of when {% data variables.product.prodname_dependabot %} checks for version updates + +The example `dependabot.yml` file below changes the npm configuration to specify that {% data variables.product.prodname_dependabot %} should check for version updates to npm dependencies every day at 02:00 Japanese Standard Time (UTC +09:00). + +```yaml copy +# `dependabot.yml` file with +# customized schedule for version updates + +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + # Check the npm registry every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00) + schedule: + interval: "weekly" + day: "tuesday" + time: "02:00" + timezone: "Asia/Tokyo" +``` + +See also [schedule](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#schedule-). + +## Prioritizing meaningful updates + +You can use `groups` to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher risk updates, and minimize the time spent reviewing minor version updates. For example, you can combine updates for minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that impact a key area of your codebase. 
+ +You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria: + +{% ifversion dependabot-grouped-security-updates-config %} +* {% data variables.product.prodname_dependabot %} update type: `applies-to`{% endif %} +* Type of dependency: `dependency-type`. +* Dependency name: `patterns` and `exclude-patterns` +* Semantic versioning levels: `update-types` + +To see all supported values for each criterion, see [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--). + +The below examples present several different methods to create groups of dependencies using the criteria. + +{% data reusables.dependabot.dependabot-version-updates-groups-yaml-example %} diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index 9e43640d73f7..ea2e5e7e89ee 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -29,8 +29,8 @@ In this article, you can see what the supported ecosystems and repositories are. ## Supported ecosystems and repositories -You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see [`vendor`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#vendor). -{% data variables.product.prodname_dependabot %} also supports dependencies in private registries. For more information, see [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries). +You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see [`vendor`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor). +{% data variables.product.prodname_dependabot %} also supports dependencies in private registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). {% ifversion ghes %} > [!NOTE] diff --git a/content/code-security/dependabot/index.md b/content/code-security/dependabot/index.md index 54b1d60dc439..16246ea41cea 100644 --- a/content/code-security/dependabot/index.md +++ b/content/code-security/dependabot/index.md @@ -20,4 +20,6 @@ children: - /dependabot-security-updates - /dependabot-version-updates - /working-with-dependabot + - /maintain-dependencies + - /troubleshooting-dependabot --- diff --git a/content/code-security/dependabot/maintain-dependencies/index.md b/content/code-security/dependabot/maintain-dependencies/index.md new file mode 100644 index 000000000000..de9090464d90 --- /dev/null 
+++ b/content/code-security/dependabot/maintain-dependencies/index.md @@ -0,0 +1,17 @@ +--- +title: Maintaining dependencies at scale +shortTitle: Maintain dependencies at scale +intro: 'You can use {% data variables.product.prodname_dependabot %} to automatically update your dependencies for your repositories and organizations.' +versions: + fpt: '*' + ghec: '*' + ghes: '*' +topics: + - Dependabot + - Organizations + - Security + - Dependencies +children: + - /managing-dependabot-on-self-hosted-runners + - /removing-dependabot-access-to-public-registries +--- diff --git a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md b/content/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners.md similarity index 96% rename from content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md rename to content/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners.md index 148380121511..fc4311d9b41e 100644 --- a/content/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners.md +++ b/content/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners.md @@ -13,6 +13,8 @@ topics: - Actions - Dependencies - Repositories +redirect_from: + - /code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners --- ## About {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners 
@@ -29,7 +31,7 @@ To have greater control over {% data variables.product.prodname_dependabot %} ac For security reasons, when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, {% data variables.product.prodname_dependabot_updates %} will not be run on public repositories. -For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). +For more information about configuring {% data variables.product.prodname_dependabot %} access to private registries when using {% data variables.product.company_short %}-hosted runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). For information about which ecosystems are supported as private registries, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). ## Prerequisites 
@@ -68,8 +70,7 @@ If {% data variables.product.prodname_dependabot %} needs to interact with regis * Install any self-signed certificates for registries that {% data variables.product.prodname_dependabot %} will need to interact with. 1. Assign a `dependabot` label to each runner you want {% data variables.product.prodname_dependabot %} to use. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/using-labels-with-self-hosted-runners#assigning-a-label-to-a-self-hosted-runner). - -1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events). +1. Optionally, enable workflows triggered by {% data variables.product.prodname_dependabot %} to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events). ## Enabling self-hosted runners for {% data variables.product.prodname_dependabot_updates %} diff --git a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md b/content/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries.md similarity index 83% rename from content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md rename to content/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries.md index 96daffbc9527..58a0524f342c 100644 --- a/content/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries.md 
+++ b/content/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries.md @@ -13,6 +13,7 @@ topics: shortTitle: Remove access to public registries redirect_from: - /code-security/dependabot/working-with-dependabot/configuring-dependabot-to-only-access-private-registries + - /code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries --- ## About configuring {% data variables.product.prodname_dependabot %} to only access private registries @@ -32,11 +33,11 @@ You can configure {% data variables.product.prodname_dependabot %} to access _on ## Bundler -To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server). +To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#rubygems-server). The Bundler ecosystem additionally requires a `Gemfile` file with the private registry URL to be checked into the repository. -```yaml +```yaml copy # Example Gemfile source "https://private_registry_url" 
@@ -48,12 +49,12 @@ To configure the Docker ecosystem to only access private registries, you can use **Option 1** -Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). +Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. -```yaml +```yaml copy version: 2 registries: azuretestregistry: # Define access for a private registry 
@@ -65,19 +66,19 @@ registries: In the `Dockerfile` file, add the image name in the format of `IMAGE[:TAG]`, where `IMAGE` consists of your username and the name of the repository. -```yaml +```yaml copy FROM firewallregistrydep.azurecr.io/myreg/ubuntu:22.04 ``` **Option 2** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation. ## Gradle To configure the Gradle ecosystem to only access private registries, you can use these configuration methods. -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). > [!NOTE] > Remove replaces-base: true from the configuration file. 
@@ -100,7 +101,7 @@ To configure the Maven ecosystem to only access private registries, you can use **Option 1** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). **Option 2** 
@@ -127,20 +128,20 @@ To configure the npm ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Remove `replaces-base: true` from the configuration file. The npm ecosystem additionally requires a `.npmrc` file with the private registry URL to be checked into the repository. - ```yaml + ```yaml copy registry=https://private_registry_url ``` **Option 2** -If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. 
@@ -155,14 +156,14 @@ To configure the Yarn Classic ecosystem to only access private registries, you c **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the `resolved` field to include the private registry URL. -```yaml +```yaml copy encoding@^0.1.11: version "0.1.13" resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9" 
@@ -177,13 +178,13 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour 1. Define the private registry configuration in a `dependabot.yml` file 1. Add the registry to a `.yarnrc` file in the project root with the key registry. Alternatively run `yarn config set registry `. - ```yaml + ```yaml copy registry https://private_registry_url ``` **Option 3** -If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`. @@ -194,7 +195,7 @@ To configure the Yarn Berry ecosystem to only access private registries, you can **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. 
@@ -203,7 +204,7 @@ To ensure the private registry is listed as the dependency source in the project {% raw %} -```yaml +```yaml copy encoding@^0.1.11: version "0.1.13" resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9" @@ -228,7 +229,7 @@ If the `yarn.lock` file doesn't list the private registry as the dependency sour ## NuGet -To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed). +To allow the NuGet ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#nuget-feed). The NuGet ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file. @@ -260,7 +261,7 @@ This is an example of adding key `nuget.org` as true to the `disabledPackageSour To configure {% data variables.product.prodname_dependabot %} to access both private _and_ public feeds, view the following `dependabot.yml` example which includes the configured `public` feed under `registries`: -```yaml +```yaml copy version: 2 registries: nuget-example: 
@@ -289,14 +290,14 @@ To configure the Pip ecosystem to only access private registries, you can use th **Option 1** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. Add the private registry URL to the `[global]` section of the `pip.conf` file and check the file into the repository. - ```yaml + ```yaml copy [global] timeout = 60 index-url = https://private_registry_url @@ -304,7 +305,7 @@ Add the private registry URL to the `[global]` section of the `pip.conf` file an **Option 2** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). ### Pip-compile 
@@ -312,31 +313,31 @@ To configure the Pip-compile ecosystem to only access private registries, you ca **Option 1** -Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). **Option 2** -Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +Define the private registry configuration in a `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). > [!NOTE] > Delete `replaces-base: true` from the configuration file. Add the private registry URL to the `requirements.txt` file and check the file into the repository. -```yaml +```yaml copy --index-url https://private_registry_url ``` ### Pipenv -To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). > [!NOTE] > Delete `replaces-base: true` from the configuration file. Add the private registry URL to the `[[source]]` section of the `Pipfile` file and check the file into the repository. 
-```yaml +```yaml copy [[source]] url = "https://private_registry_url" verify_ssl = true @@ -345,11 +346,11 @@ name = "pypi" ### Poetry -To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). Add the private registry url to the `[[tool.poetry.source]]` section of the `pyproject.toml` file and checked it in the repository. -```yaml +```yaml copy [[tool.poetry.source]] name = "private" url = "https://private_registry_url" diff --git a/content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md b/content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md new file mode 100644 index 000000000000..0520dfdf0c22 --- /dev/null +++ b/content/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped.md 
@@ -0,0 +1,60 @@ +--- +title: Dependabot update pull requests no longer generated +intro: '{% data variables.product.prodname_dependabot %} can pause updates based on your interaction with {% data variables.product.prodname_dependabot %} pull requests. Learn more about the automatic deactivation of {% data variables.product.prodname_dependabot_updates %}.' +allowTitleToDifferFromFilename: true +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: how_to +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Dependabot stopped working +--- + +* When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know. + +* {% data variables.product.prodname_dependabot %} stops rebasing pull requests for version and security updates after 30 days, reducing notifications for inactive {% data variables.product.prodname_dependabot %} pull requests. + +## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %} + +{% data variables.product.prodname_dependabot %} pauses updates on your repositories, based on your interaction with pull requests from {% data variables.product.prodname_dependabot_updates %}. When {% data variables.product.prodname_dependabot %} automatically deactivates {% data variables.product.prodname_dependabot_updates %}, there is: + +* No creation of pull requests for version and security updates. +* No rebasing of {% data variables.product.prodname_dependabot %} pull requests for inactive repositories. + +>[!NOTE] The automatic deactivation of {% data variables.product.prodname_dependabot %} updates only applies to repositories where {% data variables.product.prodname_dependabot %} has opened pull requests but the pull requests remain untouched. 
If {% data variables.product.prodname_dependabot %} hasn't opened any pull requests, {% data variables.product.prodname_dependabot %} will never become paused. + +An active repository is a repository where a user (**not** {% data variables.product.prodname_dependabot %}) has taken **any** of the following actions in the last 90 days: + +* Merged or closed a {% data variables.product.prodname_dependabot %} pull request on the repository. +* Made a change to the `dependabot.yml` file for the repository. +* Manually triggered a security update or a version update. +* Enabled {% data variables.product.prodname_dependabot_security_updates %} for the repository. +* Used `@dependabot` commands on pull requests. + +An inactive repository is a repository: + +* That has at least one {% data variables.product.prodname_dependabot %} pull request open for more than 90 days, +* That has been enabled for the full period, and +* Where none of the actions listed above has been taken by a user. + +## How to know if {% data variables.product.prodname_dependabot_updates %} are paused + +When {% data variables.product.prodname_dependabot %} is paused, {% data variables.product.github %} adds a banner notice: +* To all open {% data variables.product.prodname_dependabot %} pull requests. +* To the UI of the **Settings** tab of the repository (under {% ifversion ghes %}**Code security and analysis**{% else %}**Code security**{% endif %}, then **{% data variables.product.prodname_dependabot %}**). +* To the list of {% data variables.product.prodname_dependabot_alerts %} (if {% data variables.product.prodname_dependabot_security_updates %} are affected). + +{% ifversion dependabot-updates-paused-enterprise-orgs %} Additionally, you will be able to see whether {% data variables.product.prodname_dependabot %} is paused at the organization level in the security overview. The `paused` status will also be visible via the API. 
For more information, see [AUTOTITLE](/rest/repos#enable-automated-security-fixes).{% endif %} + +## About automatic reactivation of {% data variables.product.prodname_dependabot_updates %} + +As soon as someone interacts with a {% data variables.product.prodname_dependabot %} pull request again, {% data variables.product.prodname_dependabot %} will unpause itself: +* Security updates are automatically resumed for {% data variables.product.prodname_dependabot_alerts %}. +* Version updates are automatically resumed with the schedule specified in the `dependabot.yml` file. diff --git a/content/code-security/dependabot/troubleshooting-dependabot/index.md b/content/code-security/dependabot/troubleshooting-dependabot/index.md new file mode 100644 index 000000000000..3ca1c139c11d --- /dev/null +++ b/content/code-security/dependabot/troubleshooting-dependabot/index.md @@ -0,0 +1,23 @@ +--- +title: Troubleshooting Dependabot +intro: 'If you have problems with {% data variables.product.prodname_dependabot %}, you can use tips in these articles to help resolve issues.' +allowTitleToDifferFromFilename: true +versions: + fpt: '*' + ghec: '*' + ghes: '*' +topics: + - Dependabot + - Dependencies + - Alerts + - Vulnerabilities + - Repositories +shortTitle: Troubleshoot Dependabot +children: + - /listing-dependencies-configured-for-version-updates + - /viewing-dependabot-job-logs + - /dependabot-updates-stopped + - /troubleshooting-dependabot-errors + - /troubleshooting-dependabot-on-github-actions + - /troubleshooting-the-detection-of-vulnerable-dependencies +--- 
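Review bot: In `dependabot-updates-stopped.md`, the sentence "The `paused` status will also be visible via the API" links to `/rest/repos#enable-automated-security-fixes`, which is the operation that turns security updates on, not one that reports status; link to the read operation in the same section that returns the `enabled`/`paused` state, or drop the anchor if a specific operation is not intended. Two formatting nits in the same file: the callout is written `>[!NOTE] The automatic deactivation...` on a single line while the rest of this patch uses `> [!NOTE]` with the text on the next line, and the lists after "adds a banner notice:" and "will unpause itself:" have no blank line before them, unlike the list after "there is:" earlier in the same file.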
diff --git a/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md b/content/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates.md similarity index 82% rename from content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md rename to content/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates.md index 407b1e0107dd..2574bfda1561 100644 --- a/content/code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates.md @@ -6,6 +6,7 @@ redirect_from: - /github/administering-a-repository/listing-dependencies-configured-for-version-updates - /code-security/supply-chain-security/listing-dependencies-configured-for-version-updates - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/listing-dependencies-configured-for-version-updates + - /code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates versions: fpt: '*' ghec: '*' 
@@ -35,20 +36,14 @@ After you've enabled version updates, you can confirm that your configuration is If any dependencies are missing, check the log files for errors. If any package managers are missing, review the configuration file. -## Viewing {% data variables.product.prodname_dependabot %} log files - {% ifversion dependabot-job-log %} -{% data reusables.dependabot.dependabot-jobs-log-access %} - -To view the full logs files for a particular job, to the right of the log entry you are interested in, click **view logs**. - -![Screenshot of a Dependabot job log entry for the Gemfile package manager. A button, called "View logs", is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-logs.png) - -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). +For information about {% data variables.product.prodname_dependabot %} job logs, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). {% else %} +## Viewing {% data variables.product.prodname_dependabot %} log files + 1. On the **{% data variables.product.prodname_dependabot %}** tab, click **Last checked _TIME_ ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates. 1. Optionally, to rerun the version check, click **Check for updates**. diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors.md similarity index 92% rename from content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md rename to content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors.md index 3a1b57660d4f..e506b79fe1da 100644 
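Review bot: The hunk drops the reference to `/assets/images/help/dependabot/dependabot-job-logs.png` together with the duplicated log-viewing instructions; if no other article still references that screenshot, delete the asset in this PR so it does not linger unused. Also check how the page reads per version now: the `{% ifversion dependabot-job-log %}` branch is a single "For information about ... job logs, see ..." sentence with no heading, while the `{% else %}` branch keeps `## Viewing ... log files`, so the section appears in the on-page table of contents for one version and not the other.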
--- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors.md @@ -7,6 +7,7 @@ redirect_from: - /github/managing-security-vulnerabilities/troubleshooting-dependabot-errors - /code-security/supply-chain-security/troubleshooting-dependabot-errors - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-dependabot-errors + - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors versions: fpt: '*' ghec: '*' 
@@ -36,13 +37,14 @@ If anything prevents {% data variables.product.prodname_dependabot %} from raisi {% ifversion dependabot-on-actions-opt-in %} For more information about troubleshooting when running {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). + {% endif %} ## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %} When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request. -![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view, showing two alerts. To the right side of one alert, a link to a pull request, titled "#353", is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-alert-pr-link.png) +![Screenshot of the {% data variables.product.prodname_dependabot_alerts %} view. To the right of one alert, a link to a pull request, titled "#353", is outlined in orange.](/assets/images/help/dependabot/dependabot-alert-pr-link.png) There are several reasons why an alert may have no pull request link: 
@@ -64,7 +66,7 @@ To view the full logs files for a particular job, to the right of the log entry ![Screenshot of the Dependabot job log entries for a manifest file. A button, called "View logs", is highlighted in a dark orange outline.](/assets/images/help/dependabot/dependabot-job-log-error-message.png) -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). +For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). {% else %} 
@@ -144,7 +146,7 @@ If a security update times out, you can reduce the chances of this happening by There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests. -There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit). +There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#open-pull-requests-limit). The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see [Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually). 
@@ -171,7 +173,7 @@ To allow {% data variables.product.prodname_dependabot %} to update the dependen ### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_version_updates %} -{% ifversion dependabot-grouped-security-updates-config %}The [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. +{% ifversion dependabot-grouped-security-updates-config %}The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. {% data reusables.dependabot.dependabot-grouped-updates-applies-to %}{% else %}{% data reusables.dependabot.dependabot-version-updates-groups-supported %}{% endif %} @@ -179,7 +181,7 @@ When you configure grouped version updates, you must configure groups per packag You may have unintentionally created empty groups. This happens, for example, when you set a `dependency-type` in the `allow` key for the overall job. -```yaml +```yaml copy allow: dependency-type: production # this restricts the entire job to production dependencies 
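Review bot: Adding `copy` to the `allow: / dependency-type: production` fence is questionable: the surrounding text presents this snippet as the configuration that "unintentionally created empty groups", i.e. something to avoid, so a copy button encourages readers to paste exactly the setup the article is warning about. Keep this fence as plain `yaml` and reserve `copy` for snippets meant to be used as-is.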
@@ -197,13 +199,13 @@ In this example, {% data variables.product.prodname_dependabot %} will: You need to ensure that configuration settings don't cancel each other, and update them appropriately in your configuration file. -For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups). +For more information on how to configure groups for {% data variables.product.prodname_dependabot_version_updates %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups). {% ifversion dependabot-grouped-security-updates-config %} ### {% data variables.product.prodname_dependabot %} fails to group a set of dependencies into a single pull request for {% data variables.product.prodname_dependabot_security_updates %} -The [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates. +The [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration settings in the `dependabot.yml` file can apply to version updates and security updates. Use the `applies-to` key to specify where (version updates or security updates) a set of grouping rules is applied. Check you have grouping configured to apply to security updates. 
If the `applies-to` key is absent from a set of grouping rules in your configuration, any group rules will by default only apply to version updates. {% data reusables.dependabot.dependabot-grouped-updates-applies-to %} @@ -214,7 +216,7 @@ For grouped security updates, {% data variables.product.prodname_dependabot %} u * {% data variables.product.prodname_dependabot %} **will not** group dependencies from different package ecosystems together. * {% data variables.product.prodname_dependabot %} **will not** group security updates with version updates. -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#impact-of-configuration-changes-on-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates). +For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-grouped-security-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs). {% endif %} @@ -262,4 +264,4 @@ If you unblock {% data variables.product.prodname_dependabot %}, you can manuall ## Further reading * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md new file mode 100644 index 000000000000..6b992b71bc91 --- /dev/null 
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md 
@@ -0,0 +1,108 @@ +--- +title: Troubleshooting Dependabot on GitHub Actions +intro: 'This article provides troubleshooting information for issues you may encounter when using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.' +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: how_to +topics: + - Actions + - Dependabot + - Version updates + - Security updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Troubleshoot Dependabot on Actions +redirect_from: + - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions +--- + +## Restrictions when {% data variables.product.prodname_dependabot %} triggers events + +{% data reusables.dependabot.working-with-actions-considerations %} + +For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, these restrictions apply: + +* `GITHUB_TOKEN` has read-only permissions by default. +* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. + +For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available. + +These restrictions apply even if the workflow is re-run by a different actor. + +For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). 
+ +## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows + +{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} + +Some troubleshooting advice is provided in this article. You can also see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions). + +### Accessing secrets + +When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are **not available**. You must therefore store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use). + +{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow). + +If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use. 
+ +For examples that use conditions, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions). + +To access a private container registry on AWS with a user name and password, a workflow must include a secret for `username` and `password`. + +In this example, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used. + +```yaml copy +name: CI +on: + pull_request: + branches: [ main ] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: {% data reusables.actions.action-checkout %} + + - name: Login to private container registry for dependencies + uses: docker/login-action@3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c + with: + registry: https://1234567890.dkr.ecr.us-east-1.amazonaws.com + username: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY_ID }}{% endraw %} + password: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY }}{% endraw %} + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) +``` + +### Changing `GITHUB_TOKEN` permissions + +By default, {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} get a `GITHUB_TOKEN` with read-only permissions. You can use the `permissions` key in your workflow to increase the access for the token: + +{% raw %} + +```yaml copy +name: CI +on: pull_request + +# Set the access for individual scopes, or use permissions: write-all +permissions: + pull-requests: write + issues: write + repository-projects: write + ... + +jobs: + ... 
+``` + +{% endraw %} + +For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). + +## Manually re-running a workflow + +When you manually re-run a {% data variables.product.prodname_dependabot %} workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md similarity index 95% rename from content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md rename to content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md index 4d85ea83157e..2f50c05f190d 100644 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md @@ -6,6 +6,7 @@ redirect_from: - /github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies - /code-security/supply-chain-security/troubleshooting-the-detection-of-vulnerable-dependencies - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/troubleshooting-the-detection-of-vulnerable-dependencies + - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies versions: fpt: '*' ghes: '*' 
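Review bot: In the new `troubleshooting-dependabot-on-github-actions.md`, the CI example pins `docker/login-action@3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c`, which looks like a sequential placeholder rather than a real commit; since the block has a `copy` button, add a comment such as `# replace with the commit SHA of the release you have reviewed` so readers do not ship the placeholder, or use a version tag and say so in the prose. The `permissions` example also carries `copy` but contains `...` placeholders under both `permissions:` and `jobs:`, so what gets copied is not valid YAML; either complete the snippet or drop `copy`. Minor wording: "store the token with the permissions required in an action and in a Dependabot secret" should read "in an Actions secret and in a Dependabot secret", and "the actions secrets with those names" should use the product variable for consistency with the rest of the page.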
@@ -32,7 +33,7 @@ topics: * {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies and malware. It's a free, curated database of security advisories for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. {% data reusables.security-advisory.link-browsing-advisory-db %} * The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph). * {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new advisory is added, it scans all existing repositories and generates an alert for each repository that is affected. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per advisory. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). 
-* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors). +* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors). {% data variables.product.prodname_dependabot %} doesn't scan repositories on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new advisory is added to the database{% ifversion ghes %} and synchronized to {% data variables.product.prodname_dotcom %}{% endif %}. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#detection-of-insecure-dependencies). 
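Review bot: Nit in the unchanged context of this hunk, worth fixing while the file is open: "it includes commits that makes changes to a supported manifest format" should be "that make changes", and "scans any push, to the default branch, that contains a manifest file" reads better without the commas.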
@@ -85,7 +86,7 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var ## Can Dependabot ignore specific dependencies? -You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). +You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies). ## Further reading 
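Review bot: The replacement link in the "Can Dependabot ignore specific dependencies?" paragraph hard-codes the link text `[Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies)` while every other cross-reference in this hunk and file uses `[AUTOTITLE](...)`; unless AUTOTITLE cannot resolve that anchor, keep the AUTOTITLE form so the text tracks the target heading automatically. The same paragraph still reads "For more information, see [AUTOTITLE](...) to prevent version updates from being activated", where the trailing clause dangles; "To prevent version updates from being activated, see ..." is clearer.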
@@ -93,5 +94,5 @@ You can configure {% data variables.product.prodname_dependabot %} to ignore spe * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) * [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors){% ifversion dependabot-on-actions-opt-in %} +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors){% ifversion dependabot-on-actions-opt-in %} * [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners){% endif %} diff --git a/content/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs.md b/content/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs.md similarity index 96% rename from content/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs.md rename to content/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs.md index af6efec28384..91efc7a59701 100644 --- a/content/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs.md @@ -12,6 +12,8 @@ topics: - Errors - Security updates - Dependencies +redirect_from: + - /code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs --- ## About {% data variables.product.prodname_dependabot %} job logs 
diff --git a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md index 25a6b2111d56..b77a81fc1ae5 100644 --- a/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md +++ b/content/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners.md 
@@ -53,7 +53,7 @@ Future releases of {% data variables.product.product_name %} will remove the abi If you restrict access to your organization's or repository's private resources, you may need to update your list of allowed IP addresses prior to enabling {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners. You can update your IP allow list to use the {% data variables.product.prodname_dotcom %}-hosted runners IP addresses (instead of the {% data variables.product.prodname_dependabot %} IP addresses), sourced from the [meta](/rest/meta) REST API endpoint. ->[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners). +>[!WARNING] You should not rely on the {% data variables.product.prodname_actions %} IP addresses for authentication to private registries. These {% data variables.product.prodname_actions %} addresses are not only used by {% data variables.product.prodname_dotcom %}, and should not be trusted for authentication. Instead, use a self-hosted runner to ensure greater control over your network access. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners). Note, disabling and re-enabling the "{% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners" settings will not trigger a new {% data variables.product.prodname_dependabot %} run. 
@@ -91,11 +91,11 @@ If you run into {% data variables.product.prodname_dependabot %} timeouts and ou > [!NOTE] You can only enable {% data variables.actions.hosted_runners %} for {% data variables.product.prodname_dependabot %} _at the organization level_. {% data variables.product.prodname_dotcom %} will bill your organization at the regular Actions runner pricing. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates). 1. Add a {% data variables.actions.hosted_runner %} to your organization and ensure the name specified is `dependabot`. For more information, see [AUTOTITLE](/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners#adding-a-larger-runner-to-an-organization). -1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. +1. Opt in the organization to self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners#enabling-or-disabling-for-your-organization). This step is required, as it ensures that future {% data variables.product.prodname_dependabot %} jobs will run on the larger {% data variables.product.prodname_dotcom %}-hosted runner that has the `dependabot` name. ## Managing {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} runners -When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. 
For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). +When a {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} job is run, you can review the workflow run history directly from the Dependabot job logs. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). You can also navigate to a {% data variables.product.prodname_dependabot %} workflow run from the **Actions** tab in a repository. For more information, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history). @@ -120,4 +120,4 @@ To re-run a {% data variables.product.prodname_dependabot_version_updates %} or ## Further reading -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions) diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index 6940670b63aa..0ac8a10d565a 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -20,107 +20,36 @@ redirect_from: - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions --- -{% data reusables.dependabot.enterprise-enable-dependabot %} - -## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} - -{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date, and you can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request. - {% ifversion dependabot-on-actions-opt-in %} ->[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. For more information about running {% data variables.product.prodname_dependabot_updates %} on {% data variables.product.prodname_actions %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners) instead. -{% endif %} - -## Responding to events - -{% data variables.product.prodname_dependabot %} is able to trigger {% data variables.product.prodname_actions %} workflows on its pull requests and comments; however, certain events are treated differently. - -For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request`, `pull_request_review`, `pull_request_review_comment`, `push`, `create`, `deployment`, and `deployment_status` events, the following restrictions apply: - -* `GITHUB_TOKEN` has read-only permissions by default. -* Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. 
- -For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available. - -These restrictions apply even if the workflow is re-run by a different actor. - -For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). - -### Changing `GITHUB_TOKEN` permissions - -By default, {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} get a `GITHUB_TOKEN` with read-only permissions. You can use the `permissions` key in your workflow to increase the access for the token: - -{% raw %} - -```yaml -name: CI -on: pull_request - -# Set the access for individual scopes, or use permissions: write-all -permissions: - pull-requests: write - issues: write - repository-projects: write - ... -jobs: - ... -``` - -{% endraw %} - -For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). - -### Accessing secrets - -When a {% data variables.product.prodname_dependabot %} event triggers a workflow, the only secrets available to the workflow are {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by {% data variables.product.prodname_dependabot %} events as {% data variables.product.prodname_dependabot %} secrets. 
For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use). - -{% data variables.product.prodname_dependabot %} secrets are added to the `secrets` context and referenced using exactly the same syntax as secrets for {% data variables.product.prodname_actions %}. For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow). - -If you have a workflow that will be triggered by {% data variables.product.prodname_dependabot %} and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a {% data variables.product.prodname_dependabot %} secret with identical names. Then the workflow can include a single call to these secrets. If the secret for {% data variables.product.prodname_dependabot %} has a different name, use conditions to specify the correct secrets for different actors to use. For examples that use conditions, see [Common automations](#common-dependabot-automations) below. - -To access a private container registry on AWS with a user name and password, a workflow must include a secret for `username` and `password`. In the example below, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used. +>[!NOTE] This article explains how to automate {% data variables.product.prodname_dependabot %}-related tasks using {% data variables.product.prodname_actions %}. 
For more information about running {% data variables.product.prodname_dependabot_updates %} using {% data variables.product.prodname_actions %}, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners) instead. +{% endif %} -```yaml -name: CI -on: - pull_request: - branches: [ main ] +You can use {% data variables.product.prodname_actions %} to perform automated tasks when {% data variables.product.prodname_dependabot %} creates pull requests to update dependencies. You may find this useful if you want to: -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: {% data reusables.actions.action-checkout %} +* Ensure that {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) are created with the right data for your work processes, including labels, names, and reviewers. - - name: Login to private container registry for dependencies - uses: docker/login-action@3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c - with: - registry: https://1234567890.dkr.ecr.us-east-1.amazonaws.com - username: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY_ID }}{% endraw %} - password: {% raw %}${{ secrets.READONLY_AWS_ACCESS_KEY }}{% endraw %} +* Trigger workflows to send {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) into your review process or to merge automatically. - - name: Build the Docker image - run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) -``` +{% data reusables.dependabot.enterprise-enable-dependabot %} -### Manually re-running a workflow +## About {% data variables.product.prodname_dependabot %} and {% data variables.product.prodname_actions %} -When you manually re-run a Dependabot workflow, it will run with the same privileges as before even if the user who initiated the rerun has different privileges. 
For more information, see [AUTOTITLE](/actions/managing-workflow-runs/re-running-workflows-and-jobs). +{% data variables.product.prodname_dependabot %} creates pull requests to keep your dependencies up to date. You can use {% data variables.product.prodname_actions %} to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request. -## Common Dependabot automations +{% data reusables.dependabot.working-with-actions-considerations %} For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions). -Here are several common scenarios that can be automated using {% data variables.product.prodname_actions %}. +Here are several common scenarios for pull requests that can be automated using {% data variables.product.prodname_actions %}. -### Fetch metadata about a pull request +## Fetching metadata about a pull request -A large amount of automation requires knowing information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. +Most automation requires you to know information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by {% data variables.product.prodname_dependabot %}. -The `dependabot/fetch-metadata` action provides all that information for you: +Example: {% raw %} -```yaml +```yaml copy name: Dependabot fetch metadata on: pull_request 
@@ -149,15 +78,15 @@ jobs: For more information, see the [`dependabot/fetch-metadata`](https://github.com/dependabot/fetch-metadata) repository. -### Label a pull request +## Labeling a pull request -If you have other automation or triage workflows based on {% data variables.product.prodname_dotcom %} labels, you can configure an action to assign labels based on the metadata provided. +If you have other automation or triage workflows based on {% data variables.product.github %} labels, you can configure an action to assign labels based on the metadata provided. -For example, if you want to flag all production dependency updates with a label: +Example that flags all production dependency updates with a label: {% raw %} -```yaml +```yaml copy name: Dependabot auto-label on: pull_request @@ -185,13 +114,15 @@ jobs: {% endraw %} -### Approve a pull request +## Automatically approving a pull request -If you want to automatically approve Dependabot pull requests, you can use the {% data variables.product.prodname_cli %} in a workflow: +You can automatically approve {% data variables.product.prodname_dependabot %} pull requests by using the {% data variables.product.prodname_cli %} in a workflow. + +Example: {% raw %} -```yaml +```yaml copy name: Dependabot auto-approve on: pull_request 
@@ -217,20 +148,17 @@ jobs: {% endraw %} -### Enable auto-merge on a pull request - -If you want to allow maintainers to mark certain pull requests for auto-merge, you can use {% data variables.product.prodname_dotcom %}'s auto-merge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) and [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). +## Enabling automerge on a pull request -{% ifversion repo-rules %}As an alternative to branch protection rules, you can create rulesets. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).{% endif %} +If you want to allow maintainers to mark certain pull requests for automerge, you can use {% data variables.product.prodname_dotcom %}'s automerge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met. -> [!NOTE] -> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). 
+For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) and [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). -You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that auto merges all patch updates to `my-dependency`: +You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that automerges all patch updates to `my-dependency`: {% raw %} -```yaml +```yaml copy name: Dependabot auto-merge on: pull_request @@ -258,7 +186,10 @@ jobs: {% endraw %} -## Troubleshooting failed workflow runs +> [!NOTE] +> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for {% data variables.product.prodname_dependabot %} pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule). + +## Investigating failed workflow runs If your workflow run fails, check the following: @@ -268,3 +199,5 @@ If your workflow run fails, check the following: * You have a `GITHUB_TOKEN` with the correct permissions. For information on writing and debugging {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/learn-github-actions). + +For more tips to help resolve issues with workflows, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions). 
diff --git a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md index 21ddf41cc653..174d0034798b 100644 --- a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md 
@@ -23,13 +23,13 @@ shortTitle: Configure access to private registries ## About private registries -{% data variables.product.prodname_dependabot_version_updates %} keeps your dependencies up-to-date. {% data variables.product.prodname_dependabot %} can access public registries. In addition, you can give {% data variables.product.prodname_dependabot_version_updates %} access to private package registries and private {% data variables.product.prodname_dotcom %} repositories so that you can keep your private and innersource dependencies as up-to-date as your public dependencies. +{% data variables.product.prodname_dependabot_version_updates %} keeps your dependencies up-to-date and {% data variables.product.prodname_dependabot_security_updates %} updates vulnerable dependencies. {% data variables.product.prodname_dependabot %} can access public registries. In addition, you can give {% data variables.product.prodname_dependabot %} access to private package registries and private {% data variables.product.github %} repositories so that you can keep your private and innersource dependencies as up-to-date and secure as your public dependencies. In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication. -For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). +For specific ecosystems, you can configure {% data variables.product.prodname_dependabot %} to access _only_ private registries by removing calls to public registries. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). 
-{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners).{% endif %} +{% ifversion dependabot-on-actions-self-hosted %}To allow {% data variables.product.prodname_dependabot %} access to registries hosted privately or restricted to internal networks, configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see [AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners).{% endif %} ## Configuring private registries @@ -40,7 +40,7 @@ The top-level `registries` key is optional and specifies authentication details. {% data reusables.dependabot.dependabot-updates-registries-options %} -For more information about the configuration options that are available, how to use them, and about the supported types, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). +For more information about the configuration options that are available and about the supported types, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). ## Storing credentials for Dependabot to use 
@@ -51,20 +51,18 @@ To give {% data variables.product.prodname_dependabot %} access to the private r {% data variables.product.prodname_dependabot %} secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow {% data variables.product.prodname_dependabot %} to update dependencies located in private package registries. When you add a secret, it's encrypted before it reaches {% data variables.product.prodname_dotcom %} and it remains encrypted until it's used by {% data variables.product.prodname_dependabot %} to access a private package registry. -{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets). +{% data variables.product.prodname_dependabot %} secrets also include secrets that are used by {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} pull requests. {% data variables.product.prodname_dependabot %} itself may not use these secrets, but the workflows require them. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#accessing-secrets). After you add a {% data variables.product.prodname_dependabot %} secret, you can reference it in the `dependabot.yml` configuration file like this: {% raw %}`${{secrets.NAME}}`{% endraw %}, where "NAME" is the name you chose for the secret. 
For example: {% raw %} -```yaml +```yaml copy password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} ``` {% endraw %} -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). - #### Naming your secrets The name of a {% data variables.product.prodname_dependabot %} secret: 
@@ -118,3 +116,374 @@ You can add {% data variables.product.prodname_dependabot %}-related IP addresse If your private registry is configured with an IP allow list, you can find the IP addresses {% data variables.product.prodname_dependabot %} uses to access the registry in the meta API endpoint, under the `dependabot` key. If you run {% data variables.product.prodname_dependabot %} on {% data variables.product.prodname_actions %} self-hosted runners, you should instead use the IP addresses under the `actions` key. For more information, see [AUTOTITLE](/rest/meta/meta) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners). {% endif %} + +## Allowing external code execution + +When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages. However, some version updates may fail. + +If you need to allow {% data variables.product.prodname_dependabot %} to access a private package registry and enable limited external code execution, you can set `insecure-external-code-execution` to `allow`. Any external code execution will only have access to the package managers in the registries associated with the enclosing `updates` setting. There is no access allowed to any of the registries defined in the top level `registries` configuration. + +In this example, the configuration file allows {% data variables.product.prodname_dependabot %} to access the `ruby-github` private package registry. In the same `updates`setting, `insecure-external-code-execution`is set to `allow`, which means that the code executed by dependencies will only access the `ruby-github` registry, and not the `dockerhub` registry. 
+{% raw %} + +```yaml copy +# Allow external code execution when updating dependencies from private registries + +version: 2 +registries: + ruby-github: + type: rubygems-server + url: https://rubygems.pkg.github.com/octocat/github_api + token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} +updates: + - package-ecosystem: "bundler" + directory: "/rubygems-server" + insecure-external-code-execution: allow + registries: "*" + schedule: + interval: "monthly" +``` + +{% endraw %} + +## Supported private registeries + +Examples of how to configure access to the private registries supported by {% data variables.product.prodname_dependabot %}. + +{% ifversion dependabot-updates-cargo-private-registry-support %} +* [`cargo-registry`](#cargo-registry){% endif %} +* [`composer-repository`](#composer-repository) +* [`docker-registry`](#docker-registry) +* [`git`](#git) +* [`hex-organization`](#hex-organization) +* [`hex-repository`](#hex-repository) +* [`maven-repository`](#maven-repository) +* [`npm-registry`](#npm-registry) +* [`nuget-feed`](#nuget-feed){% ifversion dependabot-updates-pub-private-registry %} +* [`pub-repository`](#pub-repository){% endif %} +* [`python-index`](#python-index) +* [`rubygems-server`](#rubygems-server) +* [`terraform-registry`](#terraform-registry) + +{% ifversion dependabot-updates-cargo-private-registry-support %} + +### `cargo-registry` + +The `cargo-registry` type supports a token. + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% data reusables.dependabot.cargo-private-registry-config-example %} + +{% endif %} + +### `composer-repository` + +The `composer-repository` type supports username and password. 
{% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + composer: + type: composer-repository + url: https://repo.packagist.com/example-company/ + username: octocat + password: ${{secrets.MY_PACKAGIST_PASSWORD}} +``` + +{% endraw %} + +### `docker-registry` + +{% data variables.product.prodname_dependabot %} works with any container registries that implement the OCI container registry spec. For more information, see [https://github.com/opencontainers/distribution-spec/blob/main/spec.md](https://github.com/opencontainers/distribution-spec/blob/main/spec.md). {% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For further details, see [Token Authentication Specification](https://docs.docker.com/registry/spec/auth/token/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia. + +The `docker-registry` type supports username and password. {% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + dockerhub: + type: docker-registry + url: https://registry.hub.docker.com + username: octocat + password: ${{secrets.MY_DOCKERHUB_PASSWORD}} + replaces-base: true +``` + +{% endraw %} + +The `docker-registry` type can also be used to pull from private Amazon ECR using static AWS credentials. + +{% raw %} + +```yaml copy +registries: + ecr-docker: + type: docker-registry + url: https://1234567890.dkr.ecr.us-east-1.amazonaws.com + username: ${{secrets.ECR_AWS_ACCESS_KEY_ID}} + password: ${{secrets.ECR_AWS_SECRET_ACCESS_KEY}} + replaces-base: true +``` + +{% endraw %} + +### `git` + +The `git` type supports username and password. 
{% data reusables.dependabot.password-definition %} + +{% raw %} + +```yaml copy +registries: + github-octocat: + type: git + url: https://github.com + username: x-access-token + password: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} +``` + +{% endraw %} + +### `hex-organization` + +The `hex-organization` type supports organization and key. + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + github-hex-org: + type: hex-organization + organization: github + key: ${{secrets.MY_HEX_ORGANIZATION_KEY}} +``` + +{% endraw %} + +### `hex-repository` + +The `hex-repository` type supports an authentication key. + +`repo` is a required field, which must match the name of the repository used in your dependency declaration. + +The `public-key-fingerprint` is an optional configuration field, representing the fingerprint of the public key for the Hex repository. `public-key-fingerprint` is used by Hex to establish trust with the private repository. The `public-key-fingerprint` field can be either listed in plaintext or stored as a {% data variables.product.prodname_dependabot %} secret. + +{% raw %} + +```yaml copy +registries: + github-hex-repository: + type: hex-repository + repo: private-repo + url: https://private-repo.example.com + auth-key: ${{secrets.MY_AUTH_KEY}} + public-key-fingerprint: ${{secrets.MY_PUBLIC_KEY_FINGERPRINT}} +``` + +{% endraw %} + +### `maven-repository` + +The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + maven-artifactory: + type: maven-repository + url: https://acme.jfrog.io/artifactory/my-maven-registry + username: octocat + password: ${{secrets.MY_ARTIFACTORY_PASSWORD}} +``` + +{% endraw %} + +### `npm-registry` + +The `npm-registry` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} + +When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password. + +> [!NOTE] +> When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path. + +{% raw %} + +```yaml copy +registries: + npm-npmjs: + type: npm-registry + url: https://registry.npmjs.org + username: octocat + password: ${{secrets.MY_NPM_PASSWORD}} # Must be an unencoded password + replaces-base: true +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + npm-github: + type: npm-registry + url: https://npm.pkg.github.com + token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} + replaces-base: true +``` + +{% endraw %} + +For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation. + +### `nuget-feed` + +The `nuget-feed` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} + +{% raw %} + +```yaml copy +registries: + nuget-example: + type: nuget-feed + url: https://nuget.example.com/v3/index.json + username: octocat@example.com + password: ${{secrets.MY_NUGET_PASSWORD}} +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + nuget-azure-devops: + type: nuget-feed + url: https://pkgs.dev.azure.com/.../_packaging/My_Feed/nuget/v3/index.json + username: octocat@example.com + password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} +``` + +{% endraw %} + +{% ifversion dependabot-updates-pub-private-registry %} + +### `pub-repository` + +The `pub-repository` type supports a URL and a token. + +{% raw %} + +```yaml copy +registries: + my-pub-registry: + type: pub-repository + url: https://example-private-pub-repo.dev/optional-path + token: ${{secrets.MY_PUB_TOKEN}} +updates: + - package-ecosystem: "pub" + directory: "/" + schedule: + interval: "weekly" + registries: + - my-pub-registry +``` + +{% endraw %} + +{% endif %} + +### `python-index` + +The `python-index` type supports username and password, or token. {% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + python-example: + type: python-index + url: https://example.com/_packaging/my-feed/pypi/example + username: octocat + password: ${{secrets.MY_BASIC_AUTH_PASSWORD}} + replaces-base: true +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + python-azure: + type: python-index + url: https://pkgs.dev.azure.com/octocat/_packaging/my-feed/pypi/example + username: octocat@example.com + password: ${{secrets.MY_AZURE_DEVOPS_TOKEN}} + replaces-base: true +``` + +{% endraw %} + +### `rubygems-server` + +The `rubygems-server` type supports username and password, or token. 
{% data reusables.dependabot.password-definition %} + +{% data reusables.dependabot.dependabot-updates-path-match %} + +{% raw %} + +```yaml copy +registries: + ruby-example: + type: rubygems-server + url: https://rubygems.example.com + username: octocat@example.com + password: ${{secrets.MY_RUBYGEMS_PASSWORD}} + replaces-base: true +``` + +{% endraw %} + +{% raw %} + +```yaml copy +registries: + ruby-github: + type: rubygems-server + url: https://rubygems.pkg.github.com/octocat/github_api + token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}} + replaces-base: true +``` + +{% endraw %} + +### `terraform-registry` + +The `terraform-registry` type supports a token. + +{% raw %} + +```yaml copy +registries: + terraform-example: + type: terraform-registry + url: https://terraform.example.com + token: ${{secrets.MY_TERRAFORM_API_TOKEN}} +``` + +{% endraw %} diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md new file mode 100644 index 000000000000..e97299cc047a --- /dev/null +++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md 
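Review bot: the heading `## Supported private registeries` in this hunk is misspelled, and because the page anchor is generated from the heading text, any link to `#supported-private-registries` will not resolve; suggest `## Supported private registries`. In the same hunk, the `insecure-external-code-execution: allow` example pairs that setting with `registries: "*"`, which hands every registry credential in that update block to code executed from the manifest; since the options reference added in this same change notes that this "could allow a compromised package to steal credentials or gain access to configured registries", a one-line comment on the example pointing readers to that caveat (or narrowing the example to the single `ruby-github` registry it defines) would keep the two pages consistent.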
@@ -0,0 +1,695 @@ +--- +title: Dependabot options reference +intro: 'Detailed information for all the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories.' +permissions: '{% data reusables.permissions.dependabot-yml-configure %}' +allowTitleToDifferFromFilename: true +redirect_from: + - /github/administering-a-repository/configuration-options-for-dependency-updates + - /code-security/supply-chain-security/configuration-options-for-dependency-updates + - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates + - /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: reference +topics: + - Dependabot + - Version updates + - Repositories + - Dependencies + - Pull requests +shortTitle: Dependabot options reference +--- + +## About the `dependabot.yml` file + +The `dependabot.yml` file defines how {% data variables.product.prodname_dependabot %} maintains dependencies using version updates. In addition, all options marked with a {% octicon "shield-check" aria-label="Security updates" height="16" %} icon also change how {% data variables.product.prodname_dependabot %} creates pull requests for security updates, except where `target-branch` is used. + +The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes). + +You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. 
For more information and an example, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates). + +> [!NOTE] +> {% data variables.product.prodname_dependabot_alerts %} are configured in the repository or organization "Settings" tab and not in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts). + +### Required keys + +| Key | Location | Purpose | +|--|--|--| +| `version` | Top level| {% data variables.product.prodname_dependabot %} configuration syntax to use. Always: `2`.| +| `updates` | Top level| Section where you define each `package-ecosystem` to update.| +| [`package-ecosystem`](#package-ecosystem-) | Under `updates` | Define a package manager to update. | +| {% ifversion dependabot-updates-multidirectory-support %}[`directories` or `directory`](#directories-or-directory--){% else %}[`directory`](#directory--){% endif %} | Under each `package-ecosystem` entry | Define the location of the manifest or other definition files to update. | +| [`schedule.interval`](#schedule-) | Under each `package-ecosystem` entry | Define whether to look for version updates: `daily`, `weekly`, or `monthly`. | + +Optionally, you can also include a top-level `registries` key to define access details for private registries, see [Top-level `registries` key](#top-level-registries-key). 
+ +```yaml copy + +# Basic `dependabot.yml` file with +# minimum configuration for two package managers + +version: 2 +updates: + # Enable version updates for npm + - package-ecosystem: "npm" + # Look for `package.json` and `lock` files in the `root` directory + directory: "/" + # Check the npm registry for updates every day (weekdays) + schedule: + interval: "daily" + + # Enable version updates for Docker + - package-ecosystem: "docker" + # Look for a `Dockerfile` in the `root` directory + directory: "/" + # Check for updates once a week + schedule: + interval: "weekly" +``` + +For a real-world example of a `dependabot.yml` file, see [{% data variables.product.prodname_dependabot %}'s own configuration file](https://github.com/dependabot/dependabot-core/blob/main/.github/dependabot.yml). + +## `allow` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Use to define exactly which dependencies to maintain for a package ecosystem. Often used with the [`ignore`](#ignore--) option. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated). + +{% data variables.product.prodname_dependabot %} default behavior: + +* {% octicon "versions" aria-hidden="true" %} All dependencies explicitly defined in a manifest are kept up to date by version updates. +* {% octicon "shield-check" aria-hidden="true" %} All dependencies defined in lock files with vulnerable dependencies are updated by security updates. + +When `allow` is specified {% data variables.product.prodname_dependabot %} uses the following process: + +1. Check for all explicitly **allowed** dependencies. +1. Then filter out any **ignored** dependencies or versions. + + If a dependency is matched by an `allow` and an `ignore` statement, then it is **ignored**. 
+ +| Parameters | Purpose | +|------------|---------| +| `dependency-name` | Allow updates for dependencies with matching names, optionally using `*` to match zero or more characters. | +| `dependency-type` | Allow updates for dependencies of specific types. | + +### `dependency-name` (`allow`) + +For most package managers, you should define a value that will match the dependency name specified in the lock or manifest file. A few systems have more complex requirements. + +| Package manager | Format required | Example | +|-----------------|-----------------|---------| +| Gradle and Maven | `groupId:artifactId` | `org.kohsuke:github-api` | +| Docker for image tags |The full name of the repository | For an image tag of `.dkr.ecr.us-west-2.amazonaws.com/base/foo/bar/ruby:3.1.0-focal-jemalloc`, use `base/foo/bar/ruby`.| + +### `dependency-type` (`allow`) + +| Dependency types | Supported by package managers | Allow updates | +|------------------|-------------------------------|--------| +| `direct` | All | All explicitly defined dependencies. | +| `indirect` | `bundler`, `pip`, `composer`, `cargo`, `gomod` | Dependencies of direct dependencies (also known as sub-dependencies, or transient dependencies).| +| `all` | All | All explicitly defined dependencies. For `bundler`, `pip`, `composer`, `cargo`, `gomod`, also the dependencies of direct dependencies.| +| `production` | `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only to dependencies defined by the package manager as production dependencies. | +| `development`| `bundler`, `composer`, `mix`, `maven`, `npm`, `pip` (not all managers) | Only to dependencies defined by the package manager as development dependencies. | + +## `assignees` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Specify individual assignees for all pull requests raised for a package ecosystem. 
For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Pull requests are created without any assignees. + +When `assignees` is defined: + +* {% octicon "versions" aria-hidden="true" %} All pull requests for version updates are created with the chosen assignees. +* {% octicon "shield-check" aria-hidden="true" %} All pull requests for security updates are created with the chosen assignees, unless `target-branch` defines updates to a non-default branch. + +Assignees must have write access to the repository. For organization-owned repositories, organization members with read access are also valid assignees. + +## `commit-message` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Define the format for commit messages. Since the titles of pull requests are written based on commit messages, this setting also impacts the titles of pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Commit messages follow similar patterns to those detected in the repository. + +When `commit-message` is defined: + +* {% octicon "versions" aria-hidden="true" %} All commit messages follow the defined pattern. +* {% octicon "shield-check" aria-hidden="true" %} All commit messages follow the defined pattern, unless `target-branch` defines updates to a non-default branch. + +| Parameters | Purpose | +|------------|---------| +| `prefix` | Defines a prefix for all commit messages and pull request titles. | +| `prefix-development` | On supported systems, defines a different prefix to use for commits that update dependencies in the Development dependency group. 
| +| `include` | Follow the commit message prefix with additional information. | + +{% ifversion dependabot-version-updates-groups %} + +> [!TIP] +> When pull requests are raised for grouped updates, the branch name and pull request title are defined by the group `IDENTIFIER`, see {% ifversion dependabot-grouped-security-updates-config %}[`groups`](#groups--){% else %}[`groups`](#groups-){% endif %}. + +{% endif %} + +### `prefix` + +* Used for all commit messages unless `prefix-development` is also defined. +* Value can be up to 50 characters. +* {% data variables.product.prodname_dependabot %} inserts a colon after the prefix before adding the main commit message when the value ends with a letter, number, closing parenthesis, or closing bracket. +* End the value with a whitespace character to stop a colon being added. + +### `prefix-development` + +Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. + +* Used only for commit messages that update dependencies in the Development dependency group. +* Otherwise, the parameter behaves exactly as the `prefix` parameter. + +### `include` + +* Supports only the value `scope` +* When defined any prefix is followed by the type of dependencies updated in the commit: `deps` or `deps-dev`. + +## {% ifversion dependabot-updates-multidirectory-support %}`directories` or {% endif %}`directory` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +**Required option**. Use to define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). Without this information {% data variables.product.prodname_dependabot %} cannot create pull requests for version updates. 
For examples, see {% ifversion dependabot-updates-multidirectory-support %}[Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files){% else %}[Example dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file){% endif %}. + +{% ifversion dependabot-updates-multidirectory-support %} +* Use `directory` to define a single directory of manifests. +* Use `directories` to define a list of multiple directories of manifests. +* Define directories relative to the root of the repository for most package managers.{% else %} +* Define the directory relative to the root of the repository for most package managers.{% endif %} +* For {% data variables.product.prodname_actions %}, use the value `/`. {% data variables.product.prodname_dependabot %} will search the `/.github/workflows` directory, as well as the `action.yml/action.yaml` file from the root directory. + +If you need to use more than one block in the configuration file to define updates for a single target branch of an ecosystem, you must ensure that all values are unique and there is no overlap in directories defined. + +{% ifversion dependabot-updates-multidirectory-support %} + +> [!NOTE] +> The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key. + +{% endif %} + +## `enable-beta-ecosystems` {% octicon "versions" aria-label="Version updates only" height="24" %} + +Not currently in use. 
+ +{% ifversion dependabot-version-updates-groups %} + +## `groups` {% ifversion dependabot-grouped-security-updates-config %}{% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}{% else %}{% octicon "versions" aria-label="Version updates only" height="24" %}{% endif %} + +Define rules to create one or more sets of dependencies managed by a package manager, to group updates into fewer, targeted pull requests. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Open a single pull request for each dependency that needs to be updated to a newer version for version updates{% ifversion dependabot-grouped-security-updates-config %} and for security updates{% endif %}. + +When `groups` is used to define rules: + +* All {% ifversion dependabot-grouped-security-updates-config %}{% else %}version {% endif %}updates for dependencies that match a rule are combined in a single pull request. +* If a dependency matches more than one rule, it's included in the first group that it matches. +* Any outdated dependencies that do not match a rule are updated in individual pull requests. + +Parameters | Purpose | +-------|-------------| +| `IDENTIFIER` | Define an identifier for the group to use in branch names and pull request titles. This must start and end with a letter, and can contain letters, pipes `\|`, underscores `_`, or hyphens `-`. | +| {% ifversion dependabot-grouped-security-updates-config %} | +| `applies-to` | Specify which type of update the group applies to. When undefined, defaults to version updates. Supported values: `version-updates` or `security-updates`. | +| {% endif %} | +| `dependency-type` | Limit the group to a type. Supported values: `development` or `production`. 
| +| `patterns` | Define one or more patterns to include dependencies with matching names. | +| `exclude-patterns` | Define one or more patterns to exclude dependencies from the group. | +| `update-types` | Limit the group to one or more semantic versioning levels. Supported values: `minor`, `patch`, and `major`. | + +### `dependency-type` (`groups`) + +Supported by: `bundler`, `composer`, `mix`, `maven`, `npm`, and `pip`. + +By default, a group will include all types of dependencies. + +* Use `development` to include only dependencies in the "Development dependency group". +* Use `production` to include only dependencies in the "Production dependency group". + +### `patterns` and `exclude-patterns` (`groups`) + +Both options support using `*` as a wild card to define matches with dependency names. + +### `update-types` (`groups`) + +By default, a group will include updates for all semantic versions (SemVer). SemVer is an accepted standard for defining versions of software packages, in the form `x.y.z`. Dependabot assumes that versions in this form are always `major.minor.patch`. + +* Use `patch` to include patch releases. +* Use `minor` to include minor releases. +* Use `major` to include major releases. + +For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#specifying-the-semantic-versioning-level-to-ignore). + +{% endif %} + +## `ignore` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Use with the [`allow`](#allow--) option to define exactly which dependencies to maintain for a package ecosystem. {% data variables.product.prodname_dependabot %} checks for all allowed dependencies and then filters out any ignored dependencies or versions. So a dependency that is matched by both an allow and an ignore will be ignored. 
For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies). + +{% data variables.product.prodname_dependabot %} default behavior: + +* {% octicon "versions" aria-hidden="true" %} All dependencies explicitly defined in a manifest are kept up to date by version updates. +* {% octicon "shield-check" aria-hidden="true" %} All dependencies defined in lock files with vulnerable dependencies are updated by security updates. + +When `ignore` is used {% data variables.product.prodname_dependabot %} uses the following process: + +1. Check for all explicitly **allowed** dependencies. +1. Then filter out any **ignored** dependencies or versions. + + If a dependency is matched by an `allow` and an `ignore` statement, then it is **ignored**. + +| Parameters | Purpose | +|------------|---------| +| `dependency-name` | Ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters. | +| `versions` | Ignore specific versions or ranges of versions. | +| `update-types` | Ignore updates to one or more semantic versioning levels. Supported values: `sem-ver:minor`, `sem-ver:patch`, and `sem-ver:major`. | + +### `dependency-name` (`ignore`) + +For most package managers, you should define a value that will match the dependency name specified in the lock or manifest file. A few systems have more complex requirements. + +| Package manager | Format required | Example | +|-----------------|-----------------|---------| +| Gradle and Maven | `groupId:artifactId` | `org.kohsuke:github-api` | +| Docker for image tags |The full name of the repository | For an image tag of `.dkr.ecr.us-west-2.amazonaws.com/base/foo/bar/ruby:3.1.0-focal-jemalloc`, use `base/foo/bar/ruby`.| + +### `versions` (`ignore`) + +Use to ignore specific versions or ranges of versions. If you want to define a range, use the standard pattern for the package manager. 
For example: + +* npm: use `^1.0.0` +* Bundler: use `~> 2.0` +* Docker: use Ruby version syntax +* NuGet: use `7.*` + +For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-versions-or-ranges-of-versions). + +### `update-types` (`ignore`) + +Specify which semantic versions (SemVer) to ignore. SemVer is an accepted standard for defining versions of software packages, in the form `x.y.z`. {% data variables.product.prodname_dependabot %} assumes that versions in this form are always `major.minor.patch`. + +* Use `patch` to include patch releases. +* Use `minor` to include minor releases. +* Use `major` to include major releases. + +## `insecure-external-code-execution` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Supported by: `bundler`, `mix`, and `pip`. + +Allow {% data variables.product.prodname_dependabot %} to execute external code in the manifest during updates. For examples, see [Allowing external code execution](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#allowing-external-code-execution). + +{% data variables.product.prodname_dependabot %} default behavior: + +* When you give {% data variables.product.prodname_dependabot %} access to one or more registries, external code execution is automatically disabled to protect your code from compromised packages. +* Version updates may fail without the ability to execute code. + +When you allow `insecure-external-code-execution`: + +* {% data variables.product.prodname_dependabot %} will execute code in the manifest as part of the version update process. +* The code has access to only the package managers in the registries associated with that `updates`setting. There is no access allowed to any of the registries defined in the top level `registries` configuration. 
+* This should enable the update to succeed but also could allow a compromised package to steal credentials or gain access to configured registries. + +Supported value: `allow`. + +## `labels` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Specify your own labels for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* All pull requests have a `dependencies` label. +* If you define more than one package manager, an additional label for the ecosystem or language is added to each pull request. For example: `java` for Gradle updates and `submodules` for git submodule updates. +* {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository. + +When `labels` is defined: + +* The labels specified are used instead of the default labels. +* If any of these labels is not defined in the repository, it is ignored. +* You can disable all labels, including the default labels, using `labels: [ ]`. + +{% data reusables.dependabot.option-affects-security-updates %} + +## `milestone` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Associate all pull requests raised for a package manager with a milestone. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* No milestones are used. + +When `milestone` is defined: + +* All pull requests for the package manager are added to the milestone. + +Supported value: the numeric identifier of a milestone. 
+ +>[!TIP] +>If you view a milestone, the final part of the page URL, after `milestone`, is the identifier. For example: `https://github.com///milestone/3`, see [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/viewing-your-milestones-progress). + +## `open-pull-requests-limit` {% octicon "versions" aria-label="Version updates only" height="24" %} + +Change the limit on the maximum number of pull requests for version updates open at any time. + +{% data variables.product.prodname_dependabot %} default behavior: + +* If five pull requests with version updates are open, no further pull requests are raised until some of those open requests are merged or closed. +* Security updates have a separate, internal limit of ten open pull requests which cannot be changed. + +When `open-pull-requests-limit` is defined: + +* {% data variables.product.prodname_dependabot %} opens pull requests up to the defined integer value. +* You can temporarily disable version updates for a package manager by setting this option to zero, see [Disabling {% data variables.product.prodname_dependabot_version_updates %}](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#disabling-dependabot-version-updates). + +## `package-ecosystem` {% octicon "versions" aria-label="Version updates only" height="24" %} + +**Required option.** Define one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each package manager, see [Example `dependabot.yml` file](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file). 
+ +Package manager | YAML value | Supported versions | +---------------|------------------|:------------------:| +| Bundler | `bundler` | {% ifversion ghes < 3.15 %}v1, {% endif %}v2 | +| Cargo | `cargo` | v1 | +| Composer | `composer` | {% ifversion dependabot-updates-composerv1-closing-down %}v2{% else %}v1, v2{% endif %} | +| {% ifversion dependabot-version-updates-devcontainer-support %} | +| Dev containers | `devcontainers` | Not applicable | +| {% endif %} | +| Docker | `docker` | v1 | +| {% ifversion dependabot-dotnet-sdk %} | +| .NET SDK | `dotnet-sdk` | >=.NET Core 3.1 | +| {% endif %} | +| Hex | `mix` | v1 | +| elm-package | `elm` | v0.19 | +| git submodule | `gitsubmodule` | Not applicable | +| {% data variables.product.prodname_actions %} | `github-actions` | Not applicable | +| Go modules | `gomod` | v1 | +| Gradle | `gradle` | Not applicable | +| Maven | `maven` | Not applicable | +| npm | `npm` | v6, v7, v8, v9 | +| NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% elsif ghes = 3.14 or ghes = 3.13 %}<= 6.8.0{% elsif ghes = 3.12 %}<= 6.7.0{% else %}<= 4.8{% endif %} | +| pip| `pip` | v21.1.2 | +| pip-compile | `pip` | 6.1.0 | +| pipenv | `pip` | <= 2021-05-29 | +| pnpm | `npm` | v7, v8
v9 (version updates only) | +| poetry | `pip` | v1 | +| pub | `pub` | v2 | +| {% ifversion dependabot-updates-swift-support %} | +| Swift | `swift` | v5 | +| {% endif %} | +| Terraform | `terraform` | >= 0.13, <= 1.8.x | +| yarn | `npm` | v1, v2, v3 | + +## `pull-request-branch-name.separator` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Specify a separator to use when generating branch names. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Generate branch names of the form: `dependabot/PACKAGE_MANAGER/DEPENDENCY` + +When `pull-request-branch-name.separator` is defined: + +* Use the specified character in place of `/`. + +Supported values: `"-"`, `_`, `/` + +> [!TIP] +> The hyphen symbol must be escaped so it is not interpreted as starting an empty YAML list. + +## `rebase-strategy` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Disable automatic rebasing of pull requests raised by {% data variables.product.prodname_dependabot %}. + +{% data variables.product.prodname_dependabot %} default behavior is to rebase open pull requests when {% data variables.product.prodname_dependabot %} detects any changes to a version or security update pull request. {% data variables.product.prodname_dependabot %} checks for changes when: + +* Your schedule runs to check for version updates. +* You reopen a closed {% data variables.product.prodname_dependabot %} pull request. +* You change the value of `target-branch` in the {% data variables.product.prodname_dependabot %} configuration file, see [`target-branch`](#target-branch-). +* A {% data variables.product.prodname_dependabot %} pull request is in conflict after a recent push to the target branch. 
+ +When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests. + +> [!NOTE] +> Pull requests that were open **before** you disable rebasing will continue to be rebased until 30 days after they were opened. This affects all pull requests that have conflicts with the target branch and all pull requests for version updates. + +## `registries` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Configure access to private package registries to allow {% data variables.product.prodname_dependabot %} to update a wider range of dependencies, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot). + +There are 2 locations in the `dependabot.yml` file where you can use the `registries` key: + +1. At the top level, where you define the private registries you want to use and their access information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). +1. Within the `updates` blocks, where you can specify which private registries each package manager should use. + +{% data variables.product.prodname_dependabot %} default behavior is to raise pull requests only to update dependencies stored in publicly accessible registries. + +When the {% data variables.product.prodname_dependabot %} configuration file has a top-level `registries` section, defining access to one or more private registries, you can configure each `package-ecosystem` to use one or more of these private registries. + +When `registries` is defined for a package manager: + +* Each private registry specified for a package manager is checked for version and security updates. 
+* {% data variables.product.prodname_dependabot %} uses the access details defined in the top-level `registries` section. + +Supported values: `REGISTRY_NAME` or `"*"` + +## `reviewers` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Pull requests are created without any reviewers assigned. + +When `reviewers` is defined: + +* {% octicon "versions" aria-hidden="true" %} All pull requests for version updates are created with the chosen reviewers. +* {% octicon "shield-check" aria-hidden="true" %} All pull requests for security updates are created with the chosen reviewers, unless `target-branch` defines updates to a non-default branch. + +Reviewers must have at least read access to the repository. + +## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %} + +**Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. {% ifversion dependabot-version-updates-groups %}For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).{% endif %} + +| Parameters | Purpose | +|------------|---------| +| `interval` | **Required.** Defines the frequency for {% data variables.product.prodname_dependabot %}. | +| `day` | Specify the day to run for a **weekly** interval. | +| `time` | Specify the time to run. | +| `timezone` | Specify the timezone of the `time` value. 
| + +### `interval` + +Supported values: `daily`, `weekly`, or `monthly` + +Each package manager **must** define a schedule interval. + +* Use `daily` to run on every weekday, Monday to Friday. +* Use `weekly` to run once a week, by default on Monday. +* Use `monthly` to run on the first day of each month. + +By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. You can use the `time` and `timezone` parameters to set a specific runtime for all intervals. + +### `day` + +Supported values: `monday`, `tuesday`, `wednesday`, `thursday`, `friday`, `saturday`, or `sunday` + +Optionally, run **weekly** updates for a package manager on a specific day of the week. + +### `time` + +Format: `hh:mm` + +Optionally, run all updates for a package manager at a specific time of day. By default, times are interpreted as UTC. + +### `timezone` + +Specify a time zone for the `time` value. + +The time zone identifier must match a timezone in the database maintained by [iana](https://www.iana.org/time-zones), see [List of tz database time zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). + +## `target-branch` {% octicon "versions" aria-label="Version updates only" height="24" %} + +Define a specific branch to check for version updates and to target pull requests for version updates against. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). + +{% data variables.product.prodname_dependabot %} default behavior: + +* {% data variables.product.prodname_dependabot %} uses the default branch for the repository, see [About the default branch](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-the-default-branch). + +When `target-branch` is defined: + +* Only manifest files on the target branch are checked for version updates. 
+* All pull requests for version updates are opened targetting the specified branch. +* Options defined for this `package-ecosystem` no longer apply to security updates because security updates always use the default branch for the repository. + +## `vendor` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Supported by: `bundler` and `gomod` only. + +Tell {% data variables.product.prodname_dependabot %} to maintain your vendored dependencies as well as the dependencies defined by manifest files. A dependency is described as "vendored" or "cached" when you store the code within your repository, see [`bundle cache` documentation](https://bundler.io/man/bundle-cache.1.html) and [`go mod vendor` documentation](https://golang.org/ref/mod#go-mod-vendor). + +For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#updating-vendored-dependencies). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Maintain only dependencies recorded in the manifest and lock files identified for Bundler. +* Raise security and version update pull requests that update the version numbers recorded in the manifest and lock files. +* For Go modules, any vendored dependencies are automatically identified and maintained as if `vendor` was enabled. + +When `vendor` is enabled: + +* {% data variables.product.prodname_dependabot %} also maintains dependencies for Bundler that are stored in the `_vendor/cache_` directory in the repository. +* Pull requests will sometimes contain updates to a dependency that is stored in the repository. 
+ +Supported values: `true` or `false` + +## `versioning-strategy` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} + +Supported by: `bundler`, `cargo`, `composer`, `mix`, `npm`, `pip`, `pub` + +Define how {% data variables.product.prodname_dependabot %} should edit manifest files. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-a-versioning-strategy). + +{% data variables.product.prodname_dependabot %} default behavior: + +* Try to differentiate between app and library dependencies. +* For apps, always increase the minimum version requirement to match the new version. The `increase` strategy. +* For libraries, widen the allowed version requirements to include both the new and old versions, when possible. The `widen` strategy. + +When `versioning-strategy` is defined, {% data variables.product.prodname_dependabot %} uses the strategy specified. + +| Value | Behavior | +|--------|--------| +| `auto` | Default behavior.| +| `increase`| Always increase the minimum version requirement to match the new version. If a range already exists, typically this only increases the lower bound. | +| `increase-if-necessary` | Leave the constraint if the original constraint allows the new version, otherwise, bump the constraint. | +| `lockfile-only` | Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes. | +| `widen`| Widen the allowed version requirements to include both the new and old versions, when possible. Typically, this only increases the maximum allowed version requirement. 
| + +For example, if the current version is `1.0.0` and the current constraint is `^1.0.0` the different strategies would raise the following updates: + +New version `1.2.0` + +* `increase`: new constraint `^1.2.0` +* `increase-if-necessary`: new constraint `^1.0.0` +* `widen`: new constraint `^1.0.0` + +New version `2.0.0` + +* `increase`: new constraint `^2.0.0` +* `increase-if-necessary`: new constraint `^2.0.0 ` +* `widen`: new constraint `>=1.0.0 <3.0.0` + +> [!NOTE] +> If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/. + +{% ifversion dependabot-updates-supported-versioning-tags %} + +### Versioning tags + +* Represent stages in the software release lifecycle, such as alpha, beta, and stable versions. +* Allow publishers to distribute their packages more effectively. +* Indicate the stability of a version and communicate what users should expect in terms of features and stability. + +{% data reusables.dependabot.dependabot-updates-supported-versioning-tags %} + +#### Versioning tag glossary + +* **`alpha`:** Early version, may be unstable and have incomplete features. +* **`beta`:** More stable than alpha but may still have bugs. +* **`canary`:** Regularly updated pre-release version for testing. +* **`dev`:** Represents development versions. +* **`experimental`:** Versions with experimental features. +* **`latest`:** The latest stable release. +* **`legacy`:** Older or deprecated versions. +* **`next`:** Upcoming release version. +* **`nightly`:** Versions built nightly; often includes the latest changes. +* **`rc`:** Release candidate, close to stable release. +* **`release`:** The official release version. +* **`stable`:** The most reliable, production-ready version. 
+ +{% endif %} + +## Top-level `registries` key + +Specify authentication details that {% data variables.product.prodname_dependabot %} can use to access private package registries, including registries hosted by GitLab or Bitbucket. + +{% ifversion ghes %} + +> [!NOTE] +> Private registries behind firewalls on private networks are supported for the following ecosystems: +> +> * Bundler{% ifversion dependabot-updates-cargo-private-registry-support %} +> * Cargo{% endif %} +> * Docker +> * Gradle +> * Maven +> * Npm +> * NuGet{% ifversion dependabot-updates-pub-private-registry %} +> * Pub{% endif %} +> * Python +> * Yarn + +{% endif %} + +The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following `dependabot.yml` file configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file. + +{% raw %} + +```yaml copy +# Minimal settings to update dependencies stored in one private registry + +version: 2 +registries: + dockerhub: # Define access for a private registry + type: docker-registry + url: registry.hub.docker.com + username: octocat + password: ${{secrets.DOCKERHUB_PASSWORD}} +updates: + - package-ecosystem: "docker" + directory: "/docker-registry/dockerhub" + registries: + - dockerhub # Allow version updates for dependencies in this registry + schedule: + interval: "monthly" +``` + +{% endraw %} + +{% data reusables.dependabot.dependabot-updates-registries-options %} + +{% data reusables.dependabot.advanced-private-registry-config-link %} + +### `type` and authentication details + +The parameters used to provide authentication details for access to a private registry vary according to the registry `type`. 
+ +| Registry `type` | Required authentication parameters | +|--|--| +| {% ifversion dependabot-updates-cargo-private-registry-support %} | +| `cargo-registry` | `token` | +| {% endif %} | +| `composer-repository` | `username` and `password` | +| `docker-registry` | `username` and `password` | +| `git` | `username` and `password` | +| `hex-organization` | `organization` and `key` | +| `hex-repository` | `repo` and `auth-key` optionally with the corresponding `public-key-fingerprint` | +| `maven-repository` | `username` and `password` | +| `npm-registry` | `username` and `password`
or `token` | +| `nuget-feed` | `username` and `password`
or `token` | +| `pub-registry` | `token` | +| `python-index` | `username` and `password`
or `token` | +| `rubygems-server` | `username` and `password`
or `token` | +| `terraform-registry` | `token` | + +All sensitive data used for authentication should be stored securely and referenced from that secure location, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). + +> [!TIP] +> {% data reusables.dependabot.password-definition %} + +### `url` and `replaces-base` + +The `url` parameter defines where to access a registry. When the optional `replaces-base` parameter is enabled (`true`), {% data variables.product.prodname_dependabot %} resolves dependencies using the value of `url` rather than the base URL of that specific ecosystem. diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index 4307c496ee0c..1a32f7edd28e 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
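Review bot: the `type` table in the new reference page lists the pub registry type as `pub-registry`, but the guidance file in this same patch (hunk @@ -375) configures `type: pub-repository` and links to `#pub-repository`, so the two pages disagree on the value readers will paste into `dependabot.yml`; reconcile the table row with the guidance's `pub-repository`. Smaller fixes in the same region: the `vendor` section's path reads `_vendor/cache_` inside a code span, so the underscores render literally and should be `vendor/cache`; the `target-branch` bullet has "targetting" for "targeting"; and the `versioning-strategy` note opens with a fragment ("If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need.") that needs joining to the sentence after it, for example "... a value you need, you can contribute one: the strategy code is open source ...". Finally, `rebase-strategy` refers to the `disabled` value but, unlike the neighbouring options, never has a "Supported values:" line; adding one keeps the page consistent.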
@@ -56,13 +56,13 @@ You'll also find recommendations for the setup of the following registry hosts: Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server). +You can authenticate with either a username and password, or a token. For more information, see `rubygems-server` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#rubygems-server). Snippet of a `dependabot.yml` file using a username and password. {% raw %} -```yaml +```yaml copy registries: ruby-example: type: rubygems-server @@ -77,7 +77,7 @@ The snippet of `dependabot.yml` file below uses a token. {% data reusables.depen {% raw %} -```yaml +```yaml copy registries: ruby-github: type: rubygems-server @@ -95,7 +95,7 @@ registries: ### Cargo -Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cargo-registry). +Cargo supports username, password and token-based authentication. For more information, see `cargo-registry` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#cargo-registry). The snippet below shows a `dependabot.yml` file configuration that uses a token. 
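Review bot: the hunk at @@ -95,7 +95,7 keeps the sentence "Cargo supports username, password and token-based authentication", but the `type` table being added to the reference page in this same patch lists `cargo-registry` with `token` as its only required authentication parameter; either the table is missing the `username` and `password` form or this sentence overstates what `cargo-registry` accepts, so one of the two should change before both pages ship pointing at each other.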
@@ -105,13 +105,13 @@ The snippet below shows a `dependabot.yml` file configuration that uses a token. ### Docker -Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry). +Docker supports using a username and password for registries. For more information, see `docker-registry` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry). Snippet of `dependabot.yml` file using a username and password. {% raw %} -```yaml +```yaml copy registries: dockerhub: type: docker-registry @@ -126,7 +126,7 @@ registries: {% raw %} -```yaml +```yaml copy registries: ecr-docker: type: docker-registry 
@@ -149,18 +149,20 @@ registries: * Dockerfiles may only receive a version update to the first `FROM` directive. * Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see [{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920) in the `dependabot/dependabot-core` repository. * {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see [Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640) in the `dependabot/dependabot-core` repository. +* Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see [{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920) in the `dependabot/dependabot-core` repository. +* {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see [Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640) in the `dependabot/dependabot-core` repository. ### Gradle -{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle). +{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. 
For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#gradle). -Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Gradle supports the `maven-repository` registry type. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). The `maven-repository` type supports username and password. {% data reusables.dependabot.password-definition %} {% raw %} -```yaml +```yaml copy registries: gradle-artifactory: type: maven-repository @@ -184,11 +186,11 @@ updates: ### Maven -Maven supports username and password authentication. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository). +Maven supports username and password authentication. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). {% raw %} -```yaml +```yaml copy registries: maven-artifactory: type: maven-repository @@ -203,7 +205,7 @@ registries: {% raw %} -```yaml +```yaml copy version: 2 registries: maven-github: 
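Review bot: the hunk at @@ -149,18 +149,20 adds two bullets that are verbatim copies of the two unchanged bullets directly above them (the `ARG` directive / `COPY` workaround note and the multi-stage build limitation), so the Docker limitations list will show each item twice; drop the two `+` lines. The Gradle link retarget to `supported-ecosystems-and-repositories#gradle` in the same hunk is fine.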
@@ -232,13 +234,13 @@ You can define the configuration in the `dependabot.yml` file using the `npm-reg #### Using the `npm-registry` type in the configuration file -You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +You can define the private registry configuration in a `dependabot.yml` file using the `npm-registry` type. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). The snippet of a `dependabot.yml` file below uses a token. {% data reusables.dependabot.token-is-github-pat %} {% raw %} -```yaml +```yaml copy registries: npm-github: type: npm-registry 
@@ -313,7 +315,7 @@ If you use a monorepo, the `.npmrc` file should live in the project's root direc You can configure {% data variables.product.prodname_dependabot %} to send all registry requests through a specified base URL. In order for {% data variables.product.prodname_dependabot %} to access a public dependency, the registry must either have a cloned copy of the dependency with the requested version, or allow traffic to fetch from a public registry if the dependency is not available. -If there is no global registry defined in a `.npmrc` file, you can set `replaces-base` to `true` in the `dependabot.yml` file. For more information, see "`replaces-base`" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). +If there is no global registry defined in a `.npmrc` file, you can set `replaces-base` to `true` in the `dependabot.yml` file. For more information, see "`replaces-base`" in [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). #### Notes @@ -327,11 +329,11 @@ Registries should be configured using the `https` protocol. Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet. -The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed). +The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#nuget-feed). {% raw %} -```yaml +```yaml copy registries: nuget-example: type: nuget-feed 
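Review bot: the `replaces-base` cross-reference in the @@ -313,7 +315,7 hunk links to `#top-level-registries-key`, but the new reference page defines the parameter under its own `### \`url\` and \`replaces-base\`` heading, so the link lands readers at the top of the section rather than on the definition; link to the `url` and `replaces-base` anchor instead.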
@@ -344,7 +346,7 @@ registries: {% raw %} -```yaml +```yaml copy registries: nuget-azure-devops: type: nuget-feed @@ -361,7 +363,7 @@ You can also use a token in your `dependabot.yml` file. {% data reusables.depend {% raw %} -```yaml +```yaml copy registries: nuget-azure-devops: type: nuget-feed @@ -375,11 +377,11 @@ registries: ### pub -You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pub-repository). +You can define the private registry configuration in a `dependabot.yml` file using the `pub-repository` type. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#pub-repository). {% raw %} -```yaml +```yaml copy registries: my-pub-registry: type: pub-repository @@ -410,11 +412,11 @@ pub supports URL and token authentication. The URL used for the registry should Supported by Artifactory, Azure Artifacts, Cloudsmith, Nexus, and ProGet. The {% data variables.product.prodname_registry %} registry is not supported. -The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index). +The `python-index` type supports username and password, or token. For more information, see `python-index` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#python-index). {% raw %} -```yaml +```yaml copy registries: python-example: type: python-index @@ -427,7 +429,7 @@ registries: {% raw %} -```yaml +```yaml copy registries: python-azure: type: python-index 
@@ -439,7 +441,7 @@ registries: {% endraw %} {% raw %} -```yaml +```yaml copy registries: python-gemfury: type: python-index @@ -457,11 +459,11 @@ registries: ### Yarn -The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry). +The Yarn registry uses a configuration similar to that of the npm registry. For more information, see "`npm-registry`" in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#npm-registry). {% raw %} -```yaml +```yaml copy registries: yarn-github: type: npm-registry @@ -481,7 +483,7 @@ You can either specify the private registry configuration in the `dependabot.yml ##### Defining the private registry configuration in the `dependabot.yml` file -You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). +You can define the private registry configuration in your `dependabot.yml` file. For more information, see [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). To ensure that the private registry is listed as the dependency source in the project's `yarn.lock` file, you need to run `yarn install` on a machine with private registry access. Yarn should update the resolved field to include the private registry URL. 
@@ -518,7 +520,7 @@ As with Yarn Classic, you can either specify the private registry configuration ##### Defining the private registry configuration in the `dependabot.yml` file -You can define the private registry configuration in your `dependabot.yml` file. For more information, see "Configuration options for private registries" in [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). +You can define the private registry configuration in your `dependabot.yml` file. For more information, see [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the resolved field to include the private registry URL. @@ -609,7 +611,7 @@ Example of Azure Artifacts registry: {% raw %} -```yaml +```yaml copy registries: nuget-azure-devops: type: nuget-feed @@ -642,7 +644,7 @@ For information about {% data variables.product.prodname_registry %} registries, {% raw %} -```yaml +```yaml copy registries: github: type: npm-registry @@ -670,7 +672,7 @@ Example of Nexus registry: {% raw %} -```yaml +```yaml copy registries: npm-nexus: type: npm-registry 
@@ -690,7 +692,7 @@ If you are restricting which IPs can reach your Nexus host, you need to add the * "3.217.93.44/32" For more information, see [Securing Nexus Repository Manager](https://help.sonatype.com/repomanager3/planning-your-implementation/securing-nexus-repository-manager) in the Sonatype documentation. - Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries). + Registries can be proxied to reach out to a public registry in case a dependency is not available in the private registry. However, you may want {% data variables.product.prodname_dependabot %} to only access the private registry and not access the public registry at all. For more information, see [Quick Start Guide - Proxying Maven and NPM](https://help.sonatype.com/repomanager3/planning-your-implementation/quick-start-guide---proxying-maven-and-npm) in the Sonatype documentation, and [AUTOTITLE](/code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries). ### ProGet @@ -700,7 +702,7 @@ Example of ProGet registry configuration for a NuGet feed: {% raw %} -```yaml +```yaml copy registries: proget-nuget-feed: type: nuget-feed @@ -714,7 +716,7 @@ Example of ProGet registry configuration for Bundler (rubygems): {% raw %} -```yaml +```yaml copy registries: proget-gems-feed: type: rubygems-server 
@@ -728,7 +730,7 @@ Example of ProGet registry configuration for Python (PyPI): {% raw %} -```yaml +```yaml copy registries: proget-python-feed: type: python-index diff --git a/content/code-security/dependabot/working-with-dependabot/index.md b/content/code-security/dependabot/working-with-dependabot/index.md index d17916c3392e..168fdf6dfd63 100644 --- a/content/code-security/dependabot/working-with-dependabot/index.md +++ b/content/code-security/dependabot/working-with-dependabot/index.md @@ -16,14 +16,9 @@ topics: children: - /managing-pull-requests-for-dependency-updates - /about-dependabot-on-github-actions-runners - - /managing-dependabot-on-self-hosted-runners - /automating-dependabot-with-github-actions - /keeping-your-actions-up-to-date-with-dependabot - /configuring-access-to-private-registries-for-dependabot - /guidance-for-the-configuration-of-private-registries-for-dependabot - - /removing-dependabot-access-to-public-registries - - /viewing-dependabot-job-logs - - /troubleshooting-the-detection-of-vulnerable-dependencies - - /troubleshooting-dependabot-errors - - /troubleshooting-dependabot-on-github-actions + - /dependabot-options-reference --- diff --git a/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md b/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md index ee2fcfd2610e..ee3124491815 100644 --- a/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.md 
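Review bot: the `index.md` hunk removes six `children` entries (`/managing-dependabot-on-self-hosted-runners`, `/removing-dependabot-access-to-public-registries`, `/viewing-dependabot-job-logs` and the three `/troubleshooting-*` pages) but nothing in this patch adds them to another index; the link rewrites elsewhere in the patch show `removing-dependabot-access-to-public-registries` moving to `/maintain-dependencies/`, so that page has a new home, but the job-log and troubleshooting pages have no visible destination or `redirect_from`. Confirm each removed page is relocated with a redirect in the same change, otherwise inbound links to the old paths will 404. The added `/dependabot-options-reference` child matches the new file, which is fine.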
@@ -55,7 +55,7 @@ You can also enable {% data variables.product.prodname_dependabot_version_update The example `dependabot.yml` file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"weekly"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot %} will continue to check for outdated versions of actions once a week. -```yaml +```yaml copy # Set update schedule for GitHub Actions version: 2 @@ -70,7 +70,7 @@ updates: ## Configuring {% data variables.product.prodname_dependabot_version_updates %} for actions -When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). +When enabling {% data variables.product.prodname_dependabot_version_updates %} for actions, you must specify values for `package-ecosystem`, `directory`, and `schedule.interval`. There are many more optional properties that you can set to further customize your version updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference). ## Further reading 
diff --git a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md index c13f079b85a3..5ff9828d0b76 100644 --- a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md +++ b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md 
@@ -30,7 +30,7 @@ shortTitle: Manage Dependabot PRs When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. {% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% endif %} -If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. {% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates){% ifversion dependabot-grouped-security-updates-config %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).{% else %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).{% endif %} +If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. 
{% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs){% ifversion dependabot-grouped-security-updates-config %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).{% else %} and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request).{% endif %} > [!NOTE] > If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates). 
@@ -45,7 +45,7 @@ If you have many dependencies to manage, you may want to customize the configura ## Changing the rebase strategy for {% data variables.product.prodname_dependabot %} pull requests -By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy). +By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% data reusables.dependabot.pull-requests-30-days-cutoff %} If you'd prefer to handle merge conflicts manually, you can disable this using the `rebase-strategy` option. For details, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#rebase-strategy). ## Allowing {% data variables.product.prodname_dependabot %} to rebase and force push over extra commits 
@@ -74,7 +74,7 @@ You can use any of the following commands on a {% data variables.product.prodnam If you run any of the commands for ignoring dependencies or versions, {% data variables.product.prodname_dependabot %} stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically. -For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore). +For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore). {% ifversion dependabot-grouped-security-updates-config %} diff --git a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md deleted file mode 100644 index 20f6ac748896..000000000000 --- a/content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-on-github-actions.md +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -title: Troubleshooting Dependabot on GitHub Actions -intro: 'This article provides troubleshooting information for issues you may encounter when using {% data variables.product.prodname_dependabot %} with {% data variables.product.prodname_actions %}.' -versions: - fpt: '*' - ghec: '*' -type: how_to -topics: - - Actions - - Dependabot - - Version updates - - Security updates - - Repositories - - Dependencies - - Pull requests -shortTitle: Troubleshoot Dependabot on Actions ---- - -## Troubleshooting failures when {% data variables.product.prodname_dependabot %} triggers existing workflows - -{% data reusables.dependabot.dependabot-on-actions-troubleshooting-workflows %} For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions). diff --git a/content/code-security/getting-started/dependabot-quickstart-guide.md b/content/code-security/getting-started/dependabot-quickstart-guide.md index 8eb370496c22..38980312f5c9 100644 --- a/content/code-security/getting-started/dependabot-quickstart-guide.md +++ b/content/code-security/getting-started/dependabot-quickstart-guide.md 
@@ -108,7 +108,7 @@ You can fix or dismiss {% data variables.product.prodname_dependabot_alerts %} o * Go back to the alert details page. * On the top-right corner, click **Dismiss alert**. - ![Screenshot of the alert details page with the **Dismiss alert** button, dropdown menu options, and dismissal comment box highlighted with a dark orange outline.](/assets/images/help/repository/dismiss-alert-demo-repo.png) + ![Screenshot of the alert details page with the **Dismiss alert** button, dropdown menu options, and dismissal comment box outlined in orange.](/assets/images/help/repository/dismiss-alert-demo-repo.png) * Select a reason for dismissing the alert. * Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. @@ -122,7 +122,7 @@ You may need to do some troubleshooting if: * {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix an alert, or * The information reported by {% data variables.product.prodname_dependabot %} is not what you expect. -For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies), respectively. +For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors) and [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies), respectively. ## Next steps diff --git a/content/code-security/index.md b/content/code-security/index.md index c18e6d121aac..7484549c0087 100644 --- a/content/code-security/index.md +++ b/content/code-security/index.md 
@@ -11,20 +11,20 @@ featuredLinks: startHere: - /code-security/getting-started/quickstart-for-securing-your-repository - '{% ifversion fpt or ghec %}/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory{% endif %}' - - '/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning' + - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning guideCards: - /code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates - /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates - - '/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning' + - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning - /code-security/supply-chain-security/end-to-end-supply-chain/end-to-end-supply-chain-overview popular: - '{% ifversion ghes %}/admin/release-notes{% endif %}' - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities - /code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot - - /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + - /code-security/dependabot/working-with-dependabot/dependabot-options-reference - /code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot - - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies + - /code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies changelog: label: security-and-compliance versions: 
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 6cfd8f06d673..3b47a9f10b09 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md @@ -43,7 +43,7 @@ For more information on {% data variables.dependabot.auto_triage_rules %}, see [ ### Grouping {% data variables.product.prodname_dependabot_security_updates %} -{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request to reduce noise. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request). +{% data variables.product.prodname_dependabot %} can group all automatically suggested security updates into a single pull request. To enable grouped security updates, select **Grouped security updates**. For more information about grouped updates and customization options, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request). {% ifversion dependabot-on-actions-opt-in %} 
diff --git a/content/code-security/securing-your-organization/index.md b/content/code-security/securing-your-organization/index.md index 2898e1144a94..07ddc6ed0295 100644 --- a/content/code-security/securing-your-organization/index.md +++ b/content/code-security/securing-your-organization/index.md @@ -1,9 +1,11 @@ --- title: Securing your organization shortTitle: Secure your organization -intro: 'Secure your organization at scale with {% data variables.product.company_short %}''s security products through {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}.' +intro: 'Secure your organization at scale with {% data variables.product.company_short %}''s security products{% ifversion security-configurations %} through {% data variables.product.prodname_security_configurations %} and {% data variables.product.prodname_global_settings %}{% endif %}.' versions: - feature: security-configurations + fpt: '*' + ghec: '*' + ghes: '*' topics: - Advanced Security - Organizations diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index 4ae79f724d8f..e584a52ff3bf 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md 
@@ -77,4 +77,4 @@ You can use the dependency graph to: * [Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph) on Wikipedia * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository) * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md index c299bd56dfed..f908005681a5 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph.md @@ -63,4 +63,4 @@ When the dependency graph is first enabled, any manifest and lock files for supp {%- ifversion ghec %} * [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){%- endif %} * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) 
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md index b68ad1de67ec..f2559e100ed6 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md @@ -67,5 +67,5 @@ Yes, the dependency graph has {% ifversion dependency-graph-repository-view-upda * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) * [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) -* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies) +* [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors) diff --git a/content/contributing/style-guide-and-content-model/style-guide.md b/content/contributing/style-guide-and-content-model/style-guide.md index 11a637691e51..93216c14306d 100644 --- a/content/contributing/style-guide-and-content-model/style-guide.md +++ b/content/contributing/style-guide-and-content-model/style-guide.md @@ -343,11 +343,11 @@ If an article has headers, the headers must start with an H2 level header. You c TEXT ### SUBHEADER (H3) - + TEXT #### SUBHEADER (H4) - + TEXT ``` 
@@ -365,15 +365,15 @@ Each header at the same level on a page must be unique. ```markdown ## Examples (H2) - + TEXT ### Prompts for writing code (H3) - + TEXT ### Prompts for writing tests (H3) - + TEXT ``` @@ -381,19 +381,19 @@ Each header at the same level on a page must be unique. ```markdown ## Prompts for writing code (H2) - + TEXT ### Example (H3) - + TEXT ## Prompts for writing tests (H2) - + TEXT ### Example (H3) - + TEXT ``` @@ -401,15 +401,15 @@ Each header at the same level on a page must be unique. ```markdown ## Example prompts (H2) - + TEXT ### Example (H3) - + TEXT ### Example (H3) - + TEXT ``` @@ -1380,7 +1380,7 @@ All columns in a table should be left-aligned, except for columns containing onl Table content is left-aligned by default. Use Markdown table formatting, colons (`:`) to either the right or left of the dashes in the header row, to specify the alignment of each column. Read [AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/organizing-information-with-tables#formatting-content-within-your-table) for more information. -The following example shows part of a table from [AUTOTITLE](/free-pro-team@latest/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file). +The following example shows part of a table from [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference). diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md index 79ee7a2a76aa..167f5fe79472 100644 --- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md 
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md @@ -66,7 +66,7 @@ You can use security overview to find a set of repositories and enable or disabl 1. Review the information in the dialog box. 1. Optionally, if you are enabling private vulnerability reporting, dependency graph, or {% data variables.product.prodname_dependabot %}, select **Enable by default for new repositories**. - ![Screenshot of the "Enable FEATURE" modal dialog, with the "Enable by default for new private repositories" option highlighted with a dark orange outline.](/assets/images/help/organizations/security-and-analysis-enable-by-default-in-modal.png) + ![Screenshot of the "Enable FEATURE" modal dialog, with the "Enable by default for new private repositories" option outlined in orange.](/assets/images/help/organizations/security-and-analysis-enable-by-default-in-modal.png) 1. When you are ready to make the changes, click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories in your organization. 1. Optionally, in your feature's section of the security and analysis settings, select additional enablement settings. Additional enablement settings may include: 
@@ -92,7 +92,7 @@ You can use security overview to find a set of repositories and enable or disabl By default, {% data variables.product.prodname_dependabot %} can't update dependencies that are located in private{% ifversion ghec or ghes %} or internal{% endif %} repositories, or private{% ifversion ghec or ghes %} or internal{% endif %} package registries. However, if a dependency is in a private{% ifversion ghec or ghes %} or internal{% endif %} {% data variables.product.prodname_dotcom %} repository within the same organization as the project that uses that dependency, you can allow {% data variables.product.prodname_dependabot %} to update the version successfully by giving it access to the host repository. -If your code depends on packages in a private{% ifversion ghec or ghes %} or internal{% endif %} registry, you can allow {% data variables.product.prodname_dependabot %} to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the `dependabot.yml` file for the repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries). +If your code depends on packages in a private{% ifversion ghec or ghes %} or internal{% endif %} registry, you can allow {% data variables.product.prodname_dependabot %} to update the versions of these dependencies by configuring this at the repository level. You do this by adding authentication details to the `dependabot.yml` file for the repository. For more information, see [Top-level `registries` key](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#top-level-registries-key). {% ifversion ghec %} 
@@ -112,7 +112,7 @@ To allow {% data variables.product.prodname_dependabot %} to access a private or 1. Go to the security and analysis settings for your organization. For more information, see [Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings). 1. Under "Grant {% data variables.product.prodname_dependabot %} private repository access", click **Add internal and private repositories** to display a repository search field. - ![Screenshot of the dropdown that you can use to search for repositories. As you type, repositories whose name matches your search criteria will appear in the list. The search text field is highlighted with a dark orange outline.](/assets/images/help/organizations/dependabot-private-repo-choose.png) + ![Screenshot of the search dropdown. As you type, repository names that match your search are shown. The search text field is outlined in orange.](/assets/images/help/organizations/dependabot-private-repo-choose.png) 1. Start typing the name of the repository you want to grant {% data variables.product.prodname_dependabot %} access to. 1. A list of matching repositories in the organization is displayed, click the repository you want to allow access to and this adds the repository to the allowed list. diff --git a/data/learning-tracks/code-security.yml b/data/learning-tracks/code-security.yml index 3da10a960931..fbe340ca1d74 100644 --- a/data/learning-tracks/code-security.yml +++ b/data/learning-tracks/code-security.yml 
@@ -54,9 +54,9 @@ dependabot_alerts: - >- /code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates - >- - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies + /code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies - >- - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors + /code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors dependabot_security_updates: title: Get pull requests to update your vulnerable dependencies description: >- @@ -74,7 +74,7 @@ dependabot_security_updates: - >- /code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates - >- - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies + /code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies dependency_version_updates: title: Keep your dependencies up-to-date description: >- 
@@ -86,25 +86,25 @@ dependency_version_updates: - >- /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates - >- - /code-security/dependabot/dependabot-version-updates/customizing-dependency-updates + /code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs - >- - /code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + /code-security/dependabot/working-with-dependabot/dependabot-options-reference - >- /code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot - >- /code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions - >- - /code-security/dependabot/dependabot-version-updates/listing-dependencies-configured-for-version-updates + /code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates - >- /code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot - >- /code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot - >- - /code-security/dependabot/working-with-dependabot/removing-dependabot-access-to-public-registries + /code-security/dependabot/maintain-dependencies/removing-dependabot-access-to-public-registries - >- /code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates - >- - /code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors + /code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors secret_scanning: title: Scan for secrets description: >- diff --git a/data/release-notes/enterprise-server/3-11/0-rc1.yml b/data/release-notes/enterprise-server/3-11/0-rc1.yml index b379a86575ad..e62559525182 100644 --- a/data/release-notes/enterprise-server/3-11/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-11/0-rc1.yml 
@@ -119,7 +119,7 @@ sections: # https://github.com/github/releases/issues/3363 # https://github.com/github/releases/issues/3364 - | - To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). + To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). # https://github.com/github/releases/issues/3270 # https://github.com/github/releases/issues/3271 diff --git a/data/release-notes/enterprise-server/3-11/0.yml b/data/release-notes/enterprise-server/3-11/0.yml index 40f2a2feb851..9eb20e1c2e0c 100644 --- a/data/release-notes/enterprise-server/3-11/0.yml +++ b/data/release-notes/enterprise-server/3-11/0.yml 
@@ -113,7 +113,7 @@ sections: # https://github.com/github/releases/issues/3363 # https://github.com/github/releases/issues/3364 - | - To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). + To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in `dependabot.yml`. You can also control Dependabot's behavior for groups using comment commands. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands). # https://github.com/github/releases/issues/3270 # https://github.com/github/releases/issues/3271 diff --git a/data/release-notes/enterprise-server/3-12/0-rc1.yml b/data/release-notes/enterprise-server/3-12/0-rc1.yml index b086b2c793cc..1f5ab03b78bf 100644 --- a/data/release-notes/enterprise-server/3-12/0-rc1.yml +++ b/data/release-notes/enterprise-server/3-12/0-rc1.yml 
@@ -65,7 +65,8 @@ sections: notes: # https://github.com/github/releases/issues/3458 - | - To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). + To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). + # https://github.com/github/releases/issues/3091 - | Users can choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in repositories or organizations. Auto-triage rules provide control over whether an alert is ignored, is snoozed, or triggers a pull request for a security update. Users can also use a rule created by GitHub to automatically dismiss low-impact issues in npm dependencies. Auto-triage rules are in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules). diff --git a/data/release-notes/enterprise-server/3-12/0.yml b/data/release-notes/enterprise-server/3-12/0.yml index df5b028767a9..f075f7afe759 100644 --- a/data/release-notes/enterprise-server/3-12/0.yml +++ b/data/release-notes/enterprise-server/3-12/0.yml 
@@ -68,7 +68,8 @@ sections: notes: # https://github.com/github/releases/issues/3458 - | - To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/viewing-dependabot-job-logs). + To debug issues with Dependabot, users can view logs for Dependabot job runs associated with version updates, security updates, and rebase updates. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/viewing-dependabot-job-logs). + # https://github.com/github/releases/issues/3091 - | Users can choose how to respond to Dependabot alerts automatically by setting up custom auto-triage rules in repositories or organizations. Auto-triage rules provide control over whether an alert is ignored, is snoozed, or triggers a pull request for a security update. Users can also use a rule created by GitHub to automatically dismiss low-impact issues in npm dependencies. Auto-triage rules are in public beta and subject to change. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules). diff --git a/data/release-notes/enterprise-server/3-14/0.yml b/data/release-notes/enterprise-server/3-14/0.yml index 1ac4db753bf3..1f83264a018e 100644 --- a/data/release-notes/enterprise-server/3-14/0.yml +++ b/data/release-notes/enterprise-server/3-14/0.yml 
@@ -108,7 +108,7 @@ sections: Dependabot uses private registry configurations specified in the `dependabot.yml` file as expected, even if there is a configuration with `target-branch`. This ensures that security updates are applied correctly, regardless of your repository's configuration settings. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot). # https://github.com/github/releases/issues/4118 - | - In the `dependabot.yml` file, users can apply the same configuration to manifest files from multiple directories using the `directories` key. Direct strings, glob syntax, and wildcards (`*`) are all supported for targeting directories. See [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories). [Updated: 2024-10-07] + In the `dependabot.yml` file, users can apply the same configuration to manifest files from multiple directories using the `directories` key. Direct strings, glob syntax, and wildcards (`*`) are all supported for targeting directories. See [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories). [Updated: 2024-10-07] - heading: Code security notes: diff --git a/data/reusables/actions/dependabot-version-updates-actions-caveats.md b/data/reusables/actions/dependabot-version-updates-actions-caveats.md index a8eb2c49f42d..09462d310b06 100644 --- a/data/reusables/actions/dependabot-version-updates-actions-caveats.md +++ b/data/reusables/actions/dependabot-version-updates-actions-caveats.md 
@@ -1,3 +1,3 @@ * {% data variables.product.prodname_dependabot %} only supports updates to {% data variables.product.prodname_actions %} using the {% data variables.product.prodname_dotcom %} repository syntax, such as `{% data reusables.actions.action-checkout %}`. {% data variables.product.prodname_dependabot %} will ignore actions or reusable workflows referenced locally (for example, `./.github/actions/foo.yml`). * Docker Hub and {% data variables.product.prodname_registry %} {% data variables.product.prodname_container_registry %} URLs are currently not supported. For example, references to Docker container actions using `docker://` syntax aren't supported. -* {% data variables.product.prodname_dependabot %} supports both public and private repositories for {% data variables.product.prodname_actions %}. For private registry configuration options, see "`git`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git)." +* {% data variables.product.prodname_dependabot %} supports both public and private repositories for {% data variables.product.prodname_actions %}. For private registry configuration options, see "`git`" in "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git)." diff --git a/data/reusables/dependabot/automatic-deactivation-link.md b/data/reusables/dependabot/automatic-deactivation-link.md new file mode 100644 index 000000000000..5d0efc38c356 --- /dev/null +++ b/data/reusables/dependabot/automatic-deactivation-link.md @@ -0,0 +1 @@ +When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped). 
diff --git a/data/reusables/dependabot/automatically-pause-dependabot-updates.md b/data/reusables/dependabot/automatically-pause-dependabot-updates.md index 3a3a1c08efc2..107f9f55e9a9 100644 --- a/data/reusables/dependabot/automatically-pause-dependabot-updates.md +++ b/data/reusables/dependabot/automatically-pause-dependabot-updates.md @@ -1,4 +1,4 @@ -When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know. This automatic opt-out behavior reduces noise because {% data variables.product.prodname_dependabot %} doesn't create pull requests for version and security updates, and doesn't rebase {% data variables.product.prodname_dependabot %} pull requests for inactive repositories. +When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know. This automatic opt-out behavior means that {% data variables.product.prodname_dependabot %} no longer creates pull requests for version and security updates, and no longer rebases {% data variables.product.prodname_dependabot %} pull requests for inactive repositories. The automatic deactivation of {% data variables.product.prodname_dependabot %} updates only applies to repositories where {% data variables.product.prodname_dependabot %} has opened pull requests but the pull requests remain untouched. If {% data variables.product.prodname_dependabot %} hasn't opened any pull requests, {% data variables.product.prodname_dependabot %} will never become paused. diff --git a/data/reusables/dependabot/configuration-options.md b/data/reusables/dependabot/configuration-options.md index 9b630ce68efd..45f4d56cfde2 100644 --- a/data/reusables/dependabot/configuration-options.md 
+++ b/data/reusables/dependabot/configuration-options.md 
@@ -1,30 +1,30 @@ | Option | Required | Security Updates | Version Updates | Description | |:---|:---:|:---:|:---:|:---| -| [`package-ecosystem`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Package manager to use | -| [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Location of package manifests | +| [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Package manager to use | +| [`directory`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directory) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Location of package manifests | | {% ifversion dependabot-updates-multidirectory-support %} | -| [`directories`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Locations of package manifests (multiple directories) | +| [`directories`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories) | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Locations of package manifests 
(multiple directories) | | {% endif %} | -| [`schedule.interval`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | How often to check for updates | -| [`allow`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Customize which updates are allowed | -| [`assignees`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#assignees) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Assignees to set on pull requests | -| [`commit-message`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#commit-message) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Commit message preferences | -| [`enable-beta-ecosystems`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#enable-beta-ecosystems) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Enable ecosystems that have {% data variables.release-phases.public_preview %}-level support | +| [`schedule.interval`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduleinterval) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | How often to check for updates | +| 
[`allow`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Customize which updates are allowed | +| [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Assignees to set on pull requests | +| [`commit-message`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Commit message preferences | +| [`enable-beta-ecosystems`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#enable-beta-ecosystems) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Enable ecosystems that have {% data variables.release-phases.public_preview %}-level support | | {% ifversion dependabot-version-updates-groups %} | -| [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-grouped-security-updates-config %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% octicon "check" aria-label="Supported" %} | Group updates for certain dependencies | +| [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-grouped-security-updates-config %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" 
aria-label="Not supported" %}{% endif %} | {% octicon "check" aria-label="Supported" %} | Group updates for certain dependencies | | {% endif %} | -| [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) | {% octicon "x" aria-label="Not supported" %} | See [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) | See [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) | Ignore certain dependencies or versions | -| [`insecure-external-code-execution`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#insecure-external-code-execution) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Allow or deny code execution in manifest files | -| [`labels`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#labels) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Labels to set on pull requests | -| [`milestone`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#milestone) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Milestone to set on pull requests | +| [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) | {% octicon "x" aria-label="Not supported" %} | See [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) | See [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) | Ignore certain dependencies or versions | 
+| [`insecure-external-code-execution`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#insecure-external-code-execution) | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Allow or deny code execution in manifest files | +| [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Labels to set on pull requests | +| [`milestone`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#milestone) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Milestone to set on pull requests | | [`open-pull-requests-limit`](#open-pull-requests-limit) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Limit number of open pull requests for version updates | -| [`pull-request-branch-name.separator`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#pull-request-branch-nameseparator) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Change separator for pull request branch names | -| [`rebase-strategy`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Disable automatic rebasing | -| [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) | {% octicon 
"x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Private registries that {% data variables.product.prodname_dependabot %} can access| -| [`reviewers`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Reviewers to set on pull requests | -| [`schedule.day`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Day of week to check for updates | -| [`schedule.time`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduletime) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Time of day to check for updates (hh:mm) | -| [`schedule.timezone`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduletimezone) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Timezone for time of day (zone identifier) | -| [`target-branch`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Branch to create pull requests against | -| [`vendor`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#vendor) | {% octicon "x" aria-label="Not supported" %} | {% 
octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Update vendored or cached dependencies | -| [`versioning-strategy`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | How to update manifest version requirements | +| [`pull-request-branch-name.separator`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#pull-request-branch-nameseparator) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Change separator for pull request branch names | +| [`rebase-strategy`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#rebase-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Disable automatic rebasing | +| [`registries`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#registries) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Private registries that {% data variables.product.prodname_dependabot %} can access| +| [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Reviewers to set on pull requests | +| [`schedule.day`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduleday) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Day of 
week to check for updates | +| [`schedule.time`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduletime) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Time of day to check for updates (hh:mm) | +| [`schedule.timezone`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#scheduletimezone) | {% octicon "x" aria-label="Not supported" %}| {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Timezone for time of day (zone identifier) | +| [`target-branch`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#target-branch) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Branch to create pull requests against | +| [`vendor`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Update vendored or cached dependencies | +| [`versioning-strategy`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy) | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | How to update manifest version requirements | diff --git a/data/reusables/dependabot/default-labels.md b/data/reusables/dependabot/default-labels.md index 9294fb86c13e..000db286ca49 100644 --- a/data/reusables/dependabot/default-labels.md +++ b/data/reusables/dependabot/default-labels.md 
@@ -1 +1,5 @@ -By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. If more than one package manager is defined, {% data variables.product.prodname_dependabot %} includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: `java` for Gradle updates and `submodules` for git submodule updates. {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository. +By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. + +If more than one package manager is defined, {% data variables.product.prodname_dependabot %} includes an additional label on each pull request, which indicates which language or ecosystem the pull request updates. For example, adding `java` for Gradle updates, or `submodules` for git submodule updates. + +{% data variables.product.prodname_dependabot %} creates the default labels it applies to pull requests if they do not already exist in the repository. If you want to use custom labels, you need to create these yourself. For more information, see: [AUTOTITLE](/issues/using-labels-and-milestones-to-track-work/managing-labels). diff --git a/data/reusables/dependabot/dependabot-ignore-dependencies.md b/data/reusables/dependabot/dependabot-ignore-dependencies.md index 46e2514f3715..f6093d36d69f 100644 --- a/data/reusables/dependabot/dependabot-ignore-dependencies.md +++ b/data/reusables/dependabot/dependabot-ignore-dependencies.md 
@@ -1,4 +1,4 @@ If you want to ignore updates for the dependency, you must do one of the following. -* Configure an `ignore` rule for the dependency in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore)." +* Configure an `ignore` rule for the dependency in the `dependabot.yml` file. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore)." * Use the `@dependabot ignore` comment command for the dependency in the pull request for the grouped updates. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-for-grouped-{% ifversion dependabot-grouped-security-updates-config %}{% else %}version-{% endif %}updates-with-comment-commands)." diff --git a/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md b/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md index b557e5b47bfa..9107da907c7b 100644 --- a/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md +++ b/data/reusables/dependabot/dependabot-on-actions-self-hosted-link.md 
@@ -1,3 +1,3 @@ {% ifversion dependabot-on-actions-self-hosted %} -To have greater control over {% data variables.product.prodname_dependabot %}'s access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" and "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-dependabot-on-self-hosted-runners)." +To have greater control over {% data variables.product.prodname_dependabot %}'s access to your private registries and internal network resources, you can configure {% data variables.product.prodname_dependabot %} to run on {% data variables.product.prodname_actions %} self-hosted runners. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners)" and "[AUTOTITLE](/code-security/dependabot/maintain-dependencies/managing-dependabot-on-self-hosted-runners)." {% endif %} diff --git a/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md b/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md index 72659bdb4c64..f2dd5ede3d30 100644 --- a/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md +++ b/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md 
@@ -4,6 +4,6 @@ By default, {% data variables.product.prodname_actions %} workflow runs that are There are three ways to resolve this problem: -1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see "[AUTOTITLE](/actions/learn-github-actions/expressions)." -1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events)." +1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). +1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events). 1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`. diff --git a/data/reusables/dependabot/dependabot-updates-registries-options.md b/data/reusables/dependabot/dependabot-updates-registries-options.md index 61288fd2917d..d6461390a2d6 100644 --- a/data/reusables/dependabot/dependabot-updates-registries-options.md +++ b/data/reusables/dependabot/dependabot-updates-registries-options.md 
@@ -1,11 +1,9 @@ You use the following options to specify access settings. Registry settings must contain a `type` and a `url`, and typically either a `username` and `password` combination or a `token`. -| Option                 | Description | +| Parameters | Purpose | |:---|:---| -| `type` | Identifies the type of registry. For more information about the available registry types, see "[`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries)." For further details about the configuration of private registries specifically, see "[Configuration options for private registries](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)."| -| `url` | The URL to use to access the dependencies in this registry. The protocol is optional. If not specified, `https://` is assumed. {% data variables.product.prodname_dependabot %} adds or ignores trailing slashes as required. | -| `username` | The username that {% data variables.product.prodname_dependabot %} uses to access the registry.
`username` is the username or email address for the account. | -| `password` | A reference to a {% data variables.product.prodname_dependabot %} secret containing the password for the specified user. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."
`password` is the password for the account specified by the username. {% data reusables.dependabot.password-definition %} | -| `key` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access key for this registry. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)." | -| `token` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access token for this registry. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)."
`token` is used to provide an access token for an external system and should not be used to provide a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}. If you want to use a {% data variables.product.prodname_dotcom %} {% data variables.product.pat_generic %}, you should supply it as a password. | -| `replaces-base` | For registries, if the boolean value is `true`, {% data variables.product.prodname_dependabot %} will resolve dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, for registries with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). | +| `REGISTRY_NAME` | **Required:** Defines an identifier for the registry. | +| `type` | **Required:** Identifies the type of registry.| +| Authentication details | **Required:** The parameters supported for supplying authentication details vary for registries of different types. | +| `url` | **Required:** The URL to use to access the dependencies in this registry. The protocol is optional. If not specified, `https://` is assumed. {% data variables.product.prodname_dependabot %} adds or ignores trailing slashes as required. | +| `replaces-base` | If the boolean value is `true`, {% data variables.product.prodname_dependabot %} resolves dependencies using the specified `url` rather than the base URL of that ecosystem. | diff --git a/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md b/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md index 8c6d05c7a7a8..7665a7cd2137 100644 --- a/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md +++ b/data/reusables/dependabot/dependabot-updates-supported-versioning-tags.md 
@@ -1,6 +1,6 @@ {% data variables.product.prodname_dependabot %} recognizes a variety of versioning tags for pre-releases, stable versions, and custom tags across different ecosystems. -The `dependabot.yml` file doesn't control the versioning tags that you can use, but you can define in configuration options such as [`ignore`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) the supported versioning tags you want to ignore updates for. +The `dependabot.yml` file doesn't control the versioning tags that you can use, but you can define in configuration options such as [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore) the supported versioning tags you want to ignore updates for. #### Supported versioning tags diff --git a/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md b/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md index 022e01b0423d..0d567ae9d4ea 100644 --- a/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md +++ b/data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md 
@@ -1,35 +1,45 @@ -#### Example 1 +### Example 1: Three version update groups -The `dependabot.yml` file configuration uses `patterns` and `dependency-type` options to include specific dependencies in the group, and `exclude-patterns` to exclude a dependency (or multiple dependencies) from the group.{% ifversion dependabot-grouped-security-updates-config %} The grouping rule defaults to applying to version updates only, since the `applies-to` key is absent.{% endif %} +In this example, the `dependabot.yml` file: +* Creates three groups, called "`production-dependencies`", "`development-dependencies`", and "`rubocop`". +* Uses `patterns` and `dependency-type` to include dependencies in the group. +* Uses `exclude-patterns` to exclude a dependency (or multiple dependencies) from the group. ```yaml -# `dependabot.yml` file using the `dependency-type` option to group updates -# in conjunction with `patterns` and `exclude-patterns`. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules default to applying to version updates only, since -# the `applies-to` key is absent.{%- endif %} - -groups: - production-dependencies: - dependency-type: "production" - development-dependencies: - dependency-type: "development" - exclude-patterns: - - "rubocop*" - rubocop: - patterns: - - "rubocop*" +version: 2 +updates: + # Keep bundler dependencies up to date + - package-ecosystem: "bundler" + directory: "/" + schedule: + interval: "weekly" + groups: + production-dependencies: + dependency-type: "production" + development-dependencies: + dependency-type: "development" + exclude-patterns: + - "rubocop*" + rubocop: + patterns: + - "rubocop*" ``` -#### Example 2 +As a result: +* Version updates are grouped by dependency type. +* Development dependencies matching the pattern `rubocop*` are excluded from the `development-dependencies` group. +* Instead, development dependencies matching `rubocop*` will be included in the `rubocop` group. 
Due to the ordering, production dependencies matching `rubocop*` will be included in the `production-dependencies` group.{% ifversion dependabot-grouped-security-updates-config %} +* In addition, all groups default to applying to version updates only, since the `applies-to` key is absent.{% endif %} -A `dependabot.yml` file with a customized Bundler configuration, which has been modified to create a group of dependencies. The configuration specifies `patterns` (strings of characters) that match with the name of a dependency (or multiple dependencies) in order to include the dependencies in the group.{% ifversion dependabot-grouped-security-updates-config %} The grouping rule applies to version updates only, since `applies-to: version-updates` is used.{% endif %} +### Example 2: Grouped updates with excluded dependencies -```yaml -# `dependabot.yml` file with customized Bundler configuration -# In this example, the name of the group is `dev-dependencies`, and -# only the `patterns` and `exclude-patterns` options are used. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules apply to version updates only.{%- endif %} +In this example, the `dependabot.yml` file: +* Creates a group called "`support-dependencies`", as part of a customized Bundler configuration. +* Uses `patterns` that match with the name of a dependency (or multiple dependencies) to include dependencies in the group. +* Uses `exclude-patterns` that match with the name of a dependency (or multiple dependencies) to exclude dependencies from the group. {% ifversion dependabot-grouped-security-updates-config %} +* Applies the grouping to version updates only, since `applies-to: version-updates` is used.{% endif %} +```yaml version: 2 updates: # Keep bundler dependencies up to date 
@@ -43,34 +53,38 @@ updates: interval: "weekly" # Create a group of dependencies to be updated together in one pull request groups: - # Specify a name for the group, which will be used in pull request titles - # and branch names - dev-dependencies: - # Define patterns to include dependencies in the group (based on - # dependency name){% ifversion dependabot-grouped-security-updates-config %} - applies-to: version-updates # Applies the group rule to version updates{%- endif %} - patterns: - - "rubocop" # A single dependency name - - "rspec*" # A wildcard string that matches multiple dependency names - - "*" # A wildcard that matches all dependencies in the package - # ecosystem. Note: using "*" may open a large pull request - # Define patterns to exclude dependencies from the group (based on - # dependency name) - exclude-patterns: - - "gc_ruboconfig" - - "gocardless-*" + # Specify a name for the group, which will be used in pull request titles + # and branch names + support-dependencies: + # Define patterns to include dependencies in the group (based on + # dependency name){% ifversion dependabot-grouped-security-updates-config %} + applies-to: version-updates # Applies the group rule to version updates{%- endif %} + patterns: + - "rubocop" # A single dependency name + - "rspec*" # A wildcard string that matches multiple dependency names + - "*" # A wildcard that matches all dependencies in the package + # ecosystem. 
Note: using "*" may open a large pull request + # Define patterns to exclude dependencies from the group (based on + # dependency name) + exclude-patterns: + - "gc_ruboconfig" + - "gocardless-*" ``` -#### Example 3 +As a result: +* The majority of dependencies for bundler are consolidated into the `support-dependencies` group due to the wildcard ("*") pattern, apart from +* Dependencies that match `gc_ruboconfig` and `gocardless-*` are excluded from the group, and {% data variables.product.prodname_dependabot %} continues to raise single pull requests for these dependencies. This can be helpful if updates for these dependencies need to be reviewed with closer scrutiny. +* For `support-dependencies`, {% data variables.product.prodname_dependabot %} will only raise pull requests for version updates. -The `dependabot.yml` file is configured so that any packages matching the pattern `@angular*` where the highest resolvable version is `minor` or `patch` will be grouped together. {% data variables.product.prodname_dependabot %} will create a separate pull request for any package that doesn't match the pattern, or that doesn't update to a `minor` or `patch` version.{% ifversion dependabot-grouped-security-updates-config %} The grouping rule applies to version updates only, since `applies-to: version-updates` is used.{% endif %} +### Example 3: Individual pull requests for major updates and grouped for minor/patch updates -```yaml -# `dependabot.yml` file using the `update-types` option to group updates. -# Any packages matching the pattern @angular* where the highest resolvable -# version is minor or patch will be grouped together. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules apply to version updates only.{%- endif %} +In this example, the `dependabot.yml` file: +* Creates a group called "`angular`". +* Uses `patterns` that match with the name of a dependency to include dependencies in the group. 
+* Uses `update-type` to only include `minor` or `patch` updates in the group.{% ifversion dependabot-grouped-security-updates-config %} +* Applies the grouping to version updates only, since `applies-to: version-updates` is used.{% endif %} +```yaml version: 2 updates: - package-ecosystem: "npm" 
@@ -78,41 +92,58 @@ updates: schedule: interval: "weekly" groups: + # Specify a name for the group, which will be used in pull request titles + # and branch names angular:{% ifversion dependabot-grouped-security-updates-config %} applies-to: version-updates{%- endif %} patterns: - - "@angular*" + - "@angular*" update-types: - - "minor" - - "patch" + - "minor" + - "patch" ``` -#### Example 4 +As a result: +* {% data variables.product.prodname_dependabot %} will create a grouped pull request for all Angular dependencies that have a minor or patch update. +* All major updates will continue to be raised as individual pull requests. -The `dependabot.yml` file uses an `ignore` condition to exclude updates to `major` versions of `@angular*` packages.{% ifversion dependabot-grouped-security-updates-config %} Two grouping rules are specified, one for version updates and one for security updates.{% endif %} +### Example 4: Grouped pull requests for minor/patch updates and no pull requests for major updates -```yaml -# `dependabot.yml` file using the `update-types` option to group updates -# in conjunction with an `ignore` condition. If you do not want updates -# to `major` versions of `@angular*` packages, you can specify an `ignore` condition. -{% ifversion dependabot-grouped-security-updates-config %}# Grouping rules for both version updates and security updates are specified.{%- endif %} +In this example, the `dependabot.yml` file: +* Creates two groups called "`angular`" and "`minor-and-patch`". {% ifversion dependabot-grouped-security-updates-config %} +* Uses `applies-to` so that the first group applies to version updates only, and the second group applies to security updates only.{% endif %} +* Uses `update-type` to only include `minor` or `patch` updates for both groups. +* Uses an `ignore` condition to exclude updates to `major` versions of `@angular*` packages. 
-groups: - angular:{% ifversion dependabot-grouped-security-updates-config %} - applies-to: version-updates{%- endif %} - patterns: - - "@angular*" - update-types: - - "minor" - - "patch"{% ifversion dependabot-grouped-security-updates-config %} - minor-and-patch: - applies-to: security-updates - patterns: - - "@angular*" - update-types: - - "patch" - - "minor"{%- endif %} -ignore: - - dependency-name: "@angular*" - update-types: ["version-update:semver-major"] +```yaml +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + groups: + angular:{% ifversion dependabot-grouped-security-updates-config %} + applies-to: version-updates{%- endif %} + patterns: + - "@angular*" + update-types: + - "minor" + - "patch"{% ifversion dependabot-grouped-security-updates-config %} + minor-and-patch: + applies-to: security-updates + patterns: + - "@angular*" + update-types: + - "patch" + - "minor"{%- endif %} + ignore: + - dependency-name: "@angular*" + update-types: ["version-update:semver-major"] ``` + +As a result: +* Minor and patch version updates for Angular dependencies are grouped into a single pull request. +* Minor and patch security updates for Angular dependencies are also grouped together into a single pull request. +* {% data variables.product.prodname_dependabot %} won't automatically open pull requests for major updates for Angular. diff --git a/data/reusables/dependabot/initial-updates.md b/data/reusables/dependabot/initial-updates.md index 53fa255a04d0..5df2a5fe876b 100644 --- a/data/reusables/dependabot/initial-updates.md +++ b/data/reusables/dependabot/initial-updates.md 
@@ -3,6 +3,6 @@ When you first enable version updates, you may have many dependencies that are o {% ifversion dependabot-updates-deprecate-rerun-failed-jobs %}{% else %} {% data variables.product.prodname_dependabot %} may also create pull requests when you change a manifest file after an update has failed. This is because changes to a manifest, such as removing the dependency that caused the update to fail, may cause the newly triggered update to succeed.{% endif %} -To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the [`open-pull-requests-limit` configuration option](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit). +To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the [`open-pull-requests-limit` configuration option](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#open-pull-requests-limit). 
-{% ifversion dependabot-version-updates-groups %}To further reduce the number of pull requests you may be seeing, you can use the [`groups`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) configuration option to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many dependencies as possible in the group to the latest versions at the same time.{% endif %} +{% ifversion dependabot-version-updates-groups %}To further reduce the number of pull requests you may be seeing, you can use the [`groups`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups) configuration option to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many dependencies as possible in the group to the latest versions at the same time.{% endif %} diff --git a/data/reusables/dependabot/link-to-yml-config-file.md b/data/reusables/dependabot/link-to-yml-config-file.md index e5092818e0e5..9b4e51426a04 100644 --- a/data/reusables/dependabot/link-to-yml-config-file.md +++ b/data/reusables/dependabot/link-to-yml-config-file.md @@ -1 +1 @@ -For information about the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)." +For information about the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference). 
diff --git a/data/reusables/dependabot/no-security-impact-if-not-default-branch.md b/data/reusables/dependabot/no-security-impact-if-not-default-branch.md new file mode 100644 index 000000000000..4a9b7585feaa --- /dev/null +++ b/data/reusables/dependabot/no-security-impact-if-not-default-branch.md @@ -0,0 +1,2 @@ +> [!TIP] +> For security updates, this option has an impact only if this `package-ecosystem` creates pull requests against the default branch for the repository. This option has no impact if `target-branch` is used to define updates to a non-default branch. diff --git a/data/reusables/dependabot/private-dependencies-note.md b/data/reusables/dependabot/private-dependencies-note.md index a41e520c2d54..bbe8c194ca62 100644 --- a/data/reusables/dependabot/private-dependencies-note.md +++ b/data/reusables/dependabot/private-dependencies-note.md 
@@ -1 +1 @@ -When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, {% data variables.product.prodname_dependabot %} must be able to access the location at which those dependencies are hosted. Organization owners can grant {% data variables.product.prodname_dependabot %} access to private repositories containing dependencies for a project within the same organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)." You can configure access to private registries in a repository's `dependabot.yml` configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#configuration-options-for-private-registries)." +When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, {% data variables.product.prodname_dependabot %} must be able to access the location at which those dependencies are hosted. Organization owners can grant {% data variables.product.prodname_dependabot %} access to private repositories containing dependencies for a project within the same organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies)." 
You can configure access to private registries in a repository's `dependabot.yml` configuration file. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#configuration-options-for-private-registries)." diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 7fe7b7e82a55..5dc9929b6d99 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -69,9 +69,9 @@ Features in any valid dev container location will be updated in a single pull re In order for {% data variables.product.prodname_dependabot %} to fetch Docker metadata, maintainers of Docker images must add the `org.opencontainers.image.source` label to their Dockerfile, and include the URL of the source repository. Additionally, maintainers must tag the repository with the same tags as the published Docker images. For an example, see the [`dependabot-fixtures/docker-with-source`](https://github.com/dependabot-fixtures/docker-with-source) repository. For more information on Docker labels, see [Extension image labels](https://docs.docker.com/desktop/extensions-sdk/extensions/labels/) and [BUILDX_GIT_LABELS](https://docs.docker.com/build/building/env-vars/#buildx_git_labels) in the Docker documentation. {% endif %} -{% data variables.product.prodname_dependabot %} can update Docker image tags in Kubernetes manifests. Add an entry to the Docker `package-ecosystem` element of your `dependabot.yml` file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. For information about configuring your `dependabot.yml` file for `docker`, see "`package-ecosystem`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)." +{% data variables.product.prodname_dependabot %} can update Docker image tags in Kubernetes manifests. Add an entry to the Docker `package-ecosystem` element of your `dependabot.yml` file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. 
For information about configuring your `dependabot.yml` file for `docker`, see "`package-ecosystem`" in "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem)." -{% data variables.product.prodname_dependabot %} supports both public and private Docker registries. For a list of the supported registries, see "`docker-registry`" in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)." +{% data variables.product.prodname_dependabot %} supports both public and private Docker registries. For a list of the supported registries, see "`docker-registry`" in "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#docker-registry)." {% endif %} {% data variables.product.prodname_dependabot %} parses Docker image tags for Semantic Versioning ([SemVer](https://semver.org/)). If {% data variables.product.prodname_dependabot %} detects a tag with a pre-release, then it will only suggest an update to the latest version with a matching pre-release, and it will not suggest a newer version that use a different pre-release label. For more information, see the `dependabot-docker` [README.md](https://github.com/dependabot/dependabot-core/blob/main/docker/README.md) file in the `dependabot/dependabot-core` repository. 
@@ -152,7 +152,7 @@ Private registry support applies to git registries only. Swift registries are no Terraform support includes: * Modules hosted on Terraform Registry or a publicly reachable Git repository. * Terraform providers. -* Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see [`git`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#git). +* Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see [`git`](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git). #### yarn diff --git a/data/reusables/dependabot/working-with-actions-considerations.md b/data/reusables/dependabot/working-with-actions-considerations.md new file mode 100644 index 000000000000..6fdeebef6d89 --- /dev/null +++ b/data/reusables/dependabot/working-with-actions-considerations.md @@ -0,0 +1 @@ +{% data variables.product.prodname_dependabot %} is able to trigger {% data variables.product.prodname_actions %} workflows on its pull requests and comments; however, certain events are treated differently. diff --git a/data/reusables/repositories/about-giving-access-to-forks.md b/data/reusables/repositories/about-giving-access-to-forks.md index 7ecc353bd7be..5c8fbd1318fc 100644 --- a/data/reusables/repositories/about-giving-access-to-forks.md +++ b/data/reusables/repositories/about-giving-access-to-forks.md 
@@ -1 +1 @@ -If you fork a public repository to your personal account, make changes, then open a pull request to propose your changes to the upstream repository, you can give anyone with push access to the upstream repository permission to push changes to your pull request branch (including deleting the branch). This speeds up collaboration by allowing repository maintainers to make commits or run tests locally to your pull request branch from a user-owned fork before merging. You cannot give push permissions to a fork owned by an organization. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork)." +If you fork a public repository to your personal account, make changes, then open a pull request to propose your changes to the upstream repository, you can give anyone with push access to the upstream repository permission to push changes to your pull request branch (including deleting the branch). This speeds up collaboration by allowing repository maintainers to make commits or run tests locally to your pull request branch from a user-owned fork before merging. You cannot give push permissions to a fork owned by an organization. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork). diff --git a/data/reusables/repositories/about-push-rule-delegated-bypass.md b/data/reusables/repositories/about-push-rule-delegated-bypass.md index b71d974f9c3b..f92756a2f2b4 100644 --- a/data/reusables/repositories/about-push-rule-delegated-bypass.md +++ b/data/reusables/repositories/about-push-rule-delegated-bypass.md 
@@ -6,4 +6,4 @@ Delegated bypass for push rulesets lets you control who can bypass push protecti If the request to bypass push rules is approved, the contributor can push the commit containing restricted content. If the request is denied, the contributor must remove the content from the commit (or commits) containing the restricted content before pushing again. -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list includes specific roles and teams, such as team or repository administrators, who oversee requests to bypass push protection. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization)" and "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list includes specific roles and teams, such as team or repository administrators, who oversee requests to bypass push protection. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization) and [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). diff --git a/data/reusables/repositories/administrators-can-disable-issues.md b/data/reusables/repositories/administrators-can-disable-issues.md index 7be9aceebca5..93c015a5ea03 100644 --- a/data/reusables/repositories/administrators-can-disable-issues.md +++ b/data/reusables/repositories/administrators-can-disable-issues.md 
@@ -1 +1 @@ -Repository administrators can disable issues for a repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/disabling-issues)." +Repository administrators can disable issues for a repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/disabling-issues). diff --git a/data/reusables/repositories/asking-for-review.md b/data/reusables/repositories/asking-for-review.md index b12b30b3fedb..5a5857da4ff1 100644 --- a/data/reusables/repositories/asking-for-review.md +++ b/data/reusables/repositories/asking-for-review.md @@ -1,2 +1,2 @@ > [!TIP] -> After you create a pull request, you can ask a specific person to [review your proposed changes](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request). For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review)." +> After you create a pull request, you can ask a specific person to [review your proposed changes](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request). For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review). diff --git a/data/reusables/repositories/autolink-references.md b/data/reusables/repositories/autolink-references.md index d431bdaab528..cd931c1cb2d9 100644 --- a/data/reusables/repositories/autolink-references.md +++ b/data/reusables/repositories/autolink-references.md 
@@ -1 +1 @@ -If custom autolink references are configured for a repository, then references to external resources, like a JIRA issue or Zendesk ticket, convert into shortened links. To know which autolinks are available in your repository, contact someone with admin permissions to the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources)." +If custom autolink references are configured for a repository, then references to external resources, like a JIRA issue or Zendesk ticket, convert into shortened links. To know which autolinks are available in your repository, contact someone with admin permissions to the repository. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-autolinks-to-reference-external-resources). diff --git a/data/reusables/repositories/choose-repo-visibility.md b/data/reusables/repositories/choose-repo-visibility.md index 0193ddbab010..a64a06febfe6 100644 --- a/data/reusables/repositories/choose-repo-visibility.md +++ b/data/reusables/repositories/choose-repo-visibility.md @@ -1 +1 @@ -1. Choose a repository visibility. For more information, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-repository-visibility)." +1. Choose a repository visibility. For more information, see [AUTOTITLE](/repositories/creating-and-managing-repositories/about-repositories#about-repository-visibility). diff --git a/data/reusables/repositories/commit-signoffs.md b/data/reusables/repositories/commit-signoffs.md index 1a6634d17e00..4c2cc5ead30b 100644 --- a/data/reusables/repositories/commit-signoffs.md +++ b/data/reusables/repositories/commit-signoffs.md 
@@ -6,4 +6,4 @@ You can determine whether a repository you are contributing to has compulsory co Before signing off on a commit, you should ensure that your commit is in compliance with the rules and licensing governing the repository you're committing to. The repository may use a sign off agreement, such as the Developer Certificate of Origin from the Linux Foundation. For more information, see the [Developer Certificate of Origin](https://developercertificate.org/). -Signing off on a commit differs from signing a commit. For more information about signing a commit, see "[AUTOTITLE](/authentication/managing-commit-signature-verification/about-commit-signature-verification)." +Signing off on a commit differs from signing a commit. For more information about signing a commit, see [AUTOTITLE](/authentication/managing-commit-signature-verification/about-commit-signature-verification). diff --git a/data/reusables/repositories/create-pull-request.md b/data/reusables/repositories/create-pull-request.md index ca33d46b5c42..34cd5b305991 100644 --- a/data/reusables/repositories/create-pull-request.md +++ b/data/reusables/repositories/create-pull-request.md 
@@ -1,2 +1,2 @@ 1. To create a pull request that is ready for review, click **Create Pull Request**. -To create a draft pull request, use the drop-down and select **Create Draft Pull Request**, then click **Draft Pull Request**. If you are the member of an organization, you may need to request access to draft pull requests from an organization owner. See "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests#draft-pull-requests)." +To create a draft pull request, use the drop-down and select **Create Draft Pull Request**, then click **Draft Pull Request**. If you are the member of an organization, you may need to request access to draft pull requests from an organization owner. See [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests#draft-pull-requests). diff --git a/data/reusables/repositories/default-issue-templates.md b/data/reusables/repositories/default-issue-templates.md index a703881264c4..637d8b6f7925 100644 --- a/data/reusables/repositories/default-issue-templates.md +++ b/data/reusables/repositories/default-issue-templates.md @@ -1 +1 @@ -You can create default issue templates and a default configuration file for issue templates for your organization or personal account. For more information, see "[AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file)." +You can create default issue templates and a default configuration file for issue templates for your organization or personal account. For more information, see [AUTOTITLE](/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file). diff --git a/data/reusables/repositories/deleted_forks_from_private_repositories_warning.md b/data/reusables/repositories/deleted_forks_from_private_repositories_warning.md index 77f341224306..3844be1e3bde 100644 
--- a/data/reusables/repositories/deleted_forks_from_private_repositories_warning.md +++ b/data/reusables/repositories/deleted_forks_from_private_repositories_warning.md 
@@ -2,4 +2,4 @@ > * If you remove a person’s access to a private repository, any of their forks of that private repository are deleted. Local clones of the private repository are retained. If a team's access to a private repository is revoked or a team with access to a private repository is deleted, and team members do not have access to the repository through another team, private forks of the repository will be deleted.{% ifversion ghes %} > * When [LDAP Sync is enabled](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync), if you remove a person from a repository, they will lose access but their forks will not be deleted. If the person is added to a team with access to the original organization repository within three months, their access to the forks will be automatically restored on the next sync.{% endif %} > * You are responsible for ensuring that people who have lost access to a repository delete any confidential information or intellectual property. -> * People with admin permissions to a private{% ifversion ghes or ghec %} or internal{% endif %} repository can disallow forking of that repository, and organization owners can disallow forking of any private{% ifversion ghes or ghec %} or internal{% endif %} repository in an organization. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization)" and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-forking-policy-for-your-repository)." +> * People with admin permissions to a private{% ifversion ghes or ghec %} or internal{% endif %} repository can disallow forking of that repository, and organization owners can disallow forking of any private{% ifversion ghes or ghec %} or internal{% endif %} repository in an organization. 
For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization) and [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-the-forking-policy-for-your-repository). diff --git a/data/reusables/repositories/deleting-ruleset-tip.md b/data/reusables/repositories/deleting-ruleset-tip.md index 13ebacaca96e..90c034effbc8 100644 --- a/data/reusables/repositories/deleting-ruleset-tip.md +++ b/data/reusables/repositories/deleting-ruleset-tip.md @@ -1,2 +1,2 @@ > [!TIP] -> If you want to temporarily disable a ruleset but do not want to delete it, you can set the ruleset's status to "Disabled." For more information, see "[Editing a ruleset](#editing-a-ruleset)." +> If you want to temporarily disable a ruleset but do not want to delete it, you can set the ruleset's status to "Disabled." For more information, see [Editing a ruleset](#editing-a-ruleset). diff --git a/data/reusables/repositories/dependency-review.md b/data/reusables/repositories/dependency-review.md index 7757225ed4ba..4a63b03bb65e 100644 --- a/data/reusables/repositories/dependency-review.md +++ b/data/reusables/repositories/dependency-review.md 
@@ -1 +1 @@ -Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request)." +Additionally, {% data variables.product.prodname_dotcom %} can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request). diff --git a/data/reusables/repositories/deploy-keys-write-access.md b/data/reusables/repositories/deploy-keys-write-access.md index dcc98fd95bfb..93097c1041f7 100644 --- a/data/reusables/repositories/deploy-keys-write-access.md +++ b/data/reusables/repositories/deploy-keys-write-access.md 
@@ -1 +1 @@ -Deploy keys with write access can perform the same actions as an organization member with admin access, or a collaborator on a personal repository. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)" and "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/permission-levels-for-a-personal-account-repository)." +Deploy keys with write access can perform the same actions as an organization member with admin access, or a collaborator on a personal repository. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization) and [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/permission-levels-for-a-personal-account-repository). diff --git a/data/reusables/repositories/deploy-keys.md b/data/reusables/repositories/deploy-keys.md index 41aad645dd70..8ef13d894345 100644 --- a/data/reusables/repositories/deploy-keys.md +++ b/data/reusables/repositories/deploy-keys.md 
@@ -1 +1 @@ -You can launch projects from a repository on {% data variables.location.product_location %} to your server by using a deploy key, which is an SSH key that grants access to a single repository. {% data variables.product.product_name %} attaches the public part of the key directly to your repository instead of a personal account, and the private part of the key remains on your server. For more information, see "[AUTOTITLE](/rest/guides/delivering-deployments)." +You can launch projects from a repository on {% data variables.location.product_location %} to your server by using a deploy key, which is an SSH key that grants access to a single repository. {% data variables.product.product_name %} attaches the public part of the key directly to your repository instead of a personal account, and the private part of the key remains on your server. For more information, see [AUTOTITLE](/rest/guides/delivering-deployments). diff --git a/data/reusables/repositories/desktop-fork.md b/data/reusables/repositories/desktop-fork.md index 1be579e8567a..c97d0193e404 100644 --- a/data/reusables/repositories/desktop-fork.md +++ b/data/reusables/repositories/desktop-fork.md @@ -1 +1 @@ -You can use {% data variables.product.prodname_desktop %} to fork a repository. For more information, see "[AUTOTITLE](/desktop/adding-and-cloning-repositories/cloning-and-forking-repositories-from-github-desktop)." +You can use {% data variables.product.prodname_desktop %} to fork a repository. For more information, see [AUTOTITLE](/desktop/adding-and-cloning-repositories/cloning-and-forking-repositories-from-github-desktop). diff --git a/data/reusables/repositories/edit-ruleset-steps.md b/data/reusables/repositories/edit-ruleset-steps.md index 07f7c58e586c..deb5061c0e6a 100644 --- a/data/reusables/repositories/edit-ruleset-steps.md +++ b/data/reusables/repositories/edit-ruleset-steps.md 
@@ -1,3 +1,3 @@ 1. On the "Rulesets" page, click the name of the ruleset you want to edit. -1. Change the ruleset as required. For information on the available rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)." +1. Change the ruleset as required. For information on the available rules, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets). 1. At the bottom of the page, click **Save changes**. diff --git a/data/reusables/repositories/enable-security-alerts.md b/data/reusables/repositories/enable-security-alerts.md index 61b386aa3d0b..5dc3d2fccc00 100644 --- a/data/reusables/repositories/enable-security-alerts.md +++ b/data/reusables/repositories/enable-security-alerts.md @@ -1,3 +1,3 @@ {% ifversion ghes %} -Enterprise owners must enable {% data variables.product.prodname_dependabot_alerts %} for {% data variables.location.product_location %} before you can use this feature. For more information, see "[AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise)." +Enterprise owners must enable {% data variables.product.prodname_dependabot_alerts %} for {% data variables.location.product_location %} before you can use this feature. For more information, see [AUTOTITLE](/admin/configuration/configuring-github-connect/enabling-dependabot-for-your-enterprise). {% endif %} diff --git a/data/reusables/repositories/forks-page.md b/data/reusables/repositories/forks-page.md index 34f99af82629..3e8a852358a7 100644 --- a/data/reusables/repositories/forks-page.md +++ b/data/reusables/repositories/forks-page.md 
@@ -1 +1 @@ -{% ifversion repositories-forks-page-improvement %}You can view, sort, and filter the forks of a repository on the repository's forks page. For more information, see "[AUTOTITLE](/repositories/viewing-activity-and-data-for-your-repository/understanding-connections-between-repositories#listing-the-forks-of-a-repository)."{% endif %} +{% ifversion repositories-forks-page-improvement %}You can view, sort, and filter the forks of a repository on the repository's forks page. For more information, see [AUTOTITLE](/repositories/viewing-activity-and-data-for-your-repository/understanding-connections-between-repositories#listing-the-forks-of-a-repository).{% endif %} diff --git a/data/reusables/repositories/github-reviews-security-advisories.md b/data/reusables/repositories/github-reviews-security-advisories.md index aaef4327cac5..f8e34eda7ebc 100644 --- a/data/reusables/repositories/github-reviews-security-advisories.md +++ b/data/reusables/repositories/github-reviews-security-advisories.md 
@@ -1,3 +1,3 @@ {% data variables.product.prodname_dotcom %} will review each published security advisory, add it to the {% data variables.product.prodname_advisory_database %}, and may use the security advisory to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. If the security advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. This process can take up to 72 hours and {% data variables.product.prodname_dotcom %} may contact you for more information. -For more information about {% data variables.product.prodname_dependabot_alerts %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies)" and "[AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-dependabot-security-updates)." For more information about {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)." +For more information about {% data variables.product.prodname_dependabot_alerts %}, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#dependabot-alerts-for-vulnerable-dependencies) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-dependabot-security-updates). For more information about {% data variables.product.prodname_advisory_database %}, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database). diff --git a/data/reusables/repositories/importing-context.md b/data/reusables/repositories/importing-context.md index ffa234532e2a..6391b6407132 100644 
--- a/data/reusables/repositories/importing-context.md +++ b/data/reusables/repositories/importing-context.md @@ -1 +1 @@ -Importing your source code to {% data variables.product.prodname_dotcom %} makes it easier for you and others to work together on projects and manage code. {% data variables.product.prodname_dotcom %} helps you collaborate, track changes, and organize tasks, making it simpler to build and manage projects. For more information, see "[AUTOTITLE](/get-started/start-your-journey/about-github-and-git)." +Importing your source code to {% data variables.product.prodname_dotcom %} makes it easier for you and others to work together on projects and manage code. {% data variables.product.prodname_dotcom %} helps you collaborate, track changes, and organize tasks, making it simpler to build and manage projects. For more information, see [AUTOTITLE](/get-started/start-your-journey/about-github-and-git). diff --git a/data/reusables/repositories/private_forks_inherit_permissions.md b/data/reusables/repositories/private_forks_inherit_permissions.md index b901a5a5b160..5a7765f3a792 100644 --- a/data/reusables/repositories/private_forks_inherit_permissions.md +++ b/data/reusables/repositories/private_forks_inherit_permissions.md 
@@ -1,4 +1,4 @@ Private forks inherit the permissions structure of the upstream repository. This helps owners of private repositories maintain control over their code. For example, if the upstream repository is private and gives read/write access to a team, then the same team will have read/write access to any forks of the private upstream repository. Only team permissions (not individual permissions) are inherited by private forks. > [!NOTE] -> {% data reusables.repositories.org-base-permissions-private-forks %} For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization#about-base-permissions-for-an-organization)." +> {% data reusables.repositories.org-base-permissions-private-forks %} For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization#about-base-permissions-for-an-organization). diff --git a/data/reusables/repositories/protected-branches-block-web-edits-uploads.md b/data/reusables/repositories/protected-branches-block-web-edits-uploads.md index cd35687abaca..cab9e8197188 100644 --- a/data/reusables/repositories/protected-branches-block-web-edits-uploads.md +++ b/data/reusables/repositories/protected-branches-block-web-edits-uploads.md 
@@ -1 +1 @@ -If a repository has any protected branches, you can't edit or upload files in the protected branch using {% data variables.product.prodname_dotcom %}. You can use {% data variables.product.prodname_desktop %} to move your changes to a new branch and commit them. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches)" and "[AUTOTITLE](/desktop/making-changes-in-a-branch/committing-and-reviewing-changes-to-your-project-in-github-desktop)." +If a repository has any protected branches, you can't edit or upload files in the protected branch using {% data variables.product.prodname_dotcom %}. You can use {% data variables.product.prodname_desktop %} to move your changes to a new branch and commit them. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) and [AUTOTITLE](/desktop/making-changes-in-a-branch/committing-and-reviewing-changes-to-your-project-in-github-desktop). diff --git a/data/reusables/repositories/repo-rules-permissions.md b/data/reusables/repositories/repo-rules-permissions.md index 0f6c50f17300..d2dc53482c82 100644 --- a/data/reusables/repositories/repo-rules-permissions.md +++ b/data/reusables/repositories/repo-rules-permissions.md 
@@ -1 +1 @@ -Anyone with read access to a repository can view the repository's rulesets. People with admin access to a repository{% ifversion edit-repository-rules %}, or a custom role with the "edit repository rules" permission,{% endif %} can create, edit, and delete rulesets for a repository{% ifversion fpt %}.{% else %} and view ruleset insights. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles)."{% endif %} +Anyone with read access to a repository can view the repository's rulesets. People with admin access to a repository{% ifversion edit-repository-rules %}, or a custom role with the "edit repository rules" permission,{% endif %} can create, edit, and delete rulesets for a repository{% ifversion fpt %}.{% else %} and view ruleset insights. For more information, see [AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/about-custom-repository-roles).{% endif %} diff --git a/data/reusables/repositories/rulesets-about-enforcement-statuses.md b/data/reusables/repositories/rulesets-about-enforcement-statuses.md index 32ef826e835f..b8f8f17e558a 100644 --- a/data/reusables/repositories/rulesets-about-enforcement-statuses.md +++ b/data/reusables/repositories/rulesets-about-enforcement-statuses.md 
@@ -8,6 +8,6 @@ You can select any of the following enforcement statuses for your ruleset. {% ifversion repo-rules-enterprise %} -Using "Evaluate" mode is a great option for testing your ruleset without enforcing it. You can use the "Rule Insights" page to see if the contribution would have violated the rule. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#viewing-insights-for-rulesets)." +Using "Evaluate" mode is a great option for testing your ruleset without enforcing it. You can use the "Rule Insights" page to see if the contribution would have violated the rule. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#viewing-insights-for-rulesets). {% endif %} diff --git a/data/reusables/repositories/rulesets-alternative.md b/data/reusables/repositories/rulesets-alternative.md index 0721248105b2..df8fc237a49a 100644 --- a/data/reusables/repositories/rulesets-alternative.md +++ b/data/reusables/repositories/rulesets-alternative.md 
@@ -1 +1 @@ -As an alternative to branch protection rules{% ifversion ghes < 3.16 %} or tag protection rules{% endif %}, you can create rulesets. Rulesets have a few advantages over branch{% ifversion ghes < 3.16 %} and tag{% endif %} protection rules, such as statuses, and better discoverability without requiring admin access. You can also apply multiple rulesets at the same time. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +As an alternative to branch protection rules{% ifversion ghes < 3.16 %} or tag protection rules{% endif %}, you can create rulesets. Rulesets have a few advantages over branch{% ifversion ghes < 3.16 %} and tag{% endif %} protection rules, such as statuses, and better discoverability without requiring admin access. You can also apply multiple rulesets at the same time. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets). diff --git a/data/reusables/repositories/rulesets-bypass-step.md b/data/reusables/repositories/rulesets-bypass-step.md index e92e6c3da36f..158b97c2430e 100644 --- a/data/reusables/repositories/rulesets-bypass-step.md +++ b/data/reusables/repositories/rulesets-bypass-step.md 
@@ -7,7 +7,7 @@ You can grant certain roles, teams, or apps bypass permissions {% ifversion push * Deploy keys {%- endif %} * {% data variables.product.prodname_github_apps %}{% ifversion repo-rules-dependabot-bypass %} -* {% data variables.product.prodname_dependabot %}. For more information about {% data variables.product.prodname_dependabot %}, see "[AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide)."{% endif %} +* {% data variables.product.prodname_dependabot %}. For more information about {% data variables.product.prodname_dependabot %}, see [AUTOTITLE](/code-security/getting-started/dependabot-quickstart-guide).{% endif %} 1. To grant bypass permissions for the ruleset, in the "Bypass list" section, click **{% octicon "plus" aria-hidden="true" %} Add bypass**. 1. In the "Add bypass" modal dialog that appears, search for the role, team, or app you would like to grant bypass permissions, then select the role, team, or app from the "Suggestions" section and click **Add Selected**. diff --git a/data/reusables/repositories/rulesets-commit-regex.md b/data/reusables/repositories/rulesets-commit-regex.md index 9f0a4e57f554..8c0d3a2b5267 100644 --- a/data/reusables/repositories/rulesets-commit-regex.md +++ b/data/reusables/repositories/rulesets-commit-regex.md 
@@ -9,7 +9,7 @@ By default, regular expressions in metadata restrictions do not consider multipl The negative lookahead assertion, denoted `?!`, is not supported. However, for cases where you need to look for a given string that is not followed by another given string, you can use the positive lookahead assertion, denoted `?`, combined with the "Must not match a given regex pattern" requirement. > [!NOTE] -> If you require contributors to sign off on commits, this may interfere with your regular expression patterns. When someone signs off, {% data variables.product.prodname_dotcom %} adds a string like `Signed-off-by: #AUTHOR-NAME <#AUTHOR-EMAIL>` to the commit message. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization)." +> If you require contributors to sign off on commits, this may interfere with your regular expression patterns. When someone signs off, {% data variables.product.prodname_dotcom %} adds a string like `Signed-off-by: #AUTHOR-NAME <#AUTHOR-EMAIL>` to the commit message. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-the-commit-signoff-policy-for-your-organization). #### Useful regular expression patterns diff --git a/data/reusables/repositories/rulesets-create-and-insights-step.md b/data/reusables/repositories/rulesets-create-and-insights-step.md index a00fd1f7fbfb..4da7a0887a30 100644 --- a/data/reusables/repositories/rulesets-create-and-insights-step.md +++ b/data/reusables/repositories/rulesets-create-and-insights-step.md 
@@ -1,5 +1,5 @@ To finish creating your ruleset, click **Create**. If the enforcement status of the ruleset is set to "Active", the ruleset takes effect immediately. {% ifversion repo-rules-enterprise %} -You can view insights for the ruleset to see how the rules are affecting your contributors. If the enforcement status is set to "Evaluate", you can see which actions would have passed or failed if the ruleset was active. For more information on insights for rulesets, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#viewing-insights-for-rulesets)." +You can view insights for the ruleset to see how the rules are affecting your contributors. If the enforcement status is set to "Evaluate", you can see which actions would have passed or failed if the ruleset was active. For more information on insights for rulesets, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#viewing-insights-for-rulesets). {% endif %} diff --git a/data/reusables/repositories/rulesets-general-step.md b/data/reusables/repositories/rulesets-general-step.md index 2414ee9ac6df..260ee2742f99 100644 --- a/data/reusables/repositories/rulesets-general-step.md +++ b/data/reusables/repositories/rulesets-general-step.md 
@@ -1,2 +1,2 @@ 1. Under "Ruleset name," type a name for the ruleset. -1. Optionally, to change the default enforcement status, click **{% octicon "skip" aria-hidden="true" %} Disabled** {% octicon "triangle-down" aria-hidden="true" %} and select an enforcement status. For more information about enforcement statuses, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#using-ruleset-enforcement-statuses)." +1. Optionally, to change the default enforcement status, click **{% octicon "skip" aria-hidden="true" %} Disabled** {% octicon "triangle-down" aria-hidden="true" %} and select an enforcement status. For more information about enforcement statuses, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#using-ruleset-enforcement-statuses). diff --git a/data/reusables/repositories/rulesets-metadata-step.md b/data/reusables/repositories/rulesets-metadata-step.md index 35971d10f0fe..939a9eee09e6 100644 --- a/data/reusables/repositories/rulesets-metadata-step.md +++ b/data/reusables/repositories/rulesets-metadata-step.md 
@@ -9,8 +9,8 @@ Your metadata restrictions should be intended to increase consistency between co For most requirements, such as "Must start with a matching pattern," the pattern you enter is interpreted literally, and wildcards are not supported. For example, the `*` character only represents the literal `*` character. - For more complex patterns, you can select "Must match a given regex pattern" or "Must not match a given regex pattern," then use regular expression syntax to define the matching pattern. For more information, see "[About regular expressions for commit metadata](/enterprise-cloud@latest/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#using-regular-expressions-for-commit-metadata){% ifversion not ghec %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} + For more complex patterns, you can select "Must match a given regex pattern" or "Must not match a given regex pattern," then use regular expression syntax to define the matching pattern. For more information, see [About regular expressions for commit metadata](/enterprise-cloud@latest/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization#using-regular-expressions-for-commit-metadata){% ifversion not ghec %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %} Anyone who views the rulesets for a repository will be able to see the description you provide. -1. Optionally, before enacting your ruleset with metadata restrictions, select the "Evaluate" enforcement status for your ruleset to test the effects of any metadata restrictions without impacting contributors. For more information on metadata restrictions, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#important-considerations-for-metadata-restrictions)." +1. 
Optionally, before enacting your ruleset with metadata restrictions, select the "Evaluate" enforcement status for your ruleset to test the effects of any metadata restrictions without impacting contributors. For more information on metadata restrictions, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#important-considerations-for-metadata-restrictions). diff --git a/data/reusables/repositories/rulesets-protections-step.md b/data/reusables/repositories/rulesets-protections-step.md index ec6512cbfb8c..281b48b55197 100644 --- a/data/reusables/repositories/rulesets-protections-step.md +++ b/data/reusables/repositories/rulesets-protections-step.md @@ -1,4 +1,4 @@ -In the "Branch protections" or "Tag protections" section, select the rules you want to include in the ruleset. When you select a rule, you may be able to enter additional settings for the rule. For more information on the rules, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets)." +In the "Branch protections" or "Tag protections" section, select the rules you want to include in the ruleset. When you select a rule, you may be able to enter additional settings for the rule. For more information on the rules, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets). > [!NOTE] > If you select **Require status checks before merging**, in the "Additional settings" section: diff --git a/data/reusables/repositories/rulesets-push-rules-general-info-for-related-articles.md b/data/reusables/repositories/rulesets-push-rules-general-info-for-related-articles.md index 6683e290ac3b..6ffb9ded8965 100644 --- a/data/reusables/repositories/rulesets-push-rules-general-info-for-related-articles.md +++ b/data/reusables/repositories/rulesets-push-rules-general-info-for-related-articles.md 
@@ -1 +1 @@ -Your repository may have push rulesets enabled. Push rulesets may block creating a new file in the repository based on certain restrictions. Push rulesets apply to the repository's entire fork network. Which means that any push rulesets that are configured in the root repository will also apply to every fork of the repository. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets)." +Your repository may have push rulesets enabled. Push rulesets may block creating a new file in the repository based on certain restrictions. Push rulesets apply to the repository's entire fork network. Which means that any push rulesets that are configured in the root repository will also apply to every fork of the repository. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets). diff --git a/data/reusables/repositories/rulesets-push-rules-path-example.md b/data/reusables/repositories/rulesets-push-rules-path-example.md index 1de03c3ccf52..9de89c655692 100644 --- a/data/reusables/repositories/rulesets-push-rules-path-example.md +++ b/data/reusables/repositories/rulesets-push-rules-path-example.md 
@@ -1 +1 @@ -You can use `fnmatch` syntax for this. For example, a restriction targeting `test/demo/**/*` prevents any pushes to files or folders in the `test/demo/` directory. A restriction targeting `test/docs/pushrules.md` prevents pushes specifically to the `pushrules.md` file in the `test/docs/` directory. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)." +You can use `fnmatch` syntax for this. For example, a restriction targeting `test/demo/**/*` prevents any pushes to files or folders in the `test/demo/` directory. A restriction targeting `test/docs/pushrules.md` prevents pushes specifically to the `pushrules.md` file in the `test/docs/` directory. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax). diff --git a/data/reusables/repositories/rulesets-require-code-scanning-results.md b/data/reusables/repositories/rulesets-require-code-scanning-results.md index 83df1a2353e4..041aed307bae 100644 --- a/data/reusables/repositories/rulesets-require-code-scanning-results.md +++ b/data/reusables/repositories/rulesets-require-code-scanning-results.md @@ -6,4 +6,4 @@ ![Screenshot of the "Required tools and alert thresholds" section of "Rulesets" settings.](/assets/images/help/repository/rulesets-require-code-scanning.png) -For more information about alert severity and security severity levels, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels)." +For more information about alert severity and security severity levels, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-severity-and-security-severity-levels). 
diff --git a/data/reusables/repositories/rulesets-target-branches.md b/data/reusables/repositories/rulesets-target-branches.md index 60ac2411db07..cf3cd5af7899 100644 --- a/data/reusables/repositories/rulesets-target-branches.md +++ b/data/reusables/repositories/rulesets-target-branches.md @@ -1,3 +1,3 @@ -To target branches or tags, in the "Target branches" or "Target tags" section, select **Add a target**, then select how you want to include or exclude branches or tags. You can use `fnmatch` syntax to include or exclude branches or tags based on a pattern. For more information, see "[Using `fnmatch` syntax](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax)." +To target branches or tags, in the "Target branches" or "Target tags" section, select **Add a target**, then select how you want to include or exclude branches or tags. You can use `fnmatch` syntax to include or exclude branches or tags based on a pattern. For more information, see [Using `fnmatch` syntax](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#using-fnmatch-syntax). You can add multiple targeting criteria to the same ruleset. For example, you could include the default branch, include any branches matching the pattern `*feature*`, and then specifically exclude a branch matching the pattern `not-a-feature`. diff --git a/data/reusables/repositories/rulest-workflows-intro-paragraph.md b/data/reusables/repositories/rulest-workflows-intro-paragraph.md index 9d97184b4900..a45e81152095 100644 --- a/data/reusables/repositories/rulest-workflows-intro-paragraph.md +++ b/data/reusables/repositories/rulest-workflows-intro-paragraph.md 
@@ -1 +1 @@ -Ruleset workflows can be configured at the organization level to require workflows to pass before merging pull requests. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization)." +Ruleset workflows can be configured at the organization level to require workflows to pass before merging pull requests. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/creating-rulesets-for-repositories-in-your-organization). diff --git a/data/reusables/repositories/security-advisory-edit-cve.md b/data/reusables/repositories/security-advisory-edit-cve.md index 2272f2e73914..0c2558f4b74f 100644 --- a/data/reusables/repositories/security-advisory-edit-cve.md +++ b/data/reusables/repositories/security-advisory-edit-cve.md @@ -1 +1 @@ -1. Use the **CVE identifier** dropdown menu to specify whether you already have a CVE identifier or plan to request one from {% data variables.product.prodname_dotcom %} later. If you have an existing CVE identifier, select **I have an existing CVE identifier** to display an **Existing CVE** field, and type the CVE identifier in the field. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)." +1. Use the **CVE identifier** dropdown menu to specify whether you already have a CVE identifier or plan to request one from {% data variables.product.prodname_dotcom %} later. If you have an existing CVE identifier, select **I have an existing CVE identifier** to display an **Existing CVE** field, and type the CVE identifier in the field. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers). 
diff --git a/data/reusables/repositories/security-advisory-edit-cwe.md b/data/reusables/repositories/security-advisory-edit-cwe.md index fec0959abe68..21208a6e768b 100644 --- a/data/reusables/repositories/security-advisory-edit-cwe.md +++ b/data/reusables/repositories/security-advisory-edit-cwe.md @@ -1 +1 @@ -1. Under "Weaknesses", in the **Common weakness enumerator** field, type common weakness enumerators (CWEs) that describe the kinds of security weaknesses that this security advisory reports. For a full list of CWEs, see the "[Common Weakness Enumeration](https://cwe.mitre.org/index.html)" from MITRE. +1. Under "Weaknesses", in the **Common weakness enumerator** field, type common weakness enumerators (CWEs) that describe the kinds of security weaknesses that this security advisory reports. For a full list of CWEs, see the [Common Weakness Enumeration](https://cwe.mitre.org/index.html) from MITRE. diff --git a/data/reusables/repositories/security-advisory-edit-details.md b/data/reusables/repositories/security-advisory-edit-details.md index 4c94ee0e0647..eed54dbaaee4 100644 --- a/data/reusables/repositories/security-advisory-edit-details.md +++ b/data/reusables/repositories/security-advisory-edit-details.md 
@@ -1,3 +1,3 @@ 1. Under "Affected products", define the ecosystem, package name, affected/patched versions, and vulnerable functions for the security vulnerability that this security advisory describes. If applicable, you can add multiple affected products to the same advisory by clicking **Add another affected product**. - For information about how to specify information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)." + For information about how to specify information on the form, including affected versions, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories). diff --git a/data/reusables/repositories/security-guidelines.md b/data/reusables/repositories/security-guidelines.md index a0d73b79fa78..aa2568527770 100644 --- a/data/reusables/repositories/security-guidelines.md +++ b/data/reusables/repositories/security-guidelines.md @@ -1 +1 @@ -You can create a security policy to give people instructions for reporting security vulnerabilities in your project. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)." +You can create a security policy to give people instructions for reporting security vulnerabilities in your project. For more information, see [AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository). diff --git a/data/reusables/repositories/sensitive-info-warning.md b/data/reusables/repositories/sensitive-info-warning.md index 2b67f0629b91..9917235eb095 100644 --- a/data/reusables/repositories/sensitive-info-warning.md +++ b/data/reusables/repositories/sensitive-info-warning.md 
@@ -1,2 +1,2 @@ > [!WARNING] -> Never `git add`, `commit`, or `push` sensitive information, for example passwords or API keys, to a remote repository. If you've already added this information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." +> Never `git add`, `commit`, or `push` sensitive information, for example passwords or API keys, to a remote repository. If you've already added this information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository). diff --git a/data/reusables/repositories/settings-permissions-org-policy-note.md b/data/reusables/repositories/settings-permissions-org-policy-note.md index 4ff117f228d4..6562e5d3e9bd 100644 --- a/data/reusables/repositories/settings-permissions-org-policy-note.md +++ b/data/reusables/repositories/settings-permissions-org-policy-note.md @@ -1,2 +1,2 @@ > [!NOTE] -> You might not be able to manage these settings if your organization has an overriding policy or is managed by an enterprise that has overriding policy. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)" or "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise)." +> You might not be able to manage these settings if your organization has an overriding policy or is managed by an enterprise that has overriding policy. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization) or [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise). diff --git a/data/reusables/repositories/sidebar-dependabot-alerts.md b/data/reusables/repositories/sidebar-dependabot-alerts.md index 055b480b5fda..044cd3ba9532 100644 
--- a/data/reusables/repositories/sidebar-dependabot-alerts.md +++ b/data/reusables/repositories/sidebar-dependabot-alerts.md @@ -1,4 +1,4 @@ -1. In the "Vulnerability alerts" sidebar of security overview, click **{% data variables.product.prodname_dependabot %}**. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."{% ifversion fpt or ghec %} +1. In the "Vulnerability alerts" sidebar of security overview, click **{% data variables.product.prodname_dependabot %}**. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts).{% ifversion fpt or ghec %} ![Screenshot of security overview, with the "Dependabot" tab highlighted with a dark orange outline.](/assets/images/help/repository/dependabot-tab.png){% else %} ![Screenshot of security overview, with the "Dependabot" tab highlighted with a dark orange outline.](/assets/images/enterprise/repository/dependabot-alerts-tab.png){% endif %} diff --git a/data/reusables/repositories/squash-and-rebase-linear-commit-history.md b/data/reusables/repositories/squash-and-rebase-linear-commit-history.md index 838f4a265a88..de25eb745cd8 100644 --- a/data/reusables/repositories/squash-and-rebase-linear-commit-history.md +++ b/data/reusables/repositories/squash-and-rebase-linear-commit-history.md 
@@ -1 +1 @@ -If there is a protected branch rule in your repository that requires a linear commit history, you must allow squash merging, rebase merging, or both. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging)." +If there is a protected branch rule in your repository that requires a linear commit history, you must allow squash merging, rebase merging, or both. For more information, see [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging). diff --git a/data/reusables/repositories/workflow-notifications.md b/data/reusables/repositories/workflow-notifications.md index 78c342996e0c..9cdfd2012f7f 100644 --- a/data/reusables/repositories/workflow-notifications.md +++ b/data/reusables/repositories/workflow-notifications.md 
@@ -1,5 +1,5 @@ -If you enable email or web notifications for {% data variables.product.prodname_actions %}, you'll receive a notification when any workflow runs that you've triggered have completed. The notification will include the workflow run's status (including successful, failed, neutral, and canceled runs). You can also choose to receive a notification only when a workflow run has failed. For more information about enabling or disabling notifications, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/about-notifications)." +If you enable email or web notifications for {% data variables.product.prodname_actions %}, you'll receive a notification when any workflow runs that you've triggered have completed. The notification will include the workflow run's status (including successful, failed, neutral, and canceled runs). You can also choose to receive a notification only when a workflow run has failed. For more information about enabling or disabling notifications, see [AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/about-notifications). Notifications for scheduled workflows are sent to the user who initially created the workflow. If a different user updates the cron syntax in the workflow file, subsequent notifications will be sent to that user instead. If a scheduled workflow is disabled and then re-enabled, notifications will be sent to the user who re-enabled the workflow rather than the user who last modified the cron syntax. -You can also see the status of workflow runs on a repository's Actions tab. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs)." +You can also see the status of workflow runs on a repository's Actions tab. For more information, see [AUTOTITLE](/actions/managing-workflow-runs). 
diff --git a/data/reusables/repositories/you-can-fork.md b/data/reusables/repositories/you-can-fork.md index 085a45dc1404..8db7307364b3 100644 --- a/data/reusables/repositories/you-can-fork.md +++ b/data/reusables/repositories/you-can-fork.md 
@@ -2,5 +2,5 @@ You can fork a private or internal repository to your personal account or to an organization on {% data variables.product.prodname_dotcom %} where you have permission to create repositories, provided that the settings for the repository and your enterprise policies allow forking. Generally, you can fork any public repository to your personal account or to an organization where you have permission to create repositories{% ifversion ghec %}, unless you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}{% endif %}. {% elsif fpt %} -You can fork any public repository to your personal account, or to an organization where you have permission to create repositories. If you have access to a private repository and the owner permits forking, you can fork the repository to your personal account, or to an organization on {% data variables.product.prodname_team %} where you have permission to create repositories. You cannot fork a private repository to an organization using {% data variables.product.prodname_free_team %}. For more information about {% data variables.product.prodname_team %} and {% data variables.product.prodname_free_team %}, see "[AUTOTITLE](/get-started/learning-about-github/githubs-plans)." +You can fork any public repository to your personal account, or to an organization where you have permission to create repositories. If you have access to a private repository and the owner permits forking, you can fork the repository to your personal account, or to an organization on {% data variables.product.prodname_team %} where you have permission to create repositories. You cannot fork a private repository to an organization using {% data variables.product.prodname_free_team %}. For more information about {% data variables.product.prodname_team %} and {% data variables.product.prodname_free_team %}, see [AUTOTITLE](/get-started/learning-about-github/githubs-plans). {% endif %} 
diff --git a/data/reusables/rest-api/permission-header.md b/data/reusables/rest-api/permission-header.md index 53672d977a88..ab9b265d0b93 100644 --- a/data/reusables/rest-api/permission-header.md +++ b/data/reusables/rest-api/permission-header.md @@ -1,5 +1,5 @@ {% ifversion rest-permissions-header %} -To help you choose the correct permissions, you will receive the `X-Accepted-GitHub-Permissions` header in the REST API response. The header will tell you what permissions are required in order to access the endpoint. For more information, see "[AUTOTITLE](/rest/overview/troubleshooting#resource-not-accessible)." +To help you choose the correct permissions, you will receive the `X-Accepted-GitHub-Permissions` header in the REST API response. The header will tell you what permissions are required in order to access the endpoint. For more information, see [AUTOTITLE](/rest/overview/troubleshooting#resource-not-accessible). {% endif %} diff --git a/data/reusables/rest-api/secondary-rate-limit-rest-graphql.md b/data/reusables/rest-api/secondary-rate-limit-rest-graphql.md index 4f747331fc7f..5ce6995cb118 100644 --- a/data/reusables/rest-api/secondary-rate-limit-rest-graphql.md +++ b/data/reusables/rest-api/secondary-rate-limit-rest-graphql.md 
@@ -3,7 +3,7 @@ In addition to primary rate limits, {% data variables.product.company_short %} e You may encounter a secondary rate limit if you: * _Make too many concurrent requests._ No more than 100 concurrent requests are allowed. This limit is shared across the REST API and GraphQL API. -* _Make too many requests to a single endpoint per minute._ No more than 900 points per minute are allowed for REST API endpoints, and no more than 2,000 points per minute are allowed for the GraphQL API endpoint. For more information about points, see "[Calculating points for the secondary rate limit](#calculating-points-for-the-secondary-rate-limit)." +* _Make too many requests to a single endpoint per minute._ No more than 900 points per minute are allowed for REST API endpoints, and no more than 2,000 points per minute are allowed for the GraphQL API endpoint. For more information about points, see [Calculating points for the secondary rate limit](#calculating-points-for-the-secondary-rate-limit). * _Make too many requests per minute._ No more than 90 seconds of CPU time per 60 seconds of real time is allowed. No more than 60 seconds of this CPU time may be for the GraphQL API. You can roughly estimate the CPU time by measuring the total response time for your API requests. * _Make too many requests that consume excessive compute resources in a short period of time._ * _Create too much content on {% data variables.product.company_short %} in a short amount of time._ In general, no more than 80 content-generating requests per minute and no more than 500 content-generating requests per hour are allowed. Some endpoints have lower content creation limits. Content creation limits include actions taken on the {% data variables.product.company_short %} web interface as well as via the REST API and GraphQL API. 
diff --git a/data/reusables/saml/authenticate-with-saml-at-least-once.md b/data/reusables/saml/authenticate-with-saml-at-least-once.md index 5f875ce71ae6..06f8ff59ca78 100644 --- a/data/reusables/saml/authenticate-with-saml-at-least-once.md +++ b/data/reusables/saml/authenticate-with-saml-at-least-once.md @@ -1 +1 @@ -If you don't see **Configure SSO**, ensure that you have authenticated at least once through your SAML IdP to access resources on {% data variables.product.github %}. For more information, see "[AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on)." +If you don't see **Configure SSO**, ensure that you have authenticated at least once through your SAML IdP to access resources on {% data variables.product.github %}. For more information, see [AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on). diff --git a/data/reusables/saml/authentication-loop.md b/data/reusables/saml/authentication-loop.md index 27e82269313f..69c0d7c9d1de 100644 --- a/data/reusables/saml/authentication-loop.md +++ b/data/reusables/saml/authentication-loop.md 
@@ -4,4 +4,4 @@ If users are repeatedly redirected to the SAML authentication prompt in a loop, The `SessionNotOnOrAfter` value sent in a SAML response determines when a user will be redirected back to the IdP to authenticate. If a SAML session duration is configured for 2 hours or less, {% data variables.product.prodname_dotcom %} will refresh a SAML session 5 minutes before it expires. If your session duration is configured as 5 minutes or less, users can get stuck in a SAML authentication loop. -To fix this problem, we recommend configuring a minimum SAML session duration of 4 hours. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/saml-configuration-reference#session-duration-and-timeout)." +To fix this problem, we recommend configuring a minimum SAML session duration of 4 hours. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/saml-configuration-reference#session-duration-and-timeout). diff --git a/data/reusables/saml/authorized-creds-info.md b/data/reusables/saml/authorized-creds-info.md index 5ae13046ddf7..8570c945458d 100644 --- a/data/reusables/saml/authorized-creds-info.md +++ b/data/reusables/saml/authorized-creds-info.md 
@@ -1,4 +1,4 @@ -Before you can authorize a {% data variables.product.pat_generic %} or SSH key, you must have a linked SAML identity. If you're a member of an organization where SAML SSO is enabled, you can create a linked identity by authenticating to your organization with your IdP at least once. For more information, see "[AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on)." +Before you can authorize a {% data variables.product.pat_generic %} or SSH key, you must have a linked SAML identity. If you're a member of an organization where SAML SSO is enabled, you can create a linked identity by authenticating to your organization with your IdP at least once. For more information, see [AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on). After you authorize a {% data variables.product.pat_generic %} or SSH key, the token or key will stay authorized until revoked in one of the following ways. * An organization or enterprise owner revokes the authorization. diff --git a/data/reusables/saml/create-a-machine-user.md b/data/reusables/saml/create-a-machine-user.md index bfceee863d6d..824ba759e8aa 100644 --- a/data/reusables/saml/create-a-machine-user.md +++ b/data/reusables/saml/create-a-machine-user.md 
@@ -1 +1 @@ -You must create and use a dedicated machine user account on your IdP to associate with an enterprise owner account on {% data variables.product.product_name %}. Store the credentials for the user account securely in a password manager. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise#enabling-user-provisioning-for-your-enterprise)." +You must create and use a dedicated machine user account on your IdP to associate with an enterprise owner account on {% data variables.product.product_name %}. Store the credentials for the user account securely in a password manager. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise#enabling-user-provisioning-for-your-enterprise). diff --git a/data/reusables/saml/current-time-earlier-than-notbefore-condition.md b/data/reusables/saml/current-time-earlier-than-notbefore-condition.md index 1e7f25f7c7c4..a8e470ba3a0d 100644 --- a/data/reusables/saml/current-time-earlier-than-notbefore-condition.md +++ b/data/reusables/saml/current-time-earlier-than-notbefore-condition.md 
@@ -2,6 +2,6 @@ This error can occur when there's too large of a time difference between your IdP and {% data variables.product.product_name %}, which commonly occurs with self-hosted IdPs. -{% ifversion ghes %}To prevent this problem, we recommend pointing your appliance to the same Network Time Protocol (NTP) source as your IdP, if possible. {% endif %}If you encounter this error, make sure the time on your {% ifversion ghes %}appliance{% else %}IdP{% endif %} is properly synced with your NTP server. {% ifversion ghes %}You can use the `chronyc` command on the administrative shell to synchronize time immediately. For more information, see "[AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-time-synchronization#correcting-a-large-time-drift)."{% endif %} +{% ifversion ghes %}To prevent this problem, we recommend pointing your appliance to the same Network Time Protocol (NTP) source as your IdP, if possible. {% endif %}If you encounter this error, make sure the time on your {% ifversion ghes %}appliance{% else %}IdP{% endif %} is properly synced with your NTP server. {% ifversion ghes %}You can use the `chronyc` command on the administrative shell to synchronize time immediately. For more information, see [AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-time-synchronization#correcting-a-large-time-drift).{% endif %} If you use ADFS as your IdP, also set `NotBeforeSkew` in ADFS to 1 minute for {% data variables.product.prodname_dotcom %}. If `NotBeforeSkew` is set to 0, even very small time differences, including milliseconds, can cause authentication problems. diff --git a/data/reusables/saml/ghes-you-must-configure-saml-sso.md b/data/reusables/saml/ghes-you-must-configure-saml-sso.md index ad73f790d3de..1a19dadb59af 100644 --- a/data/reusables/saml/ghes-you-must-configure-saml-sso.md +++ b/data/reusables/saml/ghes-you-must-configure-saml-sso.md 
@@ -1 +1 @@ -You must configure SAML SSO for {% data variables.location.product_location %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise)." +You must configure SAML SSO for {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise). diff --git a/data/reusables/saml/must-authorize-linked-identity.md b/data/reusables/saml/must-authorize-linked-identity.md index 4697c484ca5a..cd478ccd58e7 100644 --- a/data/reusables/saml/must-authorize-linked-identity.md +++ b/data/reusables/saml/must-authorize-linked-identity.md 
@@ -1,2 +1,2 @@ > [!NOTE] -> If you have a linked identity for an organization, you can only use authorized {% data variables.product.pat_generic %}s and SSH keys with that organization, even if SAML is not enforced. You have a linked identity for an organization if you've ever authenticated via SAML SSO for that organization, unless an organization or enterprise owner later revoked the linked identity. For more information about revoking linked identities, see "[AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization)" and "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)." +> If you have a linked identity for an organization, you can only use authorized {% data variables.product.pat_generic %}s and SSH keys with that organization, even if SAML is not enforced. You have a linked identity for an organization if you've ever authenticated via SAML SSO for that organization, unless an organization or enterprise owner later revoked the linked identity. For more information about revoking linked identities, see [AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization) and [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise). diff --git a/data/reusables/saml/no-scim-for-enterprises.md b/data/reusables/saml/no-scim-for-enterprises.md index d38ac64856d9..7b5a32e96e1e 100644 --- a/data/reusables/saml/no-scim-for-enterprises.md +++ b/data/reusables/saml/no-scim-for-enterprises.md 
@@ -1,8 +1,8 @@ {% ifversion ghec %} > [!NOTE] -> You cannot configure SCIM for your enterprise account unless your account was created for {% data variables.product.prodname_emus %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)." +> You cannot configure SCIM for your enterprise account unless your account was created for {% data variables.product.prodname_emus %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users). > -> If you do not use {% data variables.product.prodname_emus %}, and you want to use SCIM provisioning, you must configure SAML SSO at the organization level, not the enterprise level. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)." +> If you do not use {% data variables.product.prodname_emus %}, and you want to use SCIM provisioning, you must configure SAML SSO at the organization level, not the enterprise level. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on). {% endif %} diff --git a/data/reusables/saml/okta-edit-provisioning.md b/data/reusables/saml/okta-edit-provisioning.md index bb531cf84920..0ae36891b280 100644 --- a/data/reusables/saml/okta-edit-provisioning.md +++ b/data/reusables/saml/okta-edit-provisioning.md 
@@ -1,4 +1,4 @@ -1. To avoid syncing errors and confirm that your users have SAML enabled and SCIM linked identities, we recommend you audit your organization's users. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization)." +1. To avoid syncing errors and confirm that your users have SAML enabled and SCIM linked identities, we recommend you audit your organization's users. For more information, see [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization). 1. To the right of "Provisioning to App", click **Edit**. 1. To the right of "Create Users," select **Enable**. diff --git a/data/reusables/saml/outside-collaborators-exemption.md b/data/reusables/saml/outside-collaborators-exemption.md index da0ee78b56ee..394417801b9c 100644 --- a/data/reusables/saml/outside-collaborators-exemption.md +++ b/data/reusables/saml/outside-collaborators-exemption.md @@ -1,2 +1,2 @@ > [!NOTE] -> SAML authentication is not required for outside collaborators. For more information about outside collaborators, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators)." +> SAML authentication is not required for outside collaborators. For more information about outside collaborators, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#outside-collaborators). diff --git a/data/reusables/saml/saml-accounts.md b/data/reusables/saml/saml-accounts.md index 7e3a87806fa1..f8422db900f4 100644 --- a/data/reusables/saml/saml-accounts.md +++ b/data/reusables/saml/saml-accounts.md 
@@ -1,4 +1,4 @@ -If you configure SAML SSO, members of your organization will continue to sign into their personal accounts on {% data variables.product.prodname_dotcom_the_website %}. When a member accesses most resources within your organization, {% data variables.product.prodname_dotcom %} redirects the member to your IdP to authenticate. After successful authentication, your IdP redirects the member back to {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on)." +If you configure SAML SSO, members of your organization will continue to sign into their personal accounts on {% data variables.product.prodname_dotcom_the_website %}. When a member accesses most resources within your organization, {% data variables.product.prodname_dotcom %} redirects the member to your IdP to authenticate. After successful authentication, your IdP redirects the member back to {% data variables.product.prodname_dotcom %}. For more information, see [AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on). > [!NOTE] > SAML SSO does not replace the normal sign-in process for {% data variables.product.prodname_dotcom %}. Unless you use {% data variables.product.prodname_emus %}, members will continue to sign into their personal accounts on {% data variables.product.prodname_dotcom_the_website %}, and each personal account will be linked to an external identity in your IdP. diff --git a/data/reusables/saml/saml-ghes-account-revocation.md b/data/reusables/saml/saml-ghes-account-revocation.md index 3414df8fb983..fb87f5cb0c6a 100644 --- a/data/reusables/saml/saml-ghes-account-revocation.md +++ b/data/reusables/saml/saml-ghes-account-revocation.md 
@@ -1,5 +1,5 @@ {% ifversion ghes %} -With JIT provisioning, if you remove a user from your IdP, you must also manually suspend the user's account on {% data variables.location.product_location %}. Otherwise, the account's owner can continue to authenticate using access tokens or SSH keys. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/suspending-and-unsuspending-users)". +With JIT provisioning, if you remove a user from your IdP, you must also manually suspend the user's account on {% data variables.location.product_location %}. Otherwise, the account's owner can continue to authenticate using access tokens or SSH keys. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/suspending-and-unsuspending-users). {% endif %} diff --git a/data/reusables/saml/saml-session-oauth.md b/data/reusables/saml/saml-session-oauth.md index c1359ad5a22d..fb3edcc45694 100644 --- a/data/reusables/saml/saml-session-oauth.md +++ b/data/reusables/saml/saml-session-oauth.md 
@@ -1 +1 @@ -If you belong to any organizations that enforce SAML single sign-on, you may be prompted to authenticate through your identity provider before you can authorize an {% data variables.product.prodname_oauth_app %}. For more information about SAML, see "[AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} +If you belong to any organizations that enforce SAML single sign-on, you may be prompted to authenticate through your identity provider before you can authorize an {% data variables.product.prodname_oauth_app %}. For more information about SAML, see [AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %} diff --git a/data/reusables/saml/use-api-to-get-externalidentity.md b/data/reusables/saml/use-api-to-get-externalidentity.md index b94c5989ce1f..36feac3f2781 100644 --- a/data/reusables/saml/use-api-to-get-externalidentity.md +++ b/data/reusables/saml/use-api-to-get-externalidentity.md @@ -1 +1 @@ -1. Use the GraphQL API to retrieve the `ExternalIdentity` for each member. For more information, see "[AUTOTITLE](/graphql/overview/about-the-graphql-api)" and "[AUTOTITLE](/graphql/reference/objects#externalidentity)" in the GraphQL API documentation. +1. Use the GraphQL API to retrieve the `ExternalIdentity` for each member. For more information, see [AUTOTITLE](/graphql/overview/about-the-graphql-api) and [AUTOTITLE](/graphql/reference/objects#externalidentity) in the GraphQL API documentation. diff --git a/data/reusables/saml/you-must-periodically-authenticate.md b/data/reusables/saml/you-must-periodically-authenticate.md index 5aa3092a7c75..0330e8c11550 100644 
--- a/data/reusables/saml/you-must-periodically-authenticate.md +++ b/data/reusables/saml/you-must-periodically-authenticate.md @@ -1 +1 @@ -You must periodically authenticate with your SAML IdP to authenticate and gain access to the organization's resources on {% data variables.product.prodname_dotcom %}. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings. For more information, see "[AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/viewing-and-managing-your-active-saml-sessions)." +You must periodically authenticate with your SAML IdP to authenticate and gain access to the organization's resources on {% data variables.product.prodname_dotcom %}. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings. For more information, see [AUTOTITLE](/authentication/authenticating-with-saml-single-sign-on/viewing-and-managing-your-active-saml-sessions). diff --git a/data/reusables/scim/emu-prerequisite-authentication.md b/data/reusables/scim/emu-prerequisite-authentication.md index 73ed8d333dfe..d72008ef97a3 100644 --- a/data/reusables/scim/emu-prerequisite-authentication.md +++ b/data/reusables/scim/emu-prerequisite-authentication.md 
@@ -1 +1 @@ -Before you configure provisioning, you must configure authentication for your users. This configuration requires setup on both your identity management system and {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users)." +Before you configure provisioning, you must configure authentication for your users. This configuration requires setup on both your identity management system and {% data variables.product.product_name %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users). diff --git a/data/reusables/scim/emu-scim-rate-limit.md b/data/reusables/scim/emu-scim-rate-limit.md index b113dc48dcb3..c26453c3626b 100644 --- a/data/reusables/scim/emu-scim-rate-limit.md +++ b/data/reusables/scim/emu-scim-rate-limit.md @@ -1,2 +1,2 @@ > [!NOTE] -> {% data reusables.scim.emu-scim-rate-limit-details %} For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/troubleshooting-identity-and-access-management-for-your-enterprise#scim-provisioning-errors)." +> {% data reusables.scim.emu-scim-rate-limit-details %} For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/troubleshooting-identity-and-access-management-for-your-enterprise#scim-provisioning-errors). diff --git a/data/reusables/scim/enterprise-account-scim.md b/data/reusables/scim/enterprise-account-scim.md index 4f3fdf04e360..9d050d5fb9f3 100644 --- a/data/reusables/scim/enterprise-account-scim.md +++ b/data/reusables/scim/enterprise-account-scim.md 
@@ -1 +1 @@ -You cannot use this implementation of SCIM with an enterprise account or with an {% data variables.enterprise.prodname_emu_org %}. If your enterprise is enabled for {% data variables.product.prodname_emus %}, you must use a different implementation of SCIM. Otherwise, SCIM is not available at the enterprise level. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users)." +You cannot use this implementation of SCIM with an enterprise account or with an {% data variables.enterprise.prodname_emu_org %}. If your enterprise is enabled for {% data variables.product.prodname_emus %}, you must use a different implementation of SCIM. Otherwise, SCIM is not available at the enterprise level. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users). diff --git a/data/reusables/scim/ghec-open-scim-operation-differentiation.md b/data/reusables/scim/ghec-open-scim-operation-differentiation.md index b2ee52efbcc7..fe4c95e135df 100644 --- a/data/reusables/scim/ghec-open-scim-operation-differentiation.md +++ b/data/reusables/scim/ghec-open-scim-operation-differentiation.md 
@@ -1 +1 @@ -These endpoints allow you to provision user accounts for your enterprise on {% data variables.product.prodname_ghe_cloud %} using SCIM. The operation is only available for use with {% data variables.product.prodname_emus %}. If you don't use {% data variables.product.prodname_emus %} and want to provision access to your organizations using SCIM, see "[AUTOTITLE](/rest/enterprise-admin/scim)." +These endpoints allow you to provision user accounts for your enterprise on {% data variables.product.prodname_ghe_cloud %} using SCIM. The operation is only available for use with {% data variables.product.prodname_emus %}. If you don't use {% data variables.product.prodname_emus %} and want to provision access to your organizations using SCIM, see [AUTOTITLE](/rest/enterprise-admin/scim). diff --git a/data/reusables/scim/ghes-beta-note.md b/data/reusables/scim/ghes-beta-note.md index a93e819a7a94..02d0e930baf4 100644 --- a/data/reusables/scim/ghes-beta-note.md +++ b/data/reusables/scim/ghes-beta-note.md 
@@ -1,11 +1,11 @@ {% ifversion scim-for-ghes-public-beta %} ->[!NOTE] SCIM for {% data variables.product.product_name %} is currently in {% data variables.release-phases.public_preview %} and subject to change. {% data variables.product.company_short %} recommends testing with a staging instance first. See "[AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)." +>[!NOTE] SCIM for {% data variables.product.product_name %} is currently in {% data variables.release-phases.public_preview %} and subject to change. {% data variables.product.company_short %} recommends testing with a staging instance first. See [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance). {% elsif ghes < 3.14 %} >[!NOTE] This is an outdated, {% data variables.release-phases.private_preview %} version of SCIM for {% data variables.product.product_name %}. Customers must upgrade to 3.14 or newer and use the {% data variables.product.product_name %} SCIM {% data variables.release-phases.public_preview %} in order for their SCIM feedback or bug reports to be considered. ->[!WARNING] The {% data variables.release-phases.public_preview %} is exclusively for testing and feedback, and no support is available. {% data variables.product.company_short %} recommends testing with a staging instance. For more information, see "[AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance)." +>[!WARNING] The {% data variables.release-phases.public_preview %} is exclusively for testing and feedback, and no support is available. {% data variables.product.company_short %} recommends testing with a staging instance. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance). {% endif %} 
diff --git a/data/reusables/scim/organization-rest-api-ghec-deployment-option.md b/data/reusables/scim/organization-rest-api-ghec-deployment-option.md index b0af51674215..e7e47081e103 100644 --- a/data/reusables/scim/organization-rest-api-ghec-deployment-option.md +++ b/data/reusables/scim/organization-rest-api-ghec-deployment-option.md @@ -1,2 +1,2 @@ > [!NOTE] -> This operation allows you to provision access to an organization on {% data variables.product.prodname_ghe_cloud %} using SCIM. The operation is not available for use with {% data variables.product.prodname_emus %}. For more information about provisioning {% data variables.enterprise.prodname_managed_users %} using SCIM, see "[AUTOTITLE](/rest/enterprise-admin/scim)." +> This operation allows you to provision access to an organization on {% data variables.product.prodname_ghe_cloud %} using SCIM. The operation is not available for use with {% data variables.product.prodname_emus %}. For more information about provisioning {% data variables.enterprise.prodname_managed_users %} using SCIM, see [AUTOTITLE](/rest/enterprise-admin/scim). diff --git a/data/reusables/scim/public-scim-more-info-about-deprovisioning-and-reactivating.md b/data/reusables/scim/public-scim-more-info-about-deprovisioning-and-reactivating.md index f06293c5a347..8d55d6e07e79 100644 --- a/data/reusables/scim/public-scim-more-info-about-deprovisioning-and-reactivating.md +++ b/data/reusables/scim/public-scim-more-info-about-deprovisioning-and-reactivating.md @@ -1 +1 @@ -For more information, see "[Soft-deprovisioning users with the REST API](#soft-deprovisioning-users-with-the-rest-api)" and "[Reactivating users with the REST API](#reactivating-users-with-the-rest-api)." +For more information, see [Soft-deprovisioning users with the REST API](#soft-deprovisioning-users-with-the-rest-api) and [Reactivating users with the REST API](#reactivating-users-with-the-rest-api). 
diff --git a/data/reusables/search/date_gt_lt.md b/data/reusables/search/date_gt_lt.md index cb3ff27d3833..921cffe335e1 100644 --- a/data/reusables/search/date_gt_lt.md +++ b/data/reusables/search/date_gt_lt.md @@ -1 +1 @@ -When you search for a date, you can use greater than, less than, and range qualifiers to further filter results. For more information, see "[AUTOTITLE](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax)." +When you search for a date, you can use greater than, less than, and range qualifiers to further filter results. For more information, see [AUTOTITLE](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax). diff --git a/data/reusables/search/non-code-search-explanation.md b/data/reusables/search/non-code-search-explanation.md index ef9a04224b13..464fc341d3b1 100644 --- a/data/reusables/search/non-code-search-explanation.md +++ b/data/reusables/search/non-code-search-explanation.md @@ -1 +1 @@ -Note that the syntax and qualifiers for searching for non-code content, such as issues, users, and discussions, is not the same as the syntax for code search. For more information on non-code search, see "[AUTOTITLE](/search-github/getting-started-with-searching-on-github/about-searching-on-github)" and "[AUTOTITLE](/search-github/searching-on-github)." +Note that the syntax and qualifiers for searching for non-code content, such as issues, users, and discussions, is not the same as the syntax for code search. For more information on non-code search, see [AUTOTITLE](/search-github/getting-started-with-searching-on-github/about-searching-on-github) and [AUTOTITLE](/search-github/searching-on-github). diff --git a/data/reusables/search/requested_reviews_search.md b/data/reusables/search/requested_reviews_search.md index 52116ed91316..394caf94df7d 100644 --- a/data/reusables/search/requested_reviews_search.md +++ b/data/reusables/search/requested_reviews_search.md 
@@ -1 +1 @@ -You can find a pull request where you or a team you're a member of is requested for review with the search qualifier `review-requested:[USERNAME]` or `team-review-requested:[TEAMNAME]`. For more information, see "[AUTOTITLE](/search-github/searching-on-github/searching-issues-and-pull-requests)." +You can find a pull request where you or a team you're a member of is requested for review with the search qualifier `review-requested:[USERNAME]` or `team-review-requested:[TEAMNAME]`. For more information, see [AUTOTITLE](/search-github/searching-on-github/searching-issues-and-pull-requests). diff --git a/data/reusables/search/requested_reviews_search_tip.md b/data/reusables/search/requested_reviews_search_tip.md index b7d581a53d6f..8a6ecf2e0f50 100644 --- a/data/reusables/search/requested_reviews_search_tip.md +++ b/data/reusables/search/requested_reviews_search_tip.md @@ -1,2 +1,2 @@ > [!TIP] -> You can find a pull request where you or a team you're a member of is requested for review with the search qualifier `review-requested:[USERNAME]` or `team-review-requested:[TEAMNAME]`. For more information, see "[AUTOTITLE](/search-github/searching-on-github/searching-issues-and-pull-requests)." +> You can find a pull request where you or a team you're a member of is requested for review with the search qualifier `review-requested:[USERNAME]` or `team-review-requested:[TEAMNAME]`. For more information, see [AUTOTITLE](/search-github/searching-on-github/searching-issues-and-pull-requests). diff --git a/data/reusables/search/search_issues_and_pull_requests_shortcut.md b/data/reusables/search/search_issues_and_pull_requests_shortcut.md index 98f5077b2e48..01ea200878bd 100644 --- a/data/reusables/search/search_issues_and_pull_requests_shortcut.md +++ b/data/reusables/search/search_issues_and_pull_requests_shortcut.md 
@@ -1 +1 @@ -You can focus your cursor on the search bar above the issue or pull request list with a keyboard shortcut. For more information, see "[AUTOTITLE](/get-started/accessibility/keyboard-shortcuts#issue-and-pull-request-lists)." +You can focus your cursor on the search bar above the issue or pull request list with a keyboard shortcut. For more information, see [AUTOTITLE](/get-started/accessibility/keyboard-shortcuts#issue-and-pull-request-lists). diff --git a/data/reusables/search/syntax_tips.md b/data/reusables/search/syntax_tips.md index 7cfe15d39dbc..4ff59b106870 100644 --- a/data/reusables/search/syntax_tips.md +++ b/data/reusables/search/syntax_tips.md @@ -2,5 +2,5 @@ {% ifversion ghes %} > * This article contains links to example searches on the {% data variables.product.prodname_dotcom_the_website %} website, but you can use the same search filters with {% data variables.product.product_name %}. In the linked example searches, replace `github.com` with the hostname for {% data variables.location.product_location %}. {% endif %} -> * For a list of search syntaxes that you can add to any search qualifier to further improve your results, see "[AUTOTITLE](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax)". +> * For a list of search syntaxes that you can add to any search qualifier to further improve your results, see [AUTOTITLE](/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax). > * Use quotations around multi-word search terms. For example, if you want to search for issues with the label "In progress," you'd search for `label:"in progress"`. Search is not case sensitive. diff --git a/data/reusables/secret-scanning/alert-type-links.md b/data/reusables/secret-scanning/alert-type-links.md index d7c998acc2e2..d8947273130d 100644 --- a/data/reusables/secret-scanning/alert-type-links.md +++ b/data/reusables/secret-scanning/alert-type-links.md 
@@ -1 +1 @@ -For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts){% elsif ghes %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts){% endif %}." +For more information, see {% ifversion fpt or ghec %}"[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-user-alerts){% elsif ghes %}[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts#about-secret-scanning-alerts){% endif %}. diff --git a/data/reusables/secret-scanning/audit-secret-scanning-events.md b/data/reusables/secret-scanning/audit-secret-scanning-events.md index 6e2211b543ba..c52f9d67c878 100644 --- a/data/reusables/secret-scanning/audit-secret-scanning-events.md +++ b/data/reusables/secret-scanning/audit-secret-scanning-events.md @@ -1 +1 @@ -You can audit the actions taken in response to {% data variables.product.prodname_secret_scanning %} alerts using {% data variables.product.prodname_dotcom %} tools. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." +You can audit the actions taken in response to {% data variables.product.prodname_secret_scanning %} alerts using {% data variables.product.prodname_dotcom %} tools. For more information, see [AUTOTITLE](/code-security/getting-started/auditing-security-alerts). diff --git a/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md b/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md index a794b142e24a..8f033ee835e4 100644 --- a/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md +++ b/data/reusables/secret-scanning/dry-runs-enterprise-permissions.md 
@@ -1 +1 @@ -You can only perform a dry run on repositories that you have administration access to. If an enterprise owner wants access to perform dry runs on any repository in an organization, they must be assigned the organization owner role. For more information, see "[AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise)." +You can only perform a dry run on repositories that you have administration access to. If an enterprise owner wants access to perform dry runs on any repository in an organization, they must be assigned the organization owner role. For more information, see [AUTOTITLE](/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise). diff --git a/data/reusables/secret-scanning/enterprise-enable-secret-scanning.md b/data/reusables/secret-scanning/enterprise-enable-secret-scanning.md index da15e6d0215a..6af5cc3aedcb 100644 --- a/data/reusables/secret-scanning/enterprise-enable-secret-scanning.md +++ b/data/reusables/secret-scanning/enterprise-enable-secret-scanning.md 
@@ -1,8 +1,8 @@ {% ifversion ghes %} > [!NOTE] -> Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for the instance before you can use this feature. For more information, see "[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance)." +> Your site administrator must enable {% data variables.product.prodname_secret_scanning %} for the instance before you can use this feature. For more information, see [AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-secret-scanning-for-your-appliance). > -> You may not be able to enable or disable {% data variables.product.prodname_secret_scanning %}, if an enterprise owner has set a policy at the enterprise level. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise)." +> You may not be able to enable or disable {% data variables.product.prodname_secret_scanning %}, if an enterprise owner has set a policy at the enterprise level. For more information, see [AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise). {% endif %} diff --git a/data/reusables/secret-scanning/link-to-push-protection.md b/data/reusables/secret-scanning/link-to-push-protection.md index 5975dd27ff60..af54281313c7 100644 --- a/data/reusables/secret-scanning/link-to-push-protection.md +++ b/data/reusables/secret-scanning/link-to-push-protection.md 
@@ -1 +1 @@ -You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see "[Enabling push protection for a custom pattern](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns#enabling-push-protection-for-a-custom-pattern)." +You can configure {% data variables.product.prodname_secret_scanning %} to check pushes for custom patterns before commits are merged into the default branch. For more information, see [Enabling push protection for a custom pattern](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/managing-custom-patterns#enabling-push-protection-for-a-custom-pattern). diff --git a/data/reusables/secret-scanning/partner-program-link.md b/data/reusables/secret-scanning/partner-program-link.md index 4d358da42e48..b6554a9eac25 100644 --- a/data/reusables/secret-scanning/partner-program-link.md +++ b/data/reusables/secret-scanning/partner-program-link.md 
@@ -1,5 +1,5 @@ {% ifversion fpt or ghec %} -To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)." +To find out about our partner program, see [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program). {% else %} -To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation. +To find out about our partner program, see [AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program) in the {% data variables.product.prodname_ghe_cloud %} documentation. {% endif %} diff --git a/data/reusables/secret-scanning/push-protection-allow-secrets-alerts.md b/data/reusables/secret-scanning/push-protection-allow-secrets-alerts.md index 39009a081ba3..35ed2f133385 100644 --- a/data/reusables/secret-scanning/push-protection-allow-secrets-alerts.md +++ b/data/reusables/secret-scanning/push-protection-allow-secrets-alerts.md 
@@ -1 +1 @@ -When you allow a secret to be pushed, an alert is created in the **Security** tab. {% data variables.product.prodname_dotcom %} closes the alert and doesn't send a notification if you specify that the secret is a false positive or used only in tests. If you specify that the secret is real and that you will fix it later, {% data variables.product.prodname_dotcom %} keeps the security alert open and sends notifications to the author of the commit, as well as to repository administrators. For more information, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)." +When you allow a secret to be pushed, an alert is created in the **Security** tab. {% data variables.product.prodname_dotcom %} closes the alert and doesn't send a notification if you specify that the secret is a false positive or used only in tests. If you specify that the secret is real and that you will fix it later, {% data variables.product.prodname_dotcom %} keeps the security alert open and sends notifications to the author of the commit, as well as to repository administrators. For more information, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning). diff --git a/data/reusables/secret-scanning/push-protection-enterprise-note.md b/data/reusables/secret-scanning/push-protection-enterprise-note.md index e780bc770143..b06fd932e33f 100644 --- a/data/reusables/secret-scanning/push-protection-enterprise-note.md +++ b/data/reusables/secret-scanning/push-protection-enterprise-note.md 
@@ -1,3 +1,3 @@ > [!NOTE] -> * To enable push protection for custom patterns, {% data variables.product.prodname_secret_scanning %} as push protection needs to be enabled at the enterprise level. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-your-enterprise)." +> * To enable push protection for custom patterns, {% data variables.product.prodname_secret_scanning %} as push protection needs to be enabled at the enterprise level. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-your-enterprise). > * Enabling push protection for commonly found custom patterns can be disruptive to contributors. diff --git a/data/reusables/secret-scanning/push-protection-org-notes.md b/data/reusables/secret-scanning/push-protection-org-notes.md index b15d2405f563..76c1e6c4fb22 100644 --- a/data/reusables/secret-scanning/push-protection-org-notes.md +++ b/data/reusables/secret-scanning/push-protection-org-notes.md 
@@ -1,4 +1,4 @@ > [!NOTE] > * The option to enable push protection is visible for published patterns only. -> * Push protection for custom patterns will only apply to repositories in your organization that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization)." +> * Push protection for custom patterns will only apply to repositories in your organization that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization). > * Enabling push protection for commonly found custom patterns can be disruptive to contributors. diff --git a/data/reusables/secret-scanning/push-protection-public-repos-bypass.md b/data/reusables/secret-scanning/push-protection-public-repos-bypass.md index 3380b58a469f..1b3cfdc0b01d 100644 --- a/data/reusables/secret-scanning/push-protection-public-repos-bypass.md +++ b/data/reusables/secret-scanning/push-protection-public-repos-bypass.md 
@@ -5,6 +5,6 @@ > > When pushing to a _public_ repository that doesn't have secret scanning enabled, you are still protected from accidentally pushing secrets thanks to _push protection for users_, which is on by default for your user account. > - > With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)." + > With push protection for users, GitHub will automatically block pushes to public repositories if these pushes contain supported secrets, but you won't need to specify a reason for allowing the secret, and {% data variables.product.prodname_dotcom %} won't generate an alert. For more information, see [AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users). {% endif %} diff --git a/data/reusables/secret-scanning/secret-scanning-enterprise-level-api.md b/data/reusables/secret-scanning/secret-scanning-enterprise-level-api.md index ae6501e9a00c..03e4381e379f 100644 --- a/data/reusables/secret-scanning/secret-scanning-enterprise-level-api.md +++ b/data/reusables/secret-scanning/secret-scanning-enterprise-level-api.md @@ -1 +1 @@ -You can also enable or disable {% data variables.product.prodname_advanced_security %} features via the API. For more information, see "[AUTOTITLE](/rest/secret-scanning#enable-or-disable-security-features-for-an-enterprise)" in the REST API documentation. +You can also enable or disable {% data variables.product.prodname_advanced_security %} features via the API. For more information, see [AUTOTITLE](/rest/secret-scanning#enable-or-disable-security-features-for-an-enterprise) in the REST API documentation. 
diff --git a/data/reusables/secret-scanning/view-custom-pattern.md b/data/reusables/secret-scanning/view-custom-pattern.md index be93ccf9d8cd..35957abf6e75 100644 --- a/data/reusables/secret-scanning/view-custom-pattern.md +++ b/data/reusables/secret-scanning/view-custom-pattern.md 
@@ -1,3 +1,3 @@ 1. Navigate to where the custom pattern was created. A custom pattern can be created in a repository, organization, or enterprise account. - * For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see "[Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository)" or "[Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization)". - * For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see "[Defining a custom pattern for an enterprise account](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account)." + * For a repository or organization, display the "Security & analysis" settings for the repository or organization where the custom pattern was created. For more information, see [Defining a custom pattern for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository) or [Defining a custom pattern for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization). 
+ * For an enterprise, under "Policies" display the "Advanced Security" area, and then click **Security features**. For more information, see [Defining a custom pattern for an enterprise account](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account). diff --git a/data/reusables/security-advisory/link-browsing-advisory-db.md b/data/reusables/security-advisory/link-browsing-advisory-db.md index 45c87d77c45a..e084d3a38d21 100644 --- a/data/reusables/security-advisory/link-browsing-advisory-db.md +++ b/data/reusables/security-advisory/link-browsing-advisory-db.md @@ -1 +1 @@ -For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)." +For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database). diff --git a/data/reusables/security-advisory/private-vulnerability-api.md b/data/reusables/security-advisory/private-vulnerability-api.md index 48407e60d7e7..51b98f9e100f 100644 --- a/data/reusables/security-advisory/private-vulnerability-api.md +++ b/data/reusables/security-advisory/private-vulnerability-api.md @@ -1 +1 @@ -Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see "[Privately report a security vulnerability](/rest/security-advisories/repository-advisories#privately-report-a-security-vulnerability)." +Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see [Privately report a security vulnerability](/rest/security-advisories/repository-advisories#privately-report-a-security-vulnerability). 
diff --git a/data/reusables/security-advisory/private-vulnerability-reporting-disabled.md b/data/reusables/security-advisory/private-vulnerability-reporting-disabled.md index 0ddf3d9eb746..d8b3775cc185 100644 --- a/data/reusables/security-advisory/private-vulnerability-reporting-disabled.md +++ b/data/reusables/security-advisory/private-vulnerability-reporting-disabled.md @@ -1,2 +1,2 @@ > [!NOTE] -> If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or create an issue asking the maintainers for a preferred security contact. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)." +> If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or create an issue asking the maintainers for a preferred security contact. For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github). diff --git a/data/reusables/security-advisory/private-vulnerability-reporting-enable.md b/data/reusables/security-advisory/private-vulnerability-reporting-enable.md index 3fe79290571c..4b64ebfc6f6b 100644 --- a/data/reusables/security-advisory/private-vulnerability-reporting-enable.md +++ b/data/reusables/security-advisory/private-vulnerability-reporting-enable.md 
@@ -1 +1 @@ -Owners and administrators of public repositories can enable private vulnerability reporting on their repositories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)." +Owners and administrators of public repositories can enable private vulnerability reporting on their repositories. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository). diff --git a/data/reusables/security-advisory/reporting-a-vulnerability-non-admin.md b/data/reusables/security-advisory/reporting-a-vulnerability-non-admin.md index 05f90d79bb07..0c9fd6c15a47 100644 --- a/data/reusables/security-advisory/reporting-a-vulnerability-non-admin.md +++ b/data/reusables/security-advisory/reporting-a-vulnerability-non-admin.md 
@@ -4,9 +4,9 @@ 1. Fill in the advisory details form. > [!TIP] - > In this form, only the title and description are mandatory. (In the general draft security advisory form, which the repository maintainer initiates, specifying the ecosystem is also required.) However, we recommend security researchers provide as much information as possible on the form so that the maintainers can make an informed decision about the submitted report. You can adopt the template used by our security researchers from the {% data variables.product.prodname_security %}, which is available on the "[`github/securitylab` repository](https://github.com/github/securitylab/blob/main/docs/report-template.md)." + > In this form, only the title and description are mandatory. (In the general draft security advisory form, which the repository maintainer initiates, specifying the ecosystem is also required.) However, we recommend security researchers provide as much information as possible on the form so that the maintainers can make an informed decision about the submitted report. You can adopt the template used by our security researchers from the {% data variables.product.prodname_security %}, which is available on the [`github/securitylab` repository](https://github.com/github/securitylab/blob/main/docs/report-template.md). - For more information about the fields available and guidance on filling in the form, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)." 
+ For more information about the fields available and guidance on filling in the form, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory) and [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories). 1. At the bottom of the form, click **Submit report**. {% data variables.product.prodname_dotcom %} will display a message letting you know that maintainers have been notified and that you have a pending credit for this security advisory. diff --git a/data/reusables/security-advisory/repository-level-advisory-note.md b/data/reusables/security-advisory/repository-level-advisory-note.md index 99b078df658e..fb7f927ad71a 100644 --- a/data/reusables/security-advisory/repository-level-advisory-note.md +++ b/data/reusables/security-advisory/repository-level-advisory-note.md 
@@ -1,4 +1,4 @@ > [!NOTE] > This article applies to editing repository-level advisories as an owner of a public repository. > -> Users who are not repository owners can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)." +> Users who are not repository owners can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database). diff --git a/data/reusables/security-advisory/security-researcher-cannot-create-advisory.md b/data/reusables/security-advisory/security-researcher-cannot-create-advisory.md index be9570614881..c55350db8572 100644 --- a/data/reusables/security-advisory/security-researcher-cannot-create-advisory.md +++ b/data/reusables/security-advisory/security-researcher-cannot-create-advisory.md 
@@ -1,2 +1,2 @@ > [!NOTE] -> If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer. However, if private vulnerability reporting is enabled for the repository, you can _privately_ report a vulnerability yourself. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)." +> If you are a security researcher, you should directly contact maintainers to ask them to create security advisories or issue CVEs on your behalf in repositories that you don't administer. However, if private vulnerability reporting is enabled for the repository, you can _privately_ report a vulnerability yourself. For more information, see [AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). diff --git a/data/reusables/security-configurations/edit-configuration-next-step.md b/data/reusables/security-configurations/edit-configuration-next-step.md index bb6eb69ea438..84aa7d24c33f 100644 --- a/data/reusables/security-configurations/edit-configuration-next-step.md +++ b/data/reusables/security-configurations/edit-configuration-next-step.md @@ -1 +1 @@ -To learn how to edit your {% data variables.product.prodname_custom_security_configuration %}, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration)." +To learn how to edit your {% data variables.product.prodname_custom_security_configuration %}, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/editing-a-custom-security-configuration). 
diff --git a/data/reusables/security-configurations/enable-security-features-with-gh-config.md b/data/reusables/security-configurations/enable-security-features-with-gh-config.md index 11fe44f5b24b..45448dd345b1 100644 --- a/data/reusables/security-configurations/enable-security-features-with-gh-config.md +++ b/data/reusables/security-configurations/enable-security-features-with-gh-config.md @@ -1 +1 @@ -You can quickly enable security features at scale with {% ifversion security-configurations-cloud %}the {% data variables.product.prodname_github_security_configuration %}{% else %}a {% data variables.product.prodname_security_configuration %}{% endif %}, a collection of security enablement settings you can apply to repositories in an organization. You can then further customize {% data variables.product.prodname_GH_advanced_security %} features at the organization level with {% data variables.product.prodname_global_settings %}. See "[AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale)." +You can quickly enable security features at scale with {% ifversion security-configurations-cloud %}the {% data variables.product.prodname_github_security_configuration %}{% else %}a {% data variables.product.prodname_security_configuration %}{% endif %}, a collection of security enablement settings you can apply to repositories in an organization. You can then further customize {% data variables.product.prodname_GH_advanced_security %} features at the organization level with {% data variables.product.prodname_global_settings %}. See [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale). diff --git a/data/reusables/security-configurations/managing-GHAS-licenses.md b/data/reusables/security-configurations/managing-GHAS-licenses.md index beaf38038c30..86947a356ea5 100644 
--- a/data/reusables/security-configurations/managing-GHAS-licenses.md +++ b/data/reusables/security-configurations/managing-GHAS-licenses.md @@ -1,2 +1,2 @@ >[!NOTE] -> With {% data variables.product.prodname_security_configurations %}, you can manage {% data variables.product.prodname_GH_advanced_security %} feature enablement and license usage for your organization. See "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage)." +> With {% data variables.product.prodname_security_configurations %}, you can manage {% data variables.product.prodname_GH_advanced_security %} feature enablement and license usage for your organization. See [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/managing-your-github-advanced-security-license-usage). diff --git a/data/reusables/security-configurations/troubleshooting-next-step.md b/data/reusables/security-configurations/troubleshooting-next-step.md index b8ca485bd428..eaa344147f0c 100644 --- a/data/reusables/security-configurations/troubleshooting-next-step.md +++ b/data/reusables/security-configurations/troubleshooting-next-step.md 
@@ -1 +1 @@ -You may encounter an error when you attempt to apply a {% data variables.product.prodname_security_configuration %}. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/finding-repositories-with-attachment-failures)" and "[AUTOTITLE](/code-security/securing-your-organization/troubleshooting-security-configurations/)." +You may encounter an error when you attempt to apply a {% data variables.product.prodname_security_configuration %}. For more information, see [AUTOTITLE](/code-security/securing-your-organization/managing-the-security-of-your-organization/finding-repositories-with-attachment-failures) and [AUTOTITLE](/code-security/securing-your-organization/troubleshooting-security-configurations/). diff --git a/data/reusables/security-overview/enterprise-filters-tip.md b/data/reusables/security-overview/enterprise-filters-tip.md index 96826857b416..9e8d068ff421 100644 --- a/data/reusables/security-overview/enterprise-filters-tip.md +++ b/data/reusables/security-overview/enterprise-filters-tip.md 
@@ -1,2 +1,2 @@ > [!TIP] -> You can use the `owner` filter in the search field to filter the data by organization. {% ifversion ghec %}If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can use the `owner-type` filter to filter the data by the type of repository owner, so that you can view data from either organization-owned repositories or user-owned repositories. {% endif %}For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview#repository-owner-name-and-type-filters)." +> You can use the `owner` filter in the search field to filter the data by organization. {% ifversion ghec %}If you're an owner of an {% data variables.enterprise.prodname_emu_enterprise %}, you can use the `owner-type` filter to filter the data by the type of repository owner, so that you can view data from either organization-owned repositories or user-owned repositories. {% endif %}For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview#repository-owner-name-and-type-filters). diff --git a/data/reusables/security-overview/filter-and-toggle.md b/data/reusables/security-overview/filter-and-toggle.md index 72a4d3991c2e..961ea62da1d9 100644 --- a/data/reusables/security-overview/filter-and-toggle.md +++ b/data/reusables/security-overview/filter-and-toggle.md 
@@ -7,5 +7,5 @@ {% endif %} {% ifversion security-overview-3-tab-dashboard %}{% else %} -1. For the alert trends graph at the top of the page, you can click **{% octicon "shield" aria-hidden="true" %} Open alerts** or **{% octicon "shield-x" aria-hidden="true" %} Closed alerts** to toggle between showing the trends for open or closed alerts. The toggle will only affect the alert trends graph. For more information, see "[Alert trends graph](#alert-trends-graph)." +1. For the alert trends graph at the top of the page, you can click **{% octicon "shield" aria-hidden="true" %} Open alerts** or **{% octicon "shield-x" aria-hidden="true" %} Closed alerts** to toggle between showing the trends for open or closed alerts. The toggle will only affect the alert trends graph. For more information, see [Alert trends graph](#alert-trends-graph). {% endif %} diff --git a/data/reusables/security-overview/filter-secret-scanning-metrics.md b/data/reusables/security-overview/filter-secret-scanning-metrics.md index 813b810b707b..252f6585829f 100644 --- a/data/reusables/security-overview/filter-secret-scanning-metrics.md +++ b/data/reusables/security-overview/filter-secret-scanning-metrics.md 
@@ -1,3 +1,3 @@ 1. You can use the options at the top of the page to filter the group of repositories that you want to see {% data variables.product.prodname_secret_scanning %} metrics for. * Use the date picker to set the time range that you want to view metrics for. Note that the date used by the date picker corresponds to the date a secret was bypassed on. - * Click in the search box to add further filters on the {% data variables.product.prodname_secret_scanning %} metrics displayed. For more information, see "[AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview)." + * Click in the search box to add further filters on the {% data variables.product.prodname_secret_scanning %} metrics displayed. For more information, see [AUTOTITLE](/code-security/security-overview/filtering-alerts-in-security-overview). diff --git a/data/reusables/security-overview/information-varies-GHAS.md b/data/reusables/security-overview/information-varies-GHAS.md index b9d2d67fe56d..396077af616f 100644 --- a/data/reusables/security-overview/information-varies-GHAS.md +++ b/data/reusables/security-overview/information-varies-GHAS.md @@ -1 +1 @@ -The information shown by security overview varies according to your access to repositories and organizations, and according to whether {% data variables.product.prodname_GH_advanced_security %} is used by those repositories and organizations. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview#permission-to-view-data-in-security-overview)." +The information shown by security overview varies according to your access to repositories and organizations, and according to whether {% data variables.product.prodname_GH_advanced_security %} is used by those repositories and organizations. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview#permission-to-view-data-in-security-overview). 
diff --git a/data/reusables/security-overview/security-information-about-actions.md b/data/reusables/security-overview/security-information-about-actions.md index 63bb4f75ecf6..6ea22b02855a 100644 --- a/data/reusables/security-overview/security-information-about-actions.md +++ b/data/reusables/security-overview/security-information-about-actions.md @@ -1 +1 @@ -If you use {% data variables.product.prodname_actions %}, you can use {% data variables.product.prodname_dotcom %}'s security features to increase the security of your workflows. For more information, see "[AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions)." +If you use {% data variables.product.prodname_actions %}, you can use {% data variables.product.prodname_dotcom %}'s security features to increase the security of your workflows. For more information, see [AUTOTITLE](/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions). diff --git a/data/reusables/security-overview/settings-limitations.md b/data/reusables/security-overview/settings-limitations.md index 86ba27f1619a..d4a7f0c85f0a 100644 --- a/data/reusables/security-overview/settings-limitations.md +++ b/data/reusables/security-overview/settings-limitations.md 
@@ -2,7 +2,7 @@ > [!NOTE] > * Enabling {% data variables.product.prodname_code_scanning %} default setup _will not_ override any existing configurations of advanced setup for the selected repositories, but it _will_ override any existing configurations of default setup. -> * Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see "[Supported secrets](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)." +> * Enabling "Alerts" for {% data variables.product.prodname_secret_scanning %} enables {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} alerts. If you want to enable non-provider alerts, you need to edit the repository, organization, or enterprise settings. For more information about alert types, see [Supported secrets](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets). {% elsif bulk-code-scanning-query-suite and not fpt %} diff --git a/data/reusables/security/note-securing-your-org.md b/data/reusables/security/note-securing-your-org.md index 21652afeb7a7..0a476d84341a 100644 --- a/data/reusables/security/note-securing-your-org.md +++ b/data/reusables/security/note-securing-your-org.md 
@@ -1 +1 @@ -For more information about enabling security features across an organization, see {% ifversion security-configurations %}"[AUTOTITLE](/code-security/securing-your-organization)."{% else %}"[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization)."{% endif %} +For more information about enabling security features across an organization, see {% ifversion security-configurations %}[AUTOTITLE](/code-security/securing-your-organization).{% else %}[AUTOTITLE](/code-security/getting-started/quickstart-for-securing-your-organization).{% endif %} diff --git a/data/reusables/shortdesc/authenticating_github_app.md b/data/reusables/shortdesc/authenticating_github_app.md index cf4967a3c760..beec810d01f0 100644 --- a/data/reusables/shortdesc/authenticating_github_app.md +++ b/data/reusables/shortdesc/authenticating_github_app.md @@ -1 +1 @@ -For information on how to authenticate as a GitHub App, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)." +For information on how to authenticate as a GitHub App, see [AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app). diff --git a/data/reusables/sponsors/feedback.md b/data/reusables/sponsors/feedback.md index f361a00f6c94..861b6e4c7f3b 100644 --- a/data/reusables/sponsors/feedback.md +++ b/data/reusables/sponsors/feedback.md @@ -1 +1 @@ -You can share your feedback about {% data variables.product.prodname_sponsors %} with {% data variables.product.company_short %}. To join the conversation, see "[Sponsors Feedback](https://github.com/orgs/community/discussions/categories/sponsors)." +You can share your feedback about {% data variables.product.prodname_sponsors %} with {% data variables.product.company_short %}. To join the conversation, see [Sponsors Feedback](https://github.com/orgs/community/discussions/categories/sponsors). 
diff --git a/data/reusables/sponsors/legal-additional-terms.md b/data/reusables/sponsors/legal-additional-terms.md index 79e7153fcb35..85e5b3d8b8d9 100644 --- a/data/reusables/sponsors/legal-additional-terms.md +++ b/data/reusables/sponsors/legal-additional-terms.md @@ -1 +1 @@ -The {% data variables.product.prodname_matching_fund %} is a gift designed to encourage community funding of work on open source and is subject to additional terms and conditions. For detailed information about the {% data variables.product.prodname_matching_fund %}, see the "[AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-sponsors-additional-terms)." +The {% data variables.product.prodname_matching_fund %} is a gift designed to encourage community funding of work on open source and is subject to additional terms and conditions. For detailed information about the {% data variables.product.prodname_matching_fund %}, see the [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-sponsors-additional-terms). diff --git a/data/reusables/sponsors/manage-updates-for-orgs.md b/data/reusables/sponsors/manage-updates-for-orgs.md index 7628782c846e..913d0204651c 100644 --- a/data/reusables/sponsors/manage-updates-for-orgs.md +++ b/data/reusables/sponsors/manage-updates-for-orgs.md @@ -1 +1 @@ -You can designate which email address receives updates from the accounts your organization sponsors. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-updates-from-accounts-your-organization-sponsors)." +You can designate which email address receives updates from the accounts your organization sponsors. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/managing-updates-from-accounts-your-organization-sponsors). diff --git a/data/reusables/sponsors/no-fees.md b/data/reusables/sponsors/no-fees.md index b16728241a5c..a2879c57f224 100644 --- a/data/reusables/sponsors/no-fees.md 
+++ b/data/reusables/sponsors/no-fees.md @@ -3,4 +3,4 @@ * 3% credit card processing fee * 3% {% data variables.product.company_short %} service processing fee -Organizations can save the 3% credit card processing fee by switching to invoiced billing for sponsorships. For more information, see "[AUTOTITLE](/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice)." +Organizations can save the 3% credit card processing fee by switching to invoiced billing for sponsorships. For more information, see [AUTOTITLE](/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice). diff --git a/data/reusables/sponsors/payout-choice.md b/data/reusables/sponsors/payout-choice.md index de550db7de98..e6eebd1aa794 100644 --- a/data/reusables/sponsors/payout-choice.md +++ b/data/reusables/sponsors/payout-choice.md @@ -1,3 +1,3 @@ -1. Decide whether to receive sponsorship payouts via a bank account or through a fiscal host. For more information about setting up and using fiscal hosts, see "[AUTOTITLE](/sponsors/receiving-sponsorships-through-github-sponsors/using-a-fiscal-host-to-receive-github-sponsors-payouts)." +1. Decide whether to receive sponsorship payouts via a bank account or through a fiscal host. For more information about setting up and using fiscal hosts, see [AUTOTITLE](/sponsors/receiving-sponsorships-through-github-sponsors/using-a-fiscal-host-to-receive-github-sponsors-payouts). Note that you can only set up your fiscal host information at the time you sign up for {% data variables.product.prodname_sponsors %}. If you decide you want to switch to using a fiscal host after your profile has been set up, please contact us through the {% data variables.contact.contact_support_portal %}. diff --git a/data/reusables/sponsors/payout-info.md b/data/reusables/sponsors/payout-info.md index 581d2ef34fb7..0e20aaf11f49 100644 --- a/data/reusables/sponsors/payout-info.md +++ b/data/reusables/sponsors/payout-info.md 
@@ -1 +1 @@ -For information about timing for payments from {% data variables.product.prodname_sponsors %}, see "[AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-sponsors-additional-terms#43-payment-timing)." +For information about timing for payments from {% data variables.product.prodname_sponsors %}, see [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-sponsors-additional-terms#43-payment-timing). diff --git a/data/reusables/sponsors/sponsor-as-business.md b/data/reusables/sponsors/sponsor-as-business.md index efc9f841fb47..29a303c43bb7 100644 --- a/data/reusables/sponsors/sponsor-as-business.md +++ b/data/reusables/sponsors/sponsor-as-business.md @@ -1,4 +1,4 @@ -1. If you are sponsoring an account as a business, click **Yes**. Filling out the related fields will help your sponsored accounts calculate and pay taxes where appropriate. For more information, see "[Tax information for {% data variables.product.prodname_sponsors %}](/sponsors/receiving-sponsorships-through-github-sponsors/tax-information-for-github-sponsors#sales-tax)." +1. If you are sponsoring an account as a business, click **Yes**. Filling out the related fields will help your sponsored accounts calculate and pay taxes where appropriate. For more information, see [Tax information for {% data variables.product.prodname_sponsors %}](/sponsors/receiving-sponsorships-through-github-sponsors/tax-information-for-github-sponsors#sales-tax). * Select the "Country" dropdown menu, then click your business' country. * Next, select the "Region" dropdown menu and click your business' region within your country. * If applicable, click the "VAT number" text field, then type your value-added tax (VAT) identification number. diff --git a/data/reusables/sponsors/tier-details.md b/data/reusables/sponsors/tier-details.md index 6a0e5851c42d..39e6ffbf190e 100644 --- a/data/reusables/sponsors/tier-details.md +++ b/data/reusables/sponsors/tier-details.md 
@@ -6,7 +6,7 @@ You can customize the rewards for each tier. For example, rewards for a tier cou * Weekly newsletter updates * Other rewards your sponsors would enjoy ✨ -{% data reusables.sponsors.sponsors-only-repos %} For more information, see "[AUTOTITLE](/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers#adding-a-repository-to-a-sponsorship-tier)." +{% data reusables.sponsors.sponsors-only-repos %} For more information, see [AUTOTITLE](/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers#adding-a-repository-to-a-sponsorship-tier). You can include a welcome message with information about accessing or receiving rewards, which will be visible after payment and in the welcome email. diff --git a/data/reusables/ssh/add-public-key-to-github.md b/data/reusables/ssh/add-public-key-to-github.md index 644b59a7e049..1df775a08a95 100644 --- a/data/reusables/ssh/add-public-key-to-github.md +++ b/data/reusables/ssh/add-public-key-to-github.md @@ -1 +1 @@ -1. Add the SSH public key to your account on {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)." +1. Add the SSH public key to your account on {% data variables.product.prodname_dotcom %}. For more information, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account). diff --git a/data/reusables/ssh/apple-use-keychain.md b/data/reusables/ssh/apple-use-keychain.md index fa630a7aa688..0930c400005a 100644 --- a/data/reusables/ssh/apple-use-keychain.md +++ b/data/reusables/ssh/apple-use-keychain.md 
@@ -3,6 +3,6 @@ > > The `--apple-use-keychain` option is in Apple's standard version of `ssh-add`. In macOS versions prior to Monterey (12.0), the `--apple-use-keychain` and `--apple-load-keychain` flags used the syntax `-K` and `-A`, respectively. > -> If you don't have Apple's standard version of `ssh-add` installed, you may receive an error. For more information, see "[AUTOTITLE](/authentication/troubleshooting-ssh/error-ssh-add-illegal-option----apple-use-keychain)." +> If you don't have Apple's standard version of `ssh-add` installed, you may receive an error. For more information, see [AUTOTITLE](/authentication/troubleshooting-ssh/error-ssh-add-illegal-option----apple-use-keychain). > > If you continue to be prompted for your passphrase, you may need to add the command to your `~/.zshrc` file (or your `~/.bashrc` file for bash). diff --git a/data/reusables/support/ask-and-answer-forum.md b/data/reusables/support/ask-and-answer-forum.md index 923b039be77d..6058a4a7bc5f 100644 --- a/data/reusables/support/ask-and-answer-forum.md +++ b/data/reusables/support/ask-and-answer-forum.md @@ -1 +1 @@ -You can connect with developers around the world to ask and answer questions, learn, and interact directly with {% data variables.product.product_name %} staff. To get the conversation started, see "[{% data variables.product.prodname_gcf %}](https://github.com/orgs/community/discussions/)." +You can connect with developers around the world to ask and answer questions, learn, and interact directly with {% data variables.product.product_name %} staff. To get the conversation started, see [{% data variables.product.prodname_gcf %}](https://github.com/orgs/community/discussions/). diff --git a/data/reusables/support/enterprise-comment-on-support-tickets.md b/data/reusables/support/enterprise-comment-on-support-tickets.md index c07ac5110468..86bbab54ca52 100644 --- a/data/reusables/support/enterprise-comment-on-support-tickets.md 
+++ b/data/reusables/support/enterprise-comment-on-support-tickets.md @@ -3,4 +3,4 @@ To comment on a ticket associated with your enterprise account that was opened b * An email address associated with your {% data variables.product.prodname_dotcom %} account is copied on the ticket * Your enterprise on {% data variables.product.prodname_ghe_cloud %} has a verified domain and the person who opened the ticket selected their verified-domain email -For more information about verifying a domain, see "[AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise)" and "[AUTOTITLE](/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization)." +For more information about verifying a domain, see [AUTOTITLE](/enterprise-cloud@latest/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise) and [AUTOTITLE](/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization). diff --git a/data/reusables/support/entitlements-note.md b/data/reusables/support/entitlements-note.md index 0a29c64e1cbe..5e6fdcea118a 100644 --- a/data/reusables/support/entitlements-note.md +++ b/data/reusables/support/entitlements-note.md @@ -1,2 +1,2 @@ > [!NOTE] -> You must have an enterprise support entitlement to view tickets associated with an organization or enterprise account. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-users-in-your-enterprise/managing-support-entitlements-for-your-enterprise)." +> You must have an enterprise support entitlement to view tickets associated with an organization or enterprise account. For more information, see [AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-users-in-your-enterprise/managing-support-entitlements-for-your-enterprise). 
diff --git a/data/reusables/support/submit-a-ticket.md b/data/reusables/support/submit-a-ticket.md index d57348a1f966..cd3ef282be0c 100644 --- a/data/reusables/support/submit-a-ticket.md +++ b/data/reusables/support/submit-a-ticket.md 
@@ -9,8 +9,8 @@ 1. Select the **Select personal account, enterprise account or organization** dropdown menu and click the name of the account your support ticket is regarding. > [!NOTE] - > * For Premium, Premium Plus, or Engineering Direct support, you need to choose an enterprise account with a {% data variables.contact.premium_support %} plan. If you don't see an Enterprises section in the dropdown menu, you're not entitled to open support tickets on behalf of an enterprise account. For more information, see "[AUTOTITLE](/support/learning-about-github-support/about-github-support#about-support-entitlement)" - > * To see a list of your enterprise accounts with a {% data variables.contact.premium_support %} plan, you must be signed into the {% data variables.contact.enterprise_portal %}. For more information, see "[AUTOTITLE](/support/contacting-github-support/getting-your-enterprise-started-with-the-github-support-portal)." + > * For Premium, Premium Plus, or Engineering Direct support, you need to choose an enterprise account with a {% data variables.contact.premium_support %} plan. If you don't see an Enterprises section in the dropdown menu, you're not entitled to open support tickets on behalf of an enterprise account. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-support#about-support-entitlement) + > * To see a list of your enterprise accounts with a {% data variables.contact.premium_support %} plan, you must be signed into the {% data variables.contact.enterprise_portal %}. For more information, see [AUTOTITLE](/support/contacting-github-support/getting-your-enterprise-started-with-the-github-support-portal). {% endif %} 1. Select the **From** dropdown menu and click the email address you'd like {% data variables.contact.github_support %} to contact. 
@@ -59,10 +59,10 @@ * Any special circumstances surrounding the discovery of the issue (for example, the first occurrence or occurrence after a specific event, frequency of occurrence, business impact of the problem, and suggested urgency) * Exact wording of error messages - You can attach files up to 50MB.{% ifversion ghes %} For larger attachments, such as support bundles, see "[AUTOTITLE](/support/contacting-github-support/providing-data-to-github-support#creating-and-sharing-support-bundles)."{% endif %} + You can attach files up to 50MB.{% ifversion ghes %} For larger attachments, such as support bundles, see [AUTOTITLE](/support/contacting-github-support/providing-data-to-github-support#creating-and-sharing-support-bundles).{% endif %} > [!WARNING] - > When you upload an image or video to a pull request or issue comment, or upload a file to a ticket in the {% data variables.contact.landing_page_portal %}, anyone can view the anonymized URL without authentication, even if the pull request or issue is in a private repository{% ifversion ghes %}, or if private mode is enabled{% endif %}. To keep sensitive media files private, serve them from a private network or server that requires authentication. {% ifversion fpt or ghec %}For more information on anonymized URLs see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/about-anonymized-urls)."{% endif %} + > When you upload an image or video to a pull request or issue comment, or upload a file to a ticket in the {% data variables.contact.landing_page_portal %}, anyone can view the anonymized URL without authentication, even if the pull request or issue is in a private repository{% ifversion ghes %}, or if private mode is enabled{% endif %}. To keep sensitive media files private, serve them from a private network or server that requires authentication. 
{% ifversion fpt or ghec %}For more information on anonymized URLs see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/about-anonymized-urls).{% endif %} {%- ifversion ghes %} 1. Optionally, attach diagnostics files and other files by dragging and dropping, uploading, or pasting from the clipboard. diff --git a/data/reusables/support/support-ticket-translation-option.md b/data/reusables/support/support-ticket-translation-option.md index 1ef9cf75c9ec..4c25dfa9ceb6 100644 --- a/data/reusables/support/support-ticket-translation-option.md +++ b/data/reusables/support/support-ticket-translation-option.md @@ -1 +1 @@ -You can translate English comments on a ticket into Chinese (Simplified), French, German, Japanese, Portuguese (Brazil), or Spanish. However, when responding to tickets, you should use English, unless your {% data variables.product.prodname_dotcom %} plan permits you to respond in Japanese. For more information, see "[AUTOTITLE](/support/contacting-github-support/viewing-and-updating-support-tickets)." +You can translate English comments on a ticket into Chinese (Simplified), French, German, Japanese, Portuguese (Brazil), or Spanish. However, when responding to tickets, you should use English, unless your {% data variables.product.prodname_dotcom %} plan permits you to respond in Japanese. For more information, see [AUTOTITLE](/support/contacting-github-support/viewing-and-updating-support-tickets). diff --git a/data/reusables/two_fa/after-2fa-add-security-key.md b/data/reusables/two_fa/after-2fa-add-security-key.md index fabb671a9d2c..f2b19abf7f82 100644 --- a/data/reusables/two_fa/after-2fa-add-security-key.md +++ b/data/reusables/two_fa/after-2fa-add-security-key.md 
@@ -1 +1 @@ -After you configure 2FA, using a time-based one-time password (TOTP) mobile app{% ifversion fpt or ghec %}, or via text message{% endif %}, you can add a security key, like a FIDO2 hardware security key, Apple Touch ID or Windows Hello. The technology that enables authentication with a security key is called WebAuthn. WebAuthn is the successor to U2F and works in all modern browsers. For more information, see "[WebAuthn](https://webauthn.guide/)" and "[Can I Use](https://caniuse.com/#search=webauthn)." +After you configure 2FA, using a time-based one-time password (TOTP) mobile app{% ifversion fpt or ghec %}, or via text message{% endif %}, you can add a security key, like a FIDO2 hardware security key, Apple Touch ID or Windows Hello. The technology that enables authentication with a security key is called WebAuthn. WebAuthn is the successor to U2F and works in all modern browsers. For more information, see [WebAuthn](https://webauthn.guide/) and [Can I Use](https://caniuse.com/#search=webauthn). diff --git a/data/reusables/two_fa/backup_options_during_2fa_enrollment.md b/data/reusables/two_fa/backup_options_during_2fa_enrollment.md index 4f859c5b0e5c..9a5de682aea2 100644 --- a/data/reusables/two_fa/backup_options_during_2fa_enrollment.md +++ b/data/reusables/two_fa/backup_options_during_2fa_enrollment.md 
@@ -1 +1 @@ -1. Optionally, you can configure additional 2FA methods to reduce your risk of account lockout. For more details on how to configure each additional method, see "[Configuring two-factor authentication using a security key](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key)"{% ifversion fpt or ghec %} and "[Configuring two-factor authentication using {% data variables.product.prodname_mobile %}](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-github-mobile)."{% endif %} +1. Optionally, you can configure additional 2FA methods to reduce your risk of account lockout. For more details on how to configure each additional method, see [Configuring two-factor authentication using a security key](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key){% ifversion fpt or ghec %} and [Configuring two-factor authentication using {% data variables.product.prodname_mobile %}](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-github-mobile).{% endif %} diff --git a/data/reusables/two_fa/ghes_ntp.md b/data/reusables/two_fa/ghes_ntp.md index 0ff685c247f7..4ae17c1109a1 100644 --- a/data/reusables/two_fa/ghes_ntp.md +++ b/data/reusables/two_fa/ghes_ntp.md 
@@ -1 +1 @@ -{% ifversion ghes %}The verification of two-factor authentication codes requires an accurate time on both the client's device and server. Site administrators should ensure time synchronization is configured and accurate. For more information, see "[AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-time-synchronization)."{% endif %} +{% ifversion ghes %}The verification of two-factor authentication codes requires an accurate time on both the client's device and server. Site administrators should ensure time synchronization is configured and accurate. For more information, see [AUTOTITLE](/admin/configuration/configuring-network-settings/configuring-time-synchronization).{% endif %} diff --git a/data/reusables/two_fa/sms-warning.md b/data/reusables/two_fa/sms-warning.md index a1f9ae80048a..ce00d5d52583 100644 --- a/data/reusables/two_fa/sms-warning.md +++ b/data/reusables/two_fa/sms-warning.md 
@@ -1,4 +1,4 @@ Before using this method, be sure that you can receive text messages. Carrier rates may apply. > [!WARNING] -> We **strongly recommend** using a TOTP application for two-factor authentication instead of SMS, and security keys as backup methods instead of SMS. {% data variables.product.product_name %} doesn't support sending SMS messages to phones in every country. Before configuring authentication via text message, review the list of countries where {% data variables.product.product_name %} supports authentication via SMS. For more information, see "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/countries-where-sms-authentication-is-supported)." +> We **strongly recommend** using a TOTP application for two-factor authentication instead of SMS, and security keys as backup methods instead of SMS. {% data variables.product.product_name %} doesn't support sending SMS messages to phones in every country. Before configuring authentication via text message, review the list of countries where {% data variables.product.product_name %} supports authentication via SMS. For more information, see [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/countries-where-sms-authentication-is-supported). diff --git a/data/reusables/two_fa/unlink-email-address.md b/data/reusables/two_fa/unlink-email-address.md index b09f2e507357..13c528b6b657 100644 --- a/data/reusables/two_fa/unlink-email-address.md +++ b/data/reusables/two_fa/unlink-email-address.md 
@@ -1 +1 @@ -If you cannot use any recovery methods, you have permanently lost access to your account. However, you can unlink an email address tied to the locked account. The unlinked email address can then be linked to a new or existing account. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/unlinking-your-email-address-from-a-locked-account)." +If you cannot use any recovery methods, you have permanently lost access to your account. However, you can unlink an email address tied to the locked account. The unlinked email address can then be linked to a new or existing account. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/unlinking-your-email-address-from-a-locked-account). diff --git a/data/reusables/user-settings/about-commit-email-addresses.md b/data/reusables/user-settings/about-commit-email-addresses.md index 956a7e316a92..d1e02d844052 100644 --- a/data/reusables/user-settings/about-commit-email-addresses.md +++ b/data/reusables/user-settings/about-commit-email-addresses.md @@ -1 +1 @@ -For more information on commit email addresses,{% ifversion fpt or ghec %} including your `noreply` email address for {% data variables.product.product_name %},{% endif %} see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address)." +For more information on commit email addresses,{% ifversion fpt or ghec %} including your `noreply` email address for {% data variables.product.product_name %},{% endif %} see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address). 
diff --git a/data/reusables/user-settings/context_switcher.md b/data/reusables/user-settings/context_switcher.md index cb722803a32b..e1daeffab4c2 100644 --- a/data/reusables/user-settings/context_switcher.md +++ b/data/reusables/user-settings/context_switcher.md @@ -1 +1 @@ -You must manage billing settings and paid features for each of your accounts separately. You can switch between settings for your personal account, organization accounts, and enterprise accounts using the context switcher on each settings page. See "[AUTOTITLE](/billing/using-the-billing-platform/about-billing-on-github#switching-between-settings-for-your-different-accounts)." +You must manage billing settings and paid features for each of your accounts separately. You can switch between settings for your personal account, organization accounts, and enterprise accounts using the context switcher on each settings page. See [AUTOTITLE](/billing/using-the-billing-platform/about-billing-on-github#switching-between-settings-for-your-different-accounts). diff --git a/data/reusables/user-settings/enabling-fixed-width-fonts.md b/data/reusables/user-settings/enabling-fixed-width-fonts.md index 8a641f49d461..bcd0555fc663 100644 --- a/data/reusables/user-settings/enabling-fixed-width-fonts.md +++ b/data/reusables/user-settings/enabling-fixed-width-fonts.md 
@@ -1,5 +1,5 @@ {% ifversion fixed-width-font-gfm-fields %} -If you are frequently editing code snippets and tables, you may benefit from enabling a fixed-width font in all comment fields on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/about-writing-and-formatting-on-github#enabling-fixed-width-fonts-in-the-editor)." +If you are frequently editing code snippets and tables, you may benefit from enabling a fixed-width font in all comment fields on {% data variables.product.product_name %}. For more information, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/about-writing-and-formatting-on-github#enabling-fixed-width-fonts-in-the-editor). {% endif %} diff --git a/data/reusables/user-settings/link_email_with_your_account.md b/data/reusables/user-settings/link_email_with_your_account.md index 491fdb03bc51..cf3ee0d5cb02 100644 --- a/data/reusables/user-settings/link_email_with_your_account.md +++ b/data/reusables/user-settings/link_email_with_your_account.md @@ -1 +1 @@ -Add the email address to your account on {% data variables.product.product_name %}, so that your commits are attributed to you and appear in your contributions graph. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account)." +Add the email address to your account on {% data variables.product.product_name %}, so that your commits are attributed to you and appear in your contributions graph. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account). 
diff --git a/data/reusables/user-settings/no-verification-disposable-emails.md b/data/reusables/user-settings/no-verification-disposable-emails.md index 687a0bef6ab3..584cf640713a 100644 --- a/data/reusables/user-settings/no-verification-disposable-emails.md +++ b/data/reusables/user-settings/no-verification-disposable-emails.md @@ -1 +1 @@ -You cannot verify email addresses from disposable email address services (services that allow you to receive email at a temporary address that expires after a certain time). If you'd like to keep your email address private, you can use a {% data variables.product.prodname_dotcom %}-provided `noreply` email address. For more information, see "[AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#setting-your-commit-email-address-on-github)." +You cannot verify email addresses from disposable email address services (services that allow you to receive email at a temporary address that expires after a certain time). If you'd like to keep your email address private, you can use a {% data variables.product.prodname_dotcom %}-provided `noreply` email address. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#setting-your-commit-email-address-on-github). diff --git a/data/reusables/user-settings/password-authentication-deprecation.md b/data/reusables/user-settings/password-authentication-deprecation.md index 0f57fc8b51d0..055b57f67113 100644 --- a/data/reusables/user-settings/password-authentication-deprecation.md +++ b/data/reusables/user-settings/password-authentication-deprecation.md 
@@ -1 +1 @@ -When Git prompts you for your password, enter your {% data variables.product.pat_generic %}. Alternatively, you can use a credential helper like [Git Credential Manager](https://github.com/GitCredentialManager/git-credential-manager/blob/main/README.md). Password-based authentication for Git has been removed in favor of more secure authentication methods. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)." +When Git prompts you for your password, enter your {% data variables.product.pat_generic %}. Alternatively, you can use a credential helper like [Git Credential Manager](https://github.com/GitCredentialManager/git-credential-manager/blob/main/README.md). Password-based authentication for Git has been removed in favor of more secure authentication methods. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). diff --git a/data/reusables/user-settings/patv2-limitations.md b/data/reusables/user-settings/patv2-limitations.md index e64a0e6bc9b7..bb2532b82fb2 100644 --- a/data/reusables/user-settings/patv2-limitations.md +++ b/data/reusables/user-settings/patv2-limitations.md 
@@ -4,4 +4,4 @@ * Only {% data variables.product.pat_v1_plural %} automatically have write access for internal repositories that are owned by your enterprise. {% data variables.product.pat_v2_caps %}s must be granted access to internal repositories.{% endif %} * Outside collaborators can only use {% data variables.product.pat_v1_plural %} to access organization repositories that they are a collaborator on.{% ifversion ghec or ghes %} * Only {% data variables.product.pat_v1_plural %} can access enterprises. ({% data variables.product.pat_v2_caps %} can access organizations owned by enterprises.){% endif %} -* A few REST API endpoints are only available with a {% data variables.product.pat_v1_plural %}. To check whether an endpoint also supports {% data variables.product.pat_v2 %}s, see the documentation for that endpoint, or see "[AUTOTITLE](/rest/overview/endpoints-available-for-fine-grained-personal-access-tokens)." +* A few REST API endpoints are only available with a {% data variables.product.pat_v1_plural %}. To check whether an endpoint also supports {% data variables.product.pat_v2 %}s, see the documentation for that endpoint, or see [AUTOTITLE](/rest/overview/endpoints-available-for-fine-grained-personal-access-tokens). diff --git a/data/reusables/user-settings/review_oauth_tokens_tip.md b/data/reusables/user-settings/review_oauth_tokens_tip.md index c4ae4e507cbc..60c11ce92074 100644 --- a/data/reusables/user-settings/review_oauth_tokens_tip.md +++ b/data/reusables/user-settings/review_oauth_tokens_tip.md 
@@ -1 +1 @@ -We recommend that you regularly review your authorized integrations. Remove any applications and tokens that haven't been used in a while. For more information, see "[AUTOTITLE](/apps/oauth-apps/using-oauth-apps/reviewing-your-authorized-applications-oauth)." +We recommend that you regularly review your authorized integrations. Remove any applications and tokens that haven't been used in a while. For more information, see [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/reviewing-your-authorized-applications-oauth). diff --git a/data/reusables/user-settings/sudo-mode-popup.md b/data/reusables/user-settings/sudo-mode-popup.md index b36b47448ce5..da6beaba005d 100644 --- a/data/reusables/user-settings/sudo-mode-popup.md +++ b/data/reusables/user-settings/sudo-mode-popup.md @@ -1 +1 @@ -1. If prompted, confirm access to your account on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/sudo-mode)." +1. If prompted, confirm access to your account on {% data variables.product.product_name %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/sudo-mode). diff --git a/data/reusables/user-settings/verify-org-approved-email-domain.md b/data/reusables/user-settings/verify-org-approved-email-domain.md index fa4bac197760..1dd11924d4d0 100644 --- a/data/reusables/user-settings/verify-org-approved-email-domain.md +++ b/data/reusables/user-settings/verify-org-approved-email-domain.md 
@@ -1 +1 @@ -If an organization you're a member of restricts email notifications to an approved email domain, you'll need to verify an email address in that domain to receive email notifications about activity in the organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization)." +If an organization you're a member of restricts email notifications to an approved email domain, you'll need to verify an email address in that domain to receive email notifications about activity in the organization. For more information, see [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization). diff --git a/data/reusables/webhooks/commit_comment_short_desc.md b/data/reusables/webhooks/commit_comment_short_desc.md index 934d56572da2..7b73f7be3328 100644 --- a/data/reusables/webhooks/commit_comment_short_desc.md +++ b/data/reusables/webhooks/commit_comment_short_desc.md @@ -1 +1 @@ -A commit comment is created. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/rest/commits/comments)." +A commit comment is created. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/rest/commits/comments). diff --git a/data/reusables/webhooks/content_type_and_secret.md b/data/reusables/webhooks/content_type_and_secret.md index 44d3004ec437..8874fa023778 100644 --- a/data/reusables/webhooks/content_type_and_secret.md +++ b/data/reusables/webhooks/content_type_and_secret.md 
@@ -1,4 +1,4 @@ 1. Optionally, select the **Content type** drop-down menu, and click a data format to receive the webhook payload in. * **application/json** will deliver the JSON payload directly as the body of the `POST` request. * **application/x-www-form-urlencoded** will send the JSON payload as a form parameter called `payload`. -1. Optionally, under "Secret", type a string to use as a `secret` key. You should choose a random string of text with high entropy. You can use the webhook secret to limit incoming requests to only those originating from {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/webhooks/using-webhooks/securing-your-webhooks)." +1. Optionally, under "Secret", type a string to use as a `secret` key. You should choose a random string of text with high entropy. You can use the webhook secret to limit incoming requests to only those originating from {% data variables.product.prodname_dotcom %}. For more information, see [AUTOTITLE](/webhooks/using-webhooks/securing-your-webhooks). diff --git a/data/reusables/webhooks/create_short_desc.md b/data/reusables/webhooks/create_short_desc.md index 2ad4e5009e44..9d0ff086250a 100644 --- a/data/reusables/webhooks/create_short_desc.md +++ b/data/reusables/webhooks/create_short_desc.md @@ -1 +1 @@ -A Git branch or tag is created. For more information, see "[AUTOTITLE](/rest/git#create-a-reference)." +A Git branch or tag is created. For more information, see [AUTOTITLE](/rest/git#create-a-reference). diff --git a/data/reusables/webhooks/delete_short_desc.md b/data/reusables/webhooks/delete_short_desc.md index c3e310817930..87db31da3c6d 100644 --- a/data/reusables/webhooks/delete_short_desc.md +++ b/data/reusables/webhooks/delete_short_desc.md 
@@ -1 +1 @@ -A Git branch or tag is deleted. For more information, see the "[AUTOTITLE](/rest/git#delete-a-reference)" REST API. +A Git branch or tag is deleted. For more information, see the [AUTOTITLE](/rest/git#delete-a-reference) REST API. diff --git a/data/reusables/webhooks/fork_short_desc.md b/data/reusables/webhooks/fork_short_desc.md index bf72500c2b3d..fb7cfe4209ca 100644 --- a/data/reusables/webhooks/fork_short_desc.md +++ b/data/reusables/webhooks/fork_short_desc.md @@ -1 +1 @@ -A user forks a repository. For more information, see "[AUTOTITLE](/rest/repos#forks)." +A user forks a repository. For more information, see [AUTOTITLE](/rest/repos#forks). diff --git a/data/reusables/webhooks/gollum_short_desc.md b/data/reusables/webhooks/gollum_short_desc.md index de44fc9c3d43..96d59511ff9d 100644 --- a/data/reusables/webhooks/gollum_short_desc.md +++ b/data/reusables/webhooks/gollum_short_desc.md @@ -1 +1 @@ -A wiki page is created or updated. For more information, see "[AUTOTITLE](/communities/documenting-your-project-with-wikis/about-wikis)." +A wiki page is created or updated. For more information, see [AUTOTITLE](/communities/documenting-your-project-with-wikis/about-wikis). diff --git a/data/reusables/webhooks/issue_comment_short_desc.md b/data/reusables/webhooks/issue_comment_short_desc.md index 6fac504acd13..5aaca54014a1 100644 --- a/data/reusables/webhooks/issue_comment_short_desc.md +++ b/data/reusables/webhooks/issue_comment_short_desc.md @@ -1 +1 @@ -Activity related to an issue or pull request comment. {% data reusables.webhooks.action_type_desc %} For more information, see the "[AUTOTITLE](/rest/issues#comments)." +Activity related to an issue or pull request comment. {% data reusables.webhooks.action_type_desc %} For more information, see the [AUTOTITLE](/rest/issues#comments). diff --git a/data/reusables/webhooks/issues_short_desc.md b/data/reusables/webhooks/issues_short_desc.md index 05950ca16854..dc8c03ee7b72 100644 
--- a/data/reusables/webhooks/issues_short_desc.md +++ b/data/reusables/webhooks/issues_short_desc.md @@ -1 +1 @@ -Activity related to an issue. {% data reusables.webhooks.action_type_desc %} For more information, see the "[AUTOTITLE](/rest/issues)." +Activity related to an issue. {% data reusables.webhooks.action_type_desc %} For more information, see the [AUTOTITLE](/rest/issues). diff --git a/data/reusables/webhooks/member_short_desc.md b/data/reusables/webhooks/member_short_desc.md index 8ab0fa01981f..142b64763459 100644 --- a/data/reusables/webhooks/member_short_desc.md +++ b/data/reusables/webhooks/member_short_desc.md @@ -1 +1 @@ -Activity related to repository collaborators. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/rest/collaborators/collaborators)." +Activity related to repository collaborators. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/rest/collaborators/collaborators). diff --git a/data/reusables/webhooks/pull_request_review_comment_short_desc.md b/data/reusables/webhooks/pull_request_review_comment_short_desc.md index 9dcaf2c993bd..1f4e6d3a1926 100644 --- a/data/reusables/webhooks/pull_request_review_comment_short_desc.md +++ b/data/reusables/webhooks/pull_request_review_comment_short_desc.md @@ -1 +1 @@ -Activity related to pull request review comments in the pull request's unified diff. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/rest/pulls#comments)." +Activity related to pull request review comments in the pull request's unified diff. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/rest/pulls#comments). diff --git a/data/reusables/webhooks/pull_request_review_short_desc.md b/data/reusables/webhooks/pull_request_review_short_desc.md index c2047a187a31..e814e93e851e 100644 --- a/data/reusables/webhooks/pull_request_review_short_desc.md 
+++ b/data/reusables/webhooks/pull_request_review_short_desc.md @@ -1 +1 @@ -Activity related to pull request reviews. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/rest/pulls#reviews)." +Activity related to pull request reviews. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/rest/pulls#reviews). diff --git a/data/reusables/webhooks/pull_request_short_desc.md b/data/reusables/webhooks/pull_request_short_desc.md index c3c12fc45860..bb9dda0e4997 100644 --- a/data/reusables/webhooks/pull_request_short_desc.md +++ b/data/reusables/webhooks/pull_request_short_desc.md @@ -1 +1 @@ -Activity related to pull requests. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/rest/pulls)." +Activity related to pull requests. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/rest/pulls). diff --git a/data/reusables/webhooks/release_short_desc.md b/data/reusables/webhooks/release_short_desc.md index 60502ba9019c..e3f8945738e0 100644 --- a/data/reusables/webhooks/release_short_desc.md +++ b/data/reusables/webhooks/release_short_desc.md @@ -1 +1 @@ -Activity related to a release. {% data reusables.webhooks.action_type_desc %} For more information, see the "[AUTOTITLE](/rest/releases)" REST API. +Activity related to a release. {% data reusables.webhooks.action_type_desc %} For more information, see the [AUTOTITLE](/rest/releases) REST API. diff --git a/data/reusables/webhooks/secret.md b/data/reusables/webhooks/secret.md index f581dfb01f89..6edd53e6f5bb 100644 --- a/data/reusables/webhooks/secret.md +++ b/data/reusables/webhooks/secret.md 
@@ -1 +1 @@ -Setting a webhook secret allows you to ensure that `POST` requests sent to the payload URL are from {% data variables.product.product_name %}. When you set a secret, you'll receive the `X-Hub-Signature` and `X-Hub-Signature-256` headers in the webhook `POST` request. For more information on how to use a secret with a signature header to secure your webhook payloads, see "[AUTOTITLE](/webhooks-and-events/webhooks/securing-your-webhooks)." +Setting a webhook secret allows you to ensure that `POST` requests sent to the payload URL are from {% data variables.product.product_name %}. When you set a secret, you'll receive the `X-Hub-Signature` and `X-Hub-Signature-256` headers in the webhook `POST` request. For more information on how to use a secret with a signature header to secure your webhook payloads, see [AUTOTITLE](/webhooks-and-events/webhooks/securing-your-webhooks). diff --git a/data/reusables/webhooks/signature-troubleshooting.md b/data/reusables/webhooks/signature-troubleshooting.md index 6cc4dbbbd745..259300181fed 100644 --- a/data/reusables/webhooks/signature-troubleshooting.md +++ b/data/reusables/webhooks/signature-troubleshooting.md 
@@ -1,8 +1,8 @@ If you are sure that the payload is from {% data variables.product.company_short %} but the signature verification fails: -* Make sure that you have configured a secret for your webhook. The `X-Hub-Signature-256` header will not be present if you have not configured a secret for your webhook. For more information about configuring a secret for your webhook, see "[AUTOTITLE](/webhooks/using-webhooks/editing-webhooks)." +* Make sure that you have configured a secret for your webhook. The `X-Hub-Signature-256` header will not be present if you have not configured a secret for your webhook. For more information about configuring a secret for your webhook, see [AUTOTITLE](/webhooks/using-webhooks/editing-webhooks). * Make sure you are using the correct header. {% data variables.product.company_short %} recommends that you use the `X-Hub-Signature-256` header, which uses the HMAC-SHA256 algorithm. The `X-Hub-Signature` header uses the HMAC-SHA1 algorithm and is only included for legacy purposes. * Make sure that you are using the correct algorithm. If you are using the `X-Hub-Signature-256` header, you should use the HMAC-SHA256 algorithm. -* Make sure you are using the correct webhook secret. If you don't know the value of your webhook secret, you can update your webhook's secret. For more information, see "[AUTOTITLE](/webhooks/using-webhooks/editing-webhooks)." +* Make sure you are using the correct webhook secret. If you don't know the value of your webhook secret, you can update your webhook's secret. For more information, see [AUTOTITLE](/webhooks/using-webhooks/editing-webhooks). * Make sure that the payload and headers are not modified before verification. For example, if you use a proxy or load balancer, make sure that the proxy or load balancer does not modify the payload or headers. * If your language and server implementation specifies a character encoding, ensure that you handle the payload as UTF-8. 
Webhook payloads can contain unicode characters. diff --git a/data/reusables/webhooks/sponsorship_short_desc.md b/data/reusables/webhooks/sponsorship_short_desc.md index f23c71e98b76..d8c74695df85 100644 --- a/data/reusables/webhooks/sponsorship_short_desc.md +++ b/data/reusables/webhooks/sponsorship_short_desc.md @@ -1 +1 @@ -Activity related to a sponsorship listing. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/sponsors/getting-started-with-github-sponsors/about-github-sponsors)". +Activity related to a sponsorship listing. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/sponsors/getting-started-with-github-sponsors/about-github-sponsors). diff --git a/data/reusables/webhooks/watch_short_desc.md b/data/reusables/webhooks/watch_short_desc.md index 19cb6e0bed21..c833bc57eb0c 100644 --- a/data/reusables/webhooks/watch_short_desc.md +++ b/data/reusables/webhooks/watch_short_desc.md @@ -1 +1 @@ -When someone stars a repository. {% data reusables.webhooks.action_type_desc %} For more information, see "[AUTOTITLE](/rest/activity#starring)." +When someone stars a repository. {% data reusables.webhooks.action_type_desc %} For more information, see [AUTOTITLE](/rest/activity#starring). diff --git a/data/reusables/webhooks/webhooks-as-audit-log-alternative.md b/data/reusables/webhooks/webhooks-as-audit-log-alternative.md index 83e1754e71d5..b86179721518 100644 --- a/data/reusables/webhooks/webhooks-as-audit-log-alternative.md +++ b/data/reusables/webhooks/webhooks-as-audit-log-alternative.md 
@@ -1 +1 @@ -Webhooks might be a good alternative to the audit log or API polling for certain use cases. Webhooks are a way for {% data variables.product.company_short %} to notify your server when specific events occur for a repository, organization, or enterprise. Compared to the API or searching the audit log, webhooks can be more efficient if you just want to learn and possibly log when certain events occur on your enterprise, organization, or repository. See "[AUTOTITLE](/webhooks)." +Webhooks might be a good alternative to the audit log or API polling for certain use cases. Webhooks are a way for {% data variables.product.company_short %} to notify your server when specific events occur for a repository, organization, or enterprise. Compared to the API or searching the audit log, webhooks can be more efficient if you just want to learn and possibly log when certain events occur on your enterprise, organization, or repository. See [AUTOTITLE](/webhooks).
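Review bot: in the `data/reusables/webhooks/issue_comment_short_desc.md` hunk the article before the link is left dangling: `For more information, see the [AUTOTITLE](/rest/issues#comments).` reads as an incomplete phrase once the quotes are gone. Either drop `the`, as the other `*_short_desc.md` reusables in this patch do, or append `REST API` after the link, matching `delete_short_desc.md` and `release_short_desc.md`.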
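Review bot: the `data/reusables/webhooks/issues_short_desc.md` hunk has the same dangling article, `see the [AUTOTITLE](/rest/issues).`; since the line is being touched anyway, change it to `see [AUTOTITLE](/rest/issues).` or `see the [AUTOTITLE](/rest/issues) REST API.` so the rendered sentence is grammatical.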
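Review bot: the link target in the `data/reusables/webhooks/secret.md` hunk, `/webhooks-and-events/webhooks/securing-your-webhooks`, differs from the `/webhooks/using-webhooks/securing-your-webhooks` path that the `content_type_and_secret.md` hunk uses for the same article. Confirm the `webhooks-and-events` path still resolves (or is redirected), and consider aligning it with the `webhooks/using-webhooks` path so both reusables point at one canonical URL.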