GHAS Pack - Agent Skills for GitHub Advanced Security - Includes Dependabot, CodeQL, and Secret Scanning (#1049)

* feat: add dependabot skill

* feat: add codeql skill

* feat: add secret-scanning skill

* feat: run start and update docs

* fix: replace deprecated @dependabot merge example with native auto-merge guidance

The usage example still showed @dependabot merge despite the Jan 2026
deprecation. Replaced with gh pr merge --auto and GitHub UI auto-merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Ve Sharma
2026-03-17 17:15:29 -07:00
committed by GitHub
parent 5418673f24
commit f601edcc87
16 changed files with 4154 additions and 0 deletions

skills/dependabot/SKILL.md (new file, 422 lines)

@@ -0,0 +1,422 @@
---
name: dependabot
description: >-
Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when
users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests,
configuring dependency update strategies, setting up grouped updates, monorepo patterns,
multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub
Advanced Security (GHAS) supply chain security topic related to Dependabot.
---
# Dependabot Configuration & Management
## Overview
Dependabot is GitHub's built-in dependency management tool with three core capabilities:
1. **Dependabot Alerts** — Notify when dependencies have known vulnerabilities (CVEs)
2. **Dependabot Security Updates** — Auto-create PRs to fix vulnerable dependencies
3. **Dependabot Version Updates** — Auto-create PRs to keep dependencies current
All configuration lives in a **single file**: `.github/dependabot.yml` on the default branch. GitHub does **not** support multiple `dependabot.yml` files per repository.
## Configuration Workflow
Follow this process when creating or optimizing a `dependabot.yml`:
### Step 1: Detect All Ecosystems
Scan the repository for dependency manifests. Look for:
| Ecosystem | YAML Value | Manifest Files |
|---|---|---|
| npm/pnpm/yarn | `npm` | `package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go modules | `gomod` | `go.mod` |
| Bundler (Ruby) | `bundler` | `Gemfile` |
| Cargo (Rust) | `cargo` | `Cargo.toml` |
| Composer (PHP) | `composer` | `composer.json` |
| NuGet (.NET) | `nuget` | `*.csproj`, `packages.config` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Maven (Java) | `maven` | `pom.xml` |
| Gradle (Java) | `gradle` | `build.gradle` |
| Terraform | `terraform` | `*.tf` |
| OpenTofu | `opentofu` | `*.tf` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs` |
| Swift | `swift` | `Package.swift` |
| Pub (Dart) | `pub` | `pubspec.yaml` |
| Bun | `bun` | `bun.lockb` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
Note: pnpm and yarn both use the `npm` ecosystem value.
### Step 2: Map Directory Locations
For each ecosystem, identify where manifests live. Use `directories` (plural) with glob patterns for monorepos:
```yaml
directories:
- "/" # root
- "/apps/*" # all app subdirs
- "/packages/*" # all package subdirs
- "/lib-*" # dirs starting with lib-
- "**/*" # recursive (all subdirs)
```
Important: `directory` (singular) does NOT support globs. Use `directories` (plural) for wildcards.
### Step 3: Configure Each Ecosystem Entry
Every entry needs at minimum:
```yaml
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
```
### Step 4: Optimize with Grouping, Labels, and Scheduling
See sections below for each optimization technique.
## Monorepo Strategies
### Glob Patterns for Workspace Coverage
For monorepos with many packages, use glob patterns to avoid listing each directory:
```yaml
- package-ecosystem: "npm"
directories:
- "/"
- "/apps/*"
- "/packages/*"
- "/services/*"
schedule:
interval: "weekly"
```
### Cross-Directory Grouping
Use `group-by: dependency-name` to create a single PR when the same dependency updates across multiple directories:
```yaml
groups:
monorepo-deps:
group-by: dependency-name
```
This creates one PR per dependency across all specified directories, reducing CI costs and review burden.
Limitations:
- All directories must use the same package ecosystem
- Applies to version updates only
- Incompatible version constraints create separate PRs
### Standalone Packages Outside Workspaces
If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in `.github/`), create a separate ecosystem entry for it.
## Dependency Grouping
Reduce PR noise by grouping related dependencies into single PRs.
### By Dependency Type
```yaml
groups:
dev-dependencies:
dependency-type: "development"
update-types: ["minor", "patch"]
production-dependencies:
dependency-type: "production"
update-types: ["minor", "patch"]
```
### By Name Pattern
```yaml
groups:
angular:
patterns: ["@angular*"]
update-types: ["minor", "patch"]
testing:
patterns: ["jest*", "@testing-library*", "ts-jest"]
```
### For Security Updates
```yaml
groups:
security-patches:
applies-to: security-updates
patterns: ["*"]
update-types: ["patch", "minor"]
```
Key behaviors:
- Dependencies matching multiple groups go to the **first** match
- `applies-to` defaults to `version-updates` when absent
- Ungrouped dependencies get individual PRs
## Multi-Ecosystem Groups
Combine updates across different package ecosystems into a single PR:
```yaml
version: 2
multi-ecosystem-groups:
infrastructure:
schedule:
interval: "weekly"
labels: ["infrastructure", "dependencies"]
updates:
- package-ecosystem: "docker"
directory: "/"
patterns: ["nginx", "redis"]
multi-ecosystem-group: "infrastructure"
- package-ecosystem: "terraform"
directory: "/"
patterns: ["aws*"]
multi-ecosystem-group: "infrastructure"
```
The `patterns` key is required when using `multi-ecosystem-group`.
## PR Customization
### Labels
```yaml
labels:
- "dependencies"
- "npm"
```
Set `labels: []` to disable all labels including defaults. SemVer labels (`major`, `minor`, `patch`) are always applied if present in the repo.
### Commit Messages
```yaml
commit-message:
prefix: "deps"
prefix-development: "deps-dev"
include: "scope" # adds deps/deps-dev scope after prefix
```
### Assignees and Milestones
```yaml
assignees: ["security-team-lead"]
milestone: 4 # numeric ID from milestone URL
```
### Branch Name Separator
```yaml
pull-request-branch-name:
separator: "-" # default is /
```
### Target Branch
```yaml
target-branch: "develop" # PRs target this instead of default branch
```
Note: When `target-branch` is set, security updates still target the default branch; all ecosystem config only applies to version updates.
## Schedule Optimization
### Intervals
Supported: `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron`
```yaml
schedule:
interval: "weekly"
day: "monday" # for weekly only
time: "09:00" # HH:MM format
timezone: "America/New_York"
```
### Cron Expressions
```yaml
schedule:
interval: "cron"
cronjob: "0 9 * * 1" # Every Monday at 9 AM
```
### Cooldown Periods
Delay updates for newly released versions to avoid early-adopter issues:
```yaml
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
include: ["*"]
exclude: ["critical-lib"]
```
Cooldown applies to version updates only, not security updates.
## Security Updates Configuration
### Enable via Repository Settings
Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.
### Group Security Updates in YAML
```yaml
groups:
security-patches:
applies-to: security-updates
patterns: ["*"]
update-types: ["patch", "minor"]
```
### Disable Version Updates (Security Only)
```yaml
open-pull-requests-limit: 0 # disables version update PRs
```
### Auto-Triage Rules
GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.
## PR Comment Commands
Interact with Dependabot PRs using `@dependabot` comments.
> **Note:** As of January 2026, merge/close/reopen commands have been deprecated.
> Use GitHub's native UI, CLI (`gh pr merge`), or auto-merge instead.
| Command | Effect |
|---|---|
| `@dependabot rebase` | Rebase the PR |
| `@dependabot recreate` | Recreate the PR from scratch |
| `@dependabot ignore this dependency` | Close and never update this dependency |
| `@dependabot ignore this major version` | Ignore this major version |
| `@dependabot ignore this minor version` | Ignore this minor version |
| `@dependabot ignore this patch version` | Ignore this patch version |
For grouped PRs, additional commands:
- `@dependabot ignore DEPENDENCY_NAME` — ignore specific dependency in group
- `@dependabot unignore DEPENDENCY_NAME` — clear ignores, reopen with updates
- `@dependabot unignore *` — clear all ignores for all dependencies in group
- `@dependabot show DEPENDENCY_NAME ignore conditions` — display current ignores
For the complete command reference, see `references/pr-commands.md`.
## Ignore and Allow Rules
### Ignore Specific Dependencies
```yaml
ignore:
- dependency-name: "lodash"
- dependency-name: "@types/node"
update-types: ["version-update:semver-patch"]
- dependency-name: "express"
versions: ["5.x"]
```
### Allow Only Specific Types
```yaml
allow:
- dependency-type: "production"
- dependency-name: "express"
```
Rule: If a dependency matches both `allow` and `ignore`, it is **ignored**.
### Exclude Paths
```yaml
exclude-paths:
- "vendor/**"
- "test/fixtures/**"
```
## Advanced Options
### Versioning Strategy
Controls how Dependabot edits version constraints:
| Value | Behavior |
|---|---|
| `auto` | Default — increase for apps, widen for libraries |
| `increase` | Always increase minimum version |
| `increase-if-necessary` | Only change if current range excludes new version |
| `lockfile-only` | Only update lockfiles, ignore manifests |
| `widen` | Widen range to include both old and new versions |
### Rebase Strategy
```yaml
rebase-strategy: "disabled" # stop auto-rebasing
```
Allow rebase over extra commits by including `[dependabot skip]` in commit messages.
### Open PR Limit
```yaml
open-pull-requests-limit: 10 # default is 5 for version, 10 for security
```
Set to `0` to disable version updates entirely.
### Private Registries
```yaml
registries:
npm-private:
type: npm-registry
url: https://npm.example.com
token: ${{secrets.NPM_TOKEN}}
updates:
- package-ecosystem: "npm"
directory: "/"
registries:
- npm-private
```
## FAQ
**Can I have multiple `dependabot.yml` files?**
No. GitHub supports exactly one file at `.github/dependabot.yml`. Use multiple `updates` entries within that file for different ecosystems and directories.
**Does Dependabot support pnpm?**
Yes. Use `package-ecosystem: "npm"` — Dependabot detects `pnpm-lock.yaml` automatically.
**How do I reduce PR noise in a monorepo?**
Use `groups` to batch updates, `directories` with globs for coverage, and `group-by: dependency-name` for cross-directory grouping. Consider `monthly` or `quarterly` intervals for low-priority ecosystems.
**How do I handle dependencies outside the workspace?**
Create a separate ecosystem entry with its own `directory` pointing to that location.
## Resources
- `references/dependabot-yml-reference.md` — Complete YAML options reference
- `references/pr-commands.md` — Full PR comment commands reference
- `references/example-configs.md` — Real-world configuration examples
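Review bot: the Private Registries block (`registries:` with `token: ${{secrets.NPM_TOKEN}}`) should state that these are Dependabot secrets, configured separately from Actions secrets in repository settings; a reader who creates an Actions secret of that name gets an authentication failure with no hint why, so add one sentence such as "Store the token as a Dependabot secret (Settings → Secrets and variables → Dependabot); Actions secrets are not visible to Dependabot." Secondly, the Target Branch note ("all ecosystem config only applies to version updates") reads as if it applied to every entry in the file; suggest "the rest of this entry's configuration applies to version updates only; security updates ignore it and target the default branch."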


@@ -0,0 +1,374 @@
# Dependabot YAML Options Reference
Complete reference for all configuration options in `.github/dependabot.yml`.
## File Structure
```yaml
version: 2 # Required, always 2
registries: # Optional: private registry access
REGISTRY_NAME:
type: "..."
url: "..."
multi-ecosystem-groups: # Optional: cross-ecosystem grouping
GROUP_NAME:
schedule:
interval: "..."
updates: # Required: list of ecosystem configurations
- package-ecosystem: "..." # Required
directory: "/" # Required (or directories)
schedule: # Required
interval: "..."
```
## Required Keys
### `version`
Always `2`. Must be at the top level.
### `package-ecosystem`
Defines which package manager to monitor. One entry per ecosystem (can have multiple entries for the same ecosystem with different directories).
| Package Manager | YAML Value | Manifest Files |
|---|---|---|
| Bazel | `bazel` | `MODULE.bazel`, `WORKSPACE` |
| Bun | `bun` | `bun.lockb` |
| Bundler (Ruby) | `bundler` | `Gemfile`, `Gemfile.lock` |
| Cargo (Rust) | `cargo` | `Cargo.toml`, `Cargo.lock` |
| Composer (PHP) | `composer` | `composer.json`, `composer.lock` |
| Conda | `conda` | `environment.yml` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Elm | `elm` | `elm.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go Modules | `gomod` | `go.mod`, `go.sum` |
| Gradle | `gradle` | `build.gradle`, `build.gradle.kts` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs`, `mix.lock` |
| Julia | `julia` | `Project.toml`, `Manifest.toml` |
| Maven | `maven` | `pom.xml` |
| npm/pnpm/yarn | `npm` | `package.json`, lockfiles |
| NuGet | `nuget` | `*.csproj`, `packages.config` |
| OpenTofu | `opentofu` | `*.tf` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
| Pub (Dart/Flutter) | `pub` | `pubspec.yaml` |
| Rust Toolchain | `rust-toolchain` | `rust-toolchain.toml` |
| Swift | `swift` | `Package.swift` |
| Terraform | `terraform` | `*.tf` |
| uv | `uv` | `uv.lock`, `pyproject.toml` |
| vcpkg | `vcpkg` | `vcpkg.json` |
### `directory` / `directories`
Location of package manifests relative to repo root.
- `directory` — single path (no glob support)
- `directories` — list of paths (supports `*` and `**` globs)
```yaml
# Single directory
directory: "/"
# Multiple directories with globs
directories:
- "/"
- "/apps/*"
- "/packages/*"
```
For GitHub Actions, use `/` — Dependabot automatically searches `.github/workflows/`.
### `schedule`
How often to check for updates.
| Parameter | Values | Notes |
|---|---|---|
| `interval` | `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron` | Required |
| `day` | `monday``sunday` | Weekly only |
| `time` | `HH:MM` | UTC by default |
| `timezone` | IANA timezone string | e.g., `America/New_York` |
| `cronjob` | Cron expression | Required when interval is `cron` |
```yaml
schedule:
interval: "weekly"
day: "tuesday"
time: "09:00"
timezone: "Europe/London"
```
## Grouping Options
### `groups`
Group dependencies into fewer PRs.
| Parameter | Purpose | Values |
|---|---|---|
| `IDENTIFIER` | Group name (used in branch/PR title) | Letters, pipes, underscores, hyphens |
| `applies-to` | Update type | `version-updates` (default), `security-updates` |
| `dependency-type` | Filter by type | `development`, `production` |
| `patterns` | Include matching names | List of strings with `*` wildcard |
| `exclude-patterns` | Exclude matching names | List of strings with `*` wildcard |
| `update-types` | SemVer filter | `major`, `minor`, `patch` |
| `group-by` | Cross-directory grouping | `dependency-name` |
```yaml
groups:
dev-deps:
dependency-type: "development"
update-types: ["minor", "patch"]
angular:
patterns: ["@angular*"]
exclude-patterns: ["@angular/cdk"]
monorepo:
group-by: dependency-name
```
### `multi-ecosystem-groups` (top-level)
Group updates across different ecosystems into one PR.
```yaml
multi-ecosystem-groups:
GROUP_NAME:
schedule:
interval: "weekly"
labels: ["infrastructure"]
assignees: ["@platform-team"]
```
Assign ecosystems with `multi-ecosystem-group: "GROUP_NAME"` in each `updates` entry. The `patterns` key is required in each ecosystem entry when using this feature.
## Filtering Options
### `allow`
Explicitly define which dependencies to maintain.
| Parameter | Purpose |
|---|---|
| `dependency-name` | Match by name (supports `*` wildcard) |
| `dependency-type` | `direct`, `indirect`, `all`, `production`, `development` |
```yaml
allow:
- dependency-type: "production"
- dependency-name: "express"
```
### `ignore`
Exclude dependencies or versions from updates.
| Parameter | Purpose |
|---|---|
| `dependency-name` | Match by name (supports `*` wildcard) |
| `versions` | Specific versions or ranges (e.g., `["5.x"]`, `[">=2.0.0"]`) |
| `update-types` | SemVer levels: `version-update:semver-major`, `version-update:semver-minor`, `version-update:semver-patch` |
```yaml
ignore:
- dependency-name: "lodash"
- dependency-name: "@types/node"
update-types: ["version-update:semver-patch"]
- dependency-name: "express"
versions: ["5.x"]
```
Rule: if a dependency matches both `allow` and `ignore`, it is **ignored**.
### `exclude-paths`
Ignore specific directories or files during manifest scanning.
```yaml
exclude-paths:
- "vendor/**"
- "test/fixtures/**"
- "*.lock"
```
Supports glob patterns: `*` (single segment), `**` (recursive), specific file paths.
## PR Customization Options
### `labels`
```yaml
labels:
- "dependencies"
- "npm"
```
Set `labels: []` to disable all labels. SemVer labels are always applied if they exist in the repo.
### `assignees`
```yaml
assignees:
- "user1"
- "user2"
```
Assignees must have write access (or read access for org repos).
### `milestone`
```yaml
milestone: 4 # numeric ID from milestone URL
```
### `commit-message`
```yaml
commit-message:
prefix: "deps" # up to 50 chars; colon auto-added if ends with letter/number
prefix-development: "deps-dev" # separate prefix for dev dependencies
include: "scope" # adds deps/deps-dev after prefix
```
### `pull-request-branch-name`
```yaml
pull-request-branch-name:
separator: "-" # options: "-", "_", "/"
```
### `target-branch`
```yaml
target-branch: "develop"
```
When set, version update config only applies to version updates. Security updates always target the default branch.
## Scheduling & Rate Limiting
### `cooldown`
Delay version updates for newly released versions:
| Parameter | Purpose |
|---|---|
| `default-days` | Default cooldown (190 days) |
| `semver-major-days` | Cooldown for major updates |
| `semver-minor-days` | Cooldown for minor updates |
| `semver-patch-days` | Cooldown for patch updates |
| `include` | Dependencies to apply cooldown (up to 150, supports `*`) |
| `exclude` | Dependencies exempt from cooldown (up to 150, takes precedence) |
```yaml
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
include: ["*"]
exclude: ["critical-security-lib"]
```
### `open-pull-requests-limit`
```yaml
open-pull-requests-limit: 10 # default: 5 for version updates
```
Set to `0` to disable version updates entirely. Security updates have a separate internal limit of 10.
## Advanced Options
### `versioning-strategy`
Supported by: `bundler`, `cargo`, `composer`, `mix`, `npm`, `pip`, `pub`, `uv`.
| Value | Behavior |
|---|---|
| `auto` | Default: increase for apps, widen for libraries |
| `increase` | Always increase minimum version |
| `increase-if-necessary` | Only change if current range excludes new version |
| `lockfile-only` | Only update lockfiles |
| `widen` | Widen range to include old and new versions |
### `rebase-strategy`
```yaml
rebase-strategy: "disabled"
```
Default behavior: Dependabot auto-rebases PRs on conflicts. Rebasing stops 30 days after PR opens.
Allow Dependabot to force push over extra commits by including `[dependabot skip]` in commit messages.
### `vendor`
Supported by: `bundler`, `gomod`.
```yaml
vendor: true # maintain vendored dependencies
```
Go modules auto-detect vendored dependencies.
### `insecure-external-code-execution`
Supported by: `bundler`, `mix`, `pip`.
```yaml
insecure-external-code-execution: "allow"
```
Allows Dependabot to execute code in manifests during updates. Required for some ecosystems that run code during resolution.
## Private Registries
### Top-Level Registry Definition
```yaml
registries:
npm-private:
type: npm-registry
url: https://npm.example.com
token: ${{secrets.NPM_TOKEN}}
maven-central:
type: maven-repository
url: https://repo.maven.apache.org/maven2
username: ""
password: ""
docker-ghcr:
type: docker-registry
url: https://ghcr.io
username: ${{secrets.GHCR_USER}}
password: ${{secrets.GHCR_TOKEN}}
python-private:
type: python-index
url: https://pypi.example.com/simple
token: ${{secrets.PYPI_TOKEN}}
```
### Associating Registries with Ecosystems
```yaml
updates:
- package-ecosystem: "npm"
directory: "/"
registries:
- npm-private
schedule:
interval: "weekly"
```
Use `registries: "*"` to allow access to all defined registries.
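Review bot: the `cooldown` table row `default-days` | Default cooldown (190 days) has lost its range separator; the documented bound is 1 to 90 days, so it should read `(1–90 days)`. The `day` row of the `schedule` table has the same defect (`monday``sunday` needs a separator between the two values). In the `insecure-external-code-execution` section, "Required for some ecosystems that run code during resolution" understates the trade-off: with `"allow"`, Dependabot executes code from the manifests (for example a `setup.py`) inside the update job, where the credentials from `registries` are available, so a malicious manifest or dependency can read them. Suggest stating that this overrides the default block that applies to entries using `registries`, and that it should be set only on the individual entry that needs it, never file-wide.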


@@ -0,0 +1,409 @@
# Dependabot Configuration Examples
Real-world `dependabot.yml` configurations for common scenarios.
---
## 1. Basic Single Ecosystem
Minimal configuration for a single npm project:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
```
---
## 2. Monorepo with Glob Patterns
Turborepo/pnpm monorepo with multiple workspace packages:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directories:
- "/"
- "/apps/*"
- "/packages/*"
- "/services/*"
schedule:
interval: "weekly"
day: "monday"
groups:
dev-dependencies:
dependency-type: "development"
update-types: ["minor", "patch"]
production-dependencies:
dependency-type: "production"
update-types: ["minor", "patch"]
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "deps"
include: "scope"
```
---
## 3. Grouped Dev vs Production Dependencies
Separate dev and production updates to prioritize review of production changes:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
groups:
production-deps:
dependency-type: "production"
dev-deps:
dependency-type: "development"
exclude-patterns:
- "eslint*"
linting:
patterns:
- "eslint*"
- "prettier*"
- "@typescript-eslint*"
```
---
## 4. Cross-Directory Grouping (Monorepo)
Create one PR per shared dependency across directories:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directories:
- "/frontend"
- "/admin-panel"
- "/mobile-app"
schedule:
interval: "weekly"
groups:
monorepo-dependencies:
group-by: dependency-name
```
When `lodash` updates in all three directories, Dependabot creates a single PR.
---
## 5. Multi-Ecosystem Group (Docker + Terraform)
Consolidate infrastructure dependency updates into a single PR:
```yaml
version: 2
multi-ecosystem-groups:
infrastructure:
schedule:
interval: "weekly"
labels: ["infrastructure", "dependencies"]
assignees: ["@platform-team"]
updates:
- package-ecosystem: "docker"
directory: "/"
patterns: ["nginx", "redis", "postgres"]
multi-ecosystem-group: "infrastructure"
- package-ecosystem: "terraform"
directory: "/"
patterns: ["aws*", "terraform-*"]
multi-ecosystem-group: "infrastructure"
```
---
## 6. Security Updates Only (Version Updates Disabled)
Monitor for security vulnerabilities without version update PRs:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 0 # disables version update PRs
groups:
security-all:
applies-to: security-updates
patterns: ["*"]
update-types: ["patch", "minor"]
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 0
```
---
## 7. Private Registries
Access private npm and Docker registries:
```yaml
version: 2
registries:
npm-private:
type: npm-registry
url: https://npm.internal.example.com
token: ${{secrets.NPM_PRIVATE_TOKEN}}
docker-ghcr:
type: docker-registry
url: https://ghcr.io
username: ${{secrets.GHCR_USER}}
password: ${{secrets.GHCR_TOKEN}}
updates:
- package-ecosystem: "npm"
directory: "/"
registries:
- npm-private
schedule:
interval: "weekly"
- package-ecosystem: "docker"
directory: "/"
registries:
- docker-ghcr
schedule:
interval: "weekly"
```
---
## 8. Cooldown Periods
Delay updates for newly released versions to avoid early-adopter bugs:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 14
semver-patch-days: 3
include: ["*"]
exclude:
- "security-critical-lib"
- "@company/internal-*"
```
---
## 9. Cron Scheduling
Run updates at a specific time using cron expressions:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "cron"
cronjob: "0 9 * * 1" # Every Monday at 9:00 AM
timezone: "America/New_York"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "cron"
cronjob: "0 6 1 * *" # First day of each month at 6:00 AM
```
---
## 10. Full-Featured Configuration
A comprehensive example combining multiple optimizations:
```yaml
version: 2
registries:
npm-private:
type: npm-registry
url: https://npm.example.com
token: ${{secrets.NPM_TOKEN}}
updates:
# npm — monorepo workspaces
- package-ecosystem: "npm"
directories:
- "/"
- "/apps/*"
- "/packages/*"
- "/services/*"
registries:
- npm-private
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
timezone: "America/New_York"
groups:
dev-dependencies:
dependency-type: "development"
update-types: ["minor", "patch"]
production-dependencies:
dependency-type: "production"
update-types: ["minor", "patch"]
angular:
patterns: ["@angular*"]
update-types: ["minor", "patch"]
security-patches:
applies-to: security-updates
patterns: ["*"]
update-types: ["patch", "minor"]
ignore:
- dependency-name: "aws-sdk"
update-types: ["version-update:semver-major"]
cooldown:
default-days: 3
semver-major-days: 14
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "deps"
prefix-development: "deps-dev"
include: "scope"
assignees:
- "security-lead"
open-pull-requests-limit: 15
# GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
groups:
actions:
patterns: ["*"]
labels:
- "dependencies"
- "ci"
commit-message:
prefix: "ci"
# Docker
- package-ecosystem: "docker"
directories:
- "/services/*"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "docker"
commit-message:
prefix: "deps"
# pip
- package-ecosystem: "pip"
directory: "/scripts"
schedule:
interval: "monthly"
labels:
- "dependencies"
- "python"
versioning-strategy: "increase-if-necessary"
commit-message:
prefix: "deps"
# Terraform
- package-ecosystem: "terraform"
directory: "/infra"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "terraform"
commit-message:
prefix: "infra"
```
---
## 11. Ignore Patterns and Versioning Strategy
Control exactly what gets updated and how:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
versioning-strategy: "increase"
ignore:
# Never auto-update to Express 5.x (breaking changes)
- dependency-name: "express"
versions: ["5.x"]
# Skip patch updates for type definitions
- dependency-name: "@types/*"
update-types: ["version-update:semver-patch"]
# Ignore all updates for a vendored package
- dependency-name: "legacy-internal-lib"
allow:
- dependency-type: "all"
exclude-paths:
- "vendor/**"
- "test/fixtures/**"
```
---
## 12. Target Non-Default Branch
Test updates on a development branch before production:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
target-branch: "develop"
labels:
- "dependencies"
- "staging"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
target-branch: "develop"
```
Note: Security updates always target the default branch regardless of `target-branch`.
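Review bot: `assignees: ["@platform-team"]` in example 5 is inconsistent with the bare user logins used elsewhere in this commit (`"security-lead"` in example 10, `"security-team-lead"` in SKILL.md); `assignees` takes individual user logins without the `@` prefix and does not accept team slugs, so either replace it with a user login or explain where that form is accepted. In example 6 ("Security Updates Only"), a short comment next to `schedule:` saying that the key is still required even though `open-pull-requests-limit: 0` means no version-update PRs will be opened would pre-empt the obvious question.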


@@ -0,0 +1,91 @@
# Dependabot PR Comment Commands
Interact with Dependabot pull requests by commenting `@dependabot <command>`. Dependabot acknowledges commands with a thumbs-up reaction.
> **Deprecation Notice (January 27, 2026):** The following commands have been removed:
> `@dependabot merge`, `@dependabot squash and merge`, `@dependabot cancel merge`,
> `@dependabot close`, and `@dependabot reopen`.
> Use GitHub's native UI, CLI (`gh pr merge`), API, or auto-merge feature instead.
## Commands for Individual PRs
| Command | Description |
|---|---|
| `@dependabot rebase` | Rebase the PR against the target branch |
| `@dependabot recreate` | Recreate the PR from scratch, overwriting any manual edits |
| `@dependabot ignore this dependency` | Close the PR and stop all future updates for this dependency |
| `@dependabot ignore this major version` | Close and stop updates for this major version |
| `@dependabot ignore this minor version` | Close and stop updates for this minor version |
| `@dependabot ignore this patch version` | Close and stop updates for this patch version |
| `@dependabot show DEPENDENCY_NAME ignore conditions` | Display a table of all current ignore conditions for the dependency |
## Commands for Grouped Updates
These commands work on Dependabot PRs created by grouped version or security updates.
| Command | Description |
|---|---|
| `@dependabot ignore DEPENDENCY_NAME` | Close the PR and stop updating this dependency in the group |
| `@dependabot ignore DEPENDENCY_NAME major version` | Stop updating this dependency's major version |
| `@dependabot ignore DEPENDENCY_NAME minor version` | Stop updating this dependency's minor version |
| `@dependabot ignore DEPENDENCY_NAME patch version` | Stop updating this dependency's patch version |
| `@dependabot unignore *` | Close current PR, clear ALL ignore conditions for ALL dependencies in the group, open a new PR |
| `@dependabot unignore DEPENDENCY_NAME` | Close current PR, clear all ignores for a specific dependency, open a new PR with its updates |
| `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` | Close current PR, clear a specific ignore condition, open a new PR |
## Usage Examples
### Merge After CI (Use Native GitHub Features)
Auto-merge is the recommended replacement for the deprecated `@dependabot merge` command:
```bash
# Enable auto-merge via GitHub CLI
gh pr merge <PR_NUMBER> --auto --squash
# Or enable auto-merge via the GitHub UI:
# PR → "Enable auto-merge" → select merge method → confirm
```
GitHub will automatically merge the PR once all required CI checks pass.
### Ignore a Major Version Bump
```
@dependabot ignore this major version
```
Useful when a major version has breaking changes and migration is not yet planned.
### Check Active Ignore Conditions
```
@dependabot show express ignore conditions
```
Displays a table showing all ignore conditions currently stored for the `express` dependency.
### Unignore a Dependency in a Group
```
@dependabot unignore lodash
```
Closes the current grouped PR, clears all ignore conditions for `lodash`, and opens a new PR that includes available `lodash` updates.
### Unignore a Specific Condition
```
@dependabot unignore express [< 1.9, > 1.8.0]
```
Clears only the specified version range ignore for `express`.
## Tips
- **Rebase vs Recreate**: Use `rebase` to resolve conflicts while keeping your review state. Use `recreate` to start fresh if the PR has diverged significantly.
- **Force push over extra commits**: If you've pushed commits to a Dependabot branch and want Dependabot to rebase over them, include `[dependabot skip]` in your commit message.
- **Persistent ignores**: Ignore commands via PR comments are stored centrally. For transparency in team repos, prefer using `ignore` in `dependabot.yml` instead.
- **Merging Dependabot PRs**: Use GitHub's native auto-merge feature, the CLI (`gh pr merge`), or the web UI. The old `@dependabot merge` commands were deprecated in January 2026.
- **Closing/Reopening**: Use the GitHub UI or CLI. The old `@dependabot close` and `@dependabot reopen` commands were deprecated in January 2026.
- **Grouped commands**: When using `@dependabot unignore`, Dependabot closes the current PR and opens a fresh one with the updated dependency set.
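Review bot: the sentence "GitHub will automatically merge the PR once all required CI checks pass" after `gh pr merge <PR_NUMBER> --auto --squash` holds only when auto-merge is allowed in the repository settings and the target branch is protected with required status checks (and any required reviews); if nothing is required, there is no gate for auto-merge to wait on and a Dependabot bump lands on the default branch unreviewed. Suggest listing those two prerequisites next to the command, noting that `--auto` errors out when auto-merge is not enabled for the repository, and pointing to branch protection or rulesets as the place where the "required CI checks" actually come from.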