awesome-copilot/skills/dependabot/references/pr-commands.md
Ve Sharma f601edcc87 GHAS Pack - Agent Skills for GitHub Advanced Security - Includes Dependabot, CodeQL, and Secret Scanning (#1049)
* feat: add dependabot skill

* feat: add codeql skill

* feat: add secret-scanning skill

* feat: run start and update docs

* fix: replace deprecated @dependabot merge example with native auto-merge guidance

The usage example still showed @dependabot merge despite the Jan 2026
deprecation. Replaced with gh pr merge --auto and GitHub UI auto-merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-18 11:15:29 +11:00

# Dependabot PR Comment Commands

Interact with Dependabot pull requests by commenting `@dependabot <command>`. Dependabot acknowledges commands with a thumbs-up reaction.

> **Deprecation Notice (January 27, 2026):** The following commands have been removed:
> `@dependabot merge`, `@dependabot squash and merge`, `@dependabot cancel merge`,
> `@dependabot close`, and `@dependabot reopen`.
> Use GitHub's native UI, CLI (`gh pr merge`), API, or auto-merge feature instead.

## Commands for Individual PRs

| Command | Description |
|---|---|
| `@dependabot rebase` | Rebase the PR against the target branch |
| `@dependabot recreate` | Recreate the PR from scratch, overwriting any manual edits |
| `@dependabot ignore this dependency` | Close the PR and stop all future updates for this dependency |
| `@dependabot ignore this major version` | Close and stop updates for this major version |
| `@dependabot ignore this minor version` | Close and stop updates for this minor version |
| `@dependabot ignore this patch version` | Close and stop updates for this patch version |
| `@dependabot show DEPENDENCY_NAME ignore conditions` | Display a table of all current ignore conditions for the dependency |

## Commands for Grouped Updates

These commands work on Dependabot PRs created by grouped version or security updates.

| Command | Description |
|---|---|
| `@dependabot ignore DEPENDENCY_NAME` | Close the PR and stop updating this dependency in the group |
| `@dependabot ignore DEPENDENCY_NAME major version` | Stop updating this dependency's major version |
| `@dependabot ignore DEPENDENCY_NAME minor version` | Stop updating this dependency's minor version |
| `@dependabot ignore DEPENDENCY_NAME patch version` | Stop updating this dependency's patch version |
| `@dependabot unignore *` | Close current PR, clear ALL ignore conditions for ALL dependencies in the group, open a new PR |
| `@dependabot unignore DEPENDENCY_NAME` | Close current PR, clear all ignores for a specific dependency, open a new PR with its updates |
| `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` | Close current PR, clear a specific ignore condition, open a new PR |

## Usage Examples

### Merge After CI (Use Native GitHub Features)

Auto-merge is the recommended replacement for the deprecated `@dependabot merge` command:

```bash
# Enable auto-merge via GitHub CLI
gh pr merge <PR_NUMBER> --auto --squash
# Or enable auto-merge via the GitHub UI:
# PR → "Enable auto-merge" → select merge method → confirm
```

GitHub will automatically merge the PR once all required CI checks pass.

### Ignore a Major Version Bump

```
@dependabot ignore this major version
```

Useful when a major version has breaking changes and migration is not yet planned.

### Check Active Ignore Conditions

```
@dependabot show express ignore conditions
```

Displays a table showing all ignore conditions currently stored for the `express` dependency.

### Unignore a Dependency in a Group

```
@dependabot unignore lodash
```

Closes the current grouped PR, clears all ignore conditions for `lodash`, and opens a new PR that includes available `lodash` updates.

### Unignore a Specific Condition

```
@dependabot unignore express [< 1.9, > 1.8.0]
```

Clears only the specified version range ignore for `express`.

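
The command grammar from the two tables above and the usage examples, as an added example that is not part of this reference or of Dependabot's own code: a small Python parser that classifies `@dependabot` comments, flags the commands removed in January 2026, and sketches the persistent `ignore` entry for `dependabot.yml` that a comment-level ignore corresponds to. The mapping to `update-types` is an assumption for illustration (it suppresses every bump at that level, whereas the comment makes Dependabot store a single version-range condition). The sample comment thread and the `express` PR context are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Removed on 27 January 2026: Dependabot no longer acts on these.
DEPRECATED = {"merge", "squash and merge", "cancel merge", "close", "reopen"}
# dependabot.yml `update-types` values for each comment level.
UPDATE_TYPES = {
    "major": "version-update:semver-major",
    "minor": "version-update:semver-minor",
    "patch": "version-update:semver-patch",
}

@dataclass
class Command:
    action: str                       # rebase | recreate | ignore | unignore | show | deprecated | unknown
    scope: str                        # "individual" or "grouped"
    dependency: Optional[str] = None  # None: the PR's own dependency ("this ...")
    level: Optional[str] = None       # dependency | major | minor | patch
    condition: Optional[str] = None   # raw condition of `unignore DEP [...]`

# The "this ..." forms are tried before the generic "ignore DEPENDENCY_NAME"
# form, otherwise "this" would be read as a package name.
_PATTERNS = [
    (r"^(rebase|recreate)$", lambda m: Command(m[1], "individual")),
    (r"^ignore this (major|minor|patch) version$", lambda m: Command("ignore", "individual", None, m[1])),
    (r"^ignore this dependency$", lambda m: Command("ignore", "individual", None, "dependency")),
    (r"^show (\S+) ignore conditions$", lambda m: Command("show", "individual", m[1])),
    (r"^unignore \*$", lambda m: Command("unignore", "grouped", "*")),
    (r"^unignore (\S+) (\[.+\])$", lambda m: Command("unignore", "grouped", m[1], None, m[2])),
    (r"^unignore (\S+)$", lambda m: Command("unignore", "grouped", m[1])),
    (r"^ignore (\S+) (major|minor|patch) version$", lambda m: Command("ignore", "grouped", m[1], m[2])),
    (r"^ignore (\S+)$", lambda m: Command("ignore", "grouped", m[1], "dependency")),
]

def parse_command(comment: str) -> Optional[Command]:
    """Parse one comment; None if it is not addressed to Dependabot."""
    m = re.match(r"^\s*@dependabot\s+(.+?)\s*$", comment)
    if not m:
        return None
    body = re.sub(r"\s+", " ", m[1])
    if body in DEPRECATED:
        return Command("deprecated", "individual")
    for pattern, build in _PATTERNS:
        hit = re.match(pattern, body)
        if hit:
            return build(hit)
    return Command("unknown", "individual")  # Dependabot would not react to this

def parse_condition(condition: str) -> list:
    """Split an ignore condition such as "[< 1.9, > 1.8.0]" into its constraints."""
    return [p.strip() for p in condition.strip("[]").split(",") if p.strip()]

def to_config_ignore(cmd: Command, pr_dependency: str) -> Optional[dict]:
    """Approximate dependabot.yml `ignore` entry for an ignore command (assumed mapping)."""
    if cmd.action != "ignore":
        return None
    entry = {"dependency-name": cmd.dependency or pr_dependency}
    if cmd.level in UPDATE_TYPES:
        entry["update-types"] = [UPDATE_TYPES[cmd.level]]
    return entry

def render_ignore(entries: list) -> str:
    """Render entries as the `ignore:` block of one dependabot.yml update stanza."""
    lines = ["    ignore:"]
    for e in entries:
        lines.append(f'      - dependency-name: "{e["dependency-name"]}"')
        if "update-types" in e:
            lines.append("        update-types: [" + ", ".join(f'"{t}"' for t in e["update-types"]) + "]")
    return "\n".join(lines)

def triage(comments: list, pr_dependency: str) -> dict:
    """Report removed commands and the persistent ignore entries a thread implies."""
    report = {"deprecated": [], "ignore": []}
    for c in comments:
        cmd = parse_command(c)
        if cmd is None:
            continue
        if cmd.action == "deprecated":
            report["deprecated"].append(c.strip())
        entry = to_config_ignore(cmd, pr_dependency)
        if entry:
            report["ignore"].append(entry)
    return report

# Constructed sample thread on a grouped npm PR whose primary dependency is express.
SAMPLE_COMMENTS = [
    "@dependabot rebase",
    "@dependabot ignore this major version",
    "@dependabot ignore lodash minor version",
    "@dependabot unignore express [< 1.9, > 1.8.0]",
    "@dependabot merge",
    "LGTM, thanks!",
]

if __name__ == "__main__":
    result = triage(SAMPLE_COMMENTS, pr_dependency="express")
    for c in result["deprecated"]:
        print(f"removed command (January 2026), Dependabot will not act: {c}")
    print(render_ignore(result["ignore"]))
```

Run against a real thread, the `deprecated` list is what to look for when a team wonders why a merge comment had no effect, and the rendered `ignore:` block is the starting point for moving comment-level ignores into version control.
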

## Tips

- **Rebase vs Recreate**: Use `rebase` to resolve conflicts while keeping your review state. Use `recreate` to start fresh if the PR has diverged significantly.
- **Force push over extra commits**: If you've pushed commits to a Dependabot branch and want Dependabot to rebase over them, include `[dependabot skip]` in your commit message.
- **Persistent ignores**: Ignore conditions created via PR comments are stored by Dependabot outside the repository, so they are not visible in version control. For transparency in team repos, prefer using `ignore` in `dependabot.yml` instead.
- **Merging Dependabot PRs**: Use GitHub's native auto-merge feature, the CLI (`gh pr merge`), or the web UI. The old `@dependabot merge` commands were deprecated in January 2026.
- **Closing/Reopening**: Use the GitHub UI or CLI. The old `@dependabot close` and `@dependabot reopen` commands were deprecated in January 2026.
- **Grouped commands**: When using `@dependabot unignore`, Dependabot closes the current PR and opens a fresh one with the updated dependency set.