How to schedule Dependabot checks to keep our dependencies updated
We can enable Dependabot version updates for a GitHub repository by adding a dependabot.yml file to the repository's .github folder. The file has to live in each repository you want checked: an organization- or user-level .github repository distributes default community health files (issue templates, CODE_OF_CONDUCT, SECURITY and so on), but it does not distribute dependabot.yml, so keep a reference copy there if you like and commit it to every repository.
If you are setting this up in your company's repositories, I strongly recommend using a service account rather than your own user as the assignee of the Dependabot pull requests, so that review ownership and notifications do not depend on one person's account.
In this example I'm updating the dependencies for GitHub Actions, npm, and Docker.
```yaml
# https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    # Workflow files stored in the default location of `.github/workflows`.
    # (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
    directory: "/"
    schedule:
      interval: "weekly"
      time: "08:00"
      timezone: "Europe/Madrid"
    assignees:
      - "YOUR_USER or a SERVICE_ACCOUNT"
    commit-message:
      prefix: "chore(deps): update actions"
  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 5
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Madrid"
    assignees:
      - "YOUR_USER or a SERVICE_ACCOUNT"
    commit-message:
      prefix: "chore(deps): update npm packages"
  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Madrid"
    assignees:
      - "YOUR_USER or a SERVICE_ACCOUNT"
    commit-message:
      prefix: "chore(deps): update Docker deps"
```
Pay attention to the timezone setting on this line:
```yaml
timezone: "Europe/Madrid"
```
It must be an IANA time zone identifier; if you leave it out, the `time` value is interpreted as UTC.
In this example the commit message prefix follows the Conventional Commits standard (`chore(deps): ...`). Use whatever prefix fits your repositories, but keep it consistent across the entries:
```yaml
commit-message:
  prefix: "chore(deps): update npm packages"
```
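The file above is small, but the mistakes that slip into it are the boring ones: a placeholder left in `assignees`, a `time` with no `timezone`, a prefix spelt two different ways. As an added example (not code from the original post or from GitHub), here is a Ruby linter for dependabot.yml that uses only the standard-library YAML parser; Ruby is the language Dependabot itself is written in, and it ships with `YAML` built in. The sample config, the check rules, the constant names and the function names are my own; `INTERVALS` lists only the intervals used on this page, so extend it if you use others.

```ruby
require "yaml"

# Constructed sample (not from the post): the first config above, with the slips a
# reviewer would want flagged: a placeholder assignee, "chores" next to "chore",
# and a time written as "8:00" and left without a timezone.
SAMPLE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
        time: "08:00"
        timezone: "Europe/Madrid"
      assignees:
        - "YOUR_USER or a SERVICE_ACCOUNT"
      commit-message:
        prefix: "chore(deps): update actions"
    - package-ecosystem: "npm"
      directory: "/"
      open-pull-requests-limit: 5
      schedule:
        interval: "weekly"
        day: "monday"
        time: "8:00"
      commit-message:
        prefix: "chores(deps): update npm packages"
YAML

INTERVALS   = %w[daily weekly monthly].freeze  # the intervals used on this page; extend as needed
DAYS        = %w[monday tuesday wednesday thursday friday saturday sunday].freeze
TIME_RE     = /\A([01]\d|2[0-3]):[0-5]\d\z/    # hh:mm on a 24-hour clock
TZ_RE       = %r{\A[A-Z][A-Za-z_]+(/[A-Za-z0-9_+-]+)+\z} # rough shape of an IANA id (Europe/Madrid)
PLACEHOLDER = /YOUR_USER|SERVICE_ACCOUNT/

# Findings for one `updates` entry; an empty array means the entry is clean.
def check_update(entry, index)
  label = "updates[#{index}] (#{entry['package-ecosystem'] || '?'})"
  out = []
  %w[package-ecosystem directory schedule].each do |key|
    out << "#{label}: missing required key '#{key}'" unless entry.key?(key)
  end
  sched = entry["schedule"] || {}
  unless INTERVALS.include?(sched["interval"])
    out << "#{label}: interval '#{sched['interval']}' is not one of #{INTERVALS.join('/')}"
  end
  if sched.key?("day")
    out << "#{label}: day '#{sched['day']}' is not a weekday name" unless DAYS.include?(sched["day"])
    out << "#{label}: 'day' only applies to a weekly interval" unless sched["interval"] == "weekly"
  end
  if sched.key?("time") && !TIME_RE.match?(sched["time"].to_s)
    out << "#{label}: time '#{sched['time']}' is not hh:mm"
  end
  if sched.key?("timezone")
    tz = sched["timezone"].to_s
    out << "#{label}: timezone '#{tz}' does not look like an IANA identifier" unless tz == "UTC" || TZ_RE.match?(tz)
  elsif sched.key?("time")
    out << "#{label}: 'time' is set without 'timezone', so it is read as UTC"
  end
  Array(entry["assignees"]).each do |who|
    out << "#{label}: assignee '#{who}' is still a placeholder" if PLACEHOLDER.match?(who.to_s)
  end
  limit = entry["open-pull-requests-limit"]
  unless limit.nil? || (limit.is_a?(Integer) && limit >= 0)
    out << "#{label}: open-pull-requests-limit must be a non-negative integer"
  end
  out
end

# Lint a whole dependabot.yml: top-level shape, each entry, and one cross-entry check
# that every commit-message prefix uses the same conventional-commit type.
def lint_dependabot(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  findings = []
  findings << "version must be 2" unless cfg["version"] == 2
  entries = cfg["updates"] || []
  findings << "no 'updates' entries" if entries.empty?
  entries.each_with_index { |entry, i| findings.concat(check_update(entry, i)) }
  types = entries.map { |e| e.dig("commit-message", "prefix").to_s[/\A[a-z]+/] }.compact.uniq
  findings << "commit-message prefixes mix types: #{types.join(', ')}" if types.size > 1
  findings
end

if $PROGRAM_NAME == __FILE__
  lint_dependabot(SAMPLE_CONFIG).each { |finding| puts finding }
end
```

Run it against the sample and it reports four findings: the placeholder assignee, the malformed `8:00`, the missing timezone on the npm entry, and the `chore`/`chores` mismatch. Point `lint_dependabot` at `File.read(".github/dependabot.yml")` in a pre-commit hook or a CI job so the file is checked before it is pushed; the timezone check is only a shape check, not a lookup in the tz database.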
We can also exclude some dependencies, or some kinds of update, by adding the ignore key. Be careful with blanket rules such as ignoring every patch-level update: patch releases are where bug and vulnerability fixes usually land, so keep Dependabot security updates (or another vulnerability alerting) enabled and check that your ignore rules are not silently suppressing those as well.
```yaml
# https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    # Workflow files stored in the default location of `.github/workflows`.
    # (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
    directory: "/"
    schedule:
      interval: "weekly"
      time: "08:00"
      timezone: "Europe/Madrid"
    assignees:
      - "YOUR_USER or a SERVICE_ACCOUNT"
    commit-message:
      prefix: "chore(deps): update actions"
  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 5
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Madrid"
    assignees:
      - "YOUR_USER or a SERVICE_ACCOUNT"
    commit-message:
      prefix: "chore(deps): update npm packages"
    ignore:
      # Ignore updates to packages that start with 'react'
      # Wildcards match zero or more arbitrary characters
      - dependency-name: "react*"
      # For all packages, ignore all patch updates
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Madrid"
    assignees:
      - "YOUR_USER or a SERVICE_ACCOUNT"
    commit-message:
      prefix: "chore(deps): update Docker deps"
```
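It is worth seeing which updates those two ignore rules actually swallow before you commit them: `react*` also catches `react-dom` and `react-router` (but not `preact`, because the glob is anchored at the start), and `"*"` with `semver-patch` drops every `x.y.Z` bump while still letting minor and major bumps through. As an added example (not code from the original post or from Dependabot), this Ruby script reads the `ignore` block with the standard-library YAML parser and triages a constructed list of candidate updates against it. The glob-to-regexp translation, the semver classification and the `ignored_by`/`triage` helpers are my own reconstruction of the documented semantics: matching is assumed to be anchored and case-sensitive, and pre-release tags and 0.x conventions are not modelled.

```ruby
require "yaml"

# The `ignore` rules from the npm entry above (constructed inline so the script runs offline).
IGNORE_RULES = YAML.safe_load(<<~YAML)["ignore"]
  ignore:
    - dependency-name: "react*"
    - dependency-name: "*"
      update-types: ["version-update:semver-patch"]
YAML

# dependency-name globs: '*' matches zero or more characters, everything else is literal.
# Assumption: the match is anchored at both ends and case-sensitive.
def name_pattern(glob)
  Regexp.new("\\A" + Regexp.escape(glob).gsub("\\*", ".*") + "\\z")
end

# Classify a version jump using the names the update-types values use
# (plain semver; pre-release tags and 0.x conventions are not modelled here).
def update_type(from, to)
  a = Gem::Version.new(from).segments
  b = Gem::Version.new(to).segments
  return "version-update:semver-major" if a[0] != b[0]
  return "version-update:semver-minor" if a[1] != b[1]
  "version-update:semver-patch"
end

# The first rule that suppresses this update, or nil when a PR would be opened.
# A rule without update-types ignores every update to the names it matches.
def ignored_by(rules, name, from, to)
  type = update_type(from, to)
  rules.find do |rule|
    next false unless name_pattern(rule["dependency-name"]).match?(name)
    types = rule["update-types"]
    types.nil? || types.include?(type)
  end
end

# Constructed candidate updates: [name, current version, available version].
CANDIDATES = [
  ["react-dom", "18.2.0",  "18.3.0"],  # caught by "react*" even though it is a minor bump
  ["preact",    "10.0.0",  "10.1.0"],  # not "react*": the glob is anchored at the start
  ["lodash",    "4.17.20", "4.17.21"], # patch: suppressed by the "*" rule
  ["lodash",    "4.17.21", "4.18.0"],  # minor: proposed
  ["express",   "4.18.2",  "5.0.0"],   # major: proposed
].freeze

# One row per candidate: name, version jump, and what the ignore rules do with it.
def triage(rules, candidates)
  candidates.map do |name, from, to|
    rule = ignored_by(rules, name, from, to)
    [name, "#{from} -> #{to}", rule ? "ignored by '#{rule['dependency-name']}'" : "PR opened"]
  end
end

if $PROGRAM_NAME == __FILE__
  triage(IGNORE_RULES, CANDIDATES).each { |row| puts row.join("  ") }
end
```

Swap `CANDIDATES` for the packages and versions from your own lockfile to preview the effect of a rule set; if the patch-level rule hides something you would have wanted to see (a `4.17.20 -> 4.17.21` that fixes a CVE, say), narrow it to a named dependency instead of `"*"`.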
References
GitHub - Configuring Dependabot version updates
GitHub - Controlling which dependencies are updated by Dependabot