Dependabot
Dependabot is a tool to "monitor vulnerabilities in dependencies used in your project and keep your dependencies up-to-date."
By default, Dependabot scans your repository's default branch (e.g. `main`). This can be overridden with `target-branch`.
Dependabot is configured to run by creating a `dependabot.yml` file in your `.github/` directory. Notes around configuring your `dependabot.yml` file can be found here.
Here is an example of a very basic Ruby Bundler Dependabot configuration. It checks for updates every day, looking in the root directory for the package manifest:

```yaml
version: 2
updates:
  - package-ecosystem: 'bundler'
    directory: '/'
    schedule:
      interval: 'daily'
    labels:
      - "dependencies"
```
Keeping Actions up to date
If you plan to use GitHub Actions for builds, tests, or deployments, Dependabot can keep the Actions you run up to date as well. Add an entry like the following under `updates`:

```yaml
  - package-ecosystem: "github-actions"
    # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
    directory: "/"
    schedule:
      interval: "weekly"
```

More information on automating Dependabot using Actions can be found here.
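The two snippets above are entries of the same `updates` list and live in one file. The following complete `.github/dependabot.yml` is an added example, not configuration from the original page: it combines the Bundler and GitHub Actions entries and uses `target-branch` to scan a branch other than the default. The branch name `develop` is an assumed value for illustration.

```yaml
# .github/dependabot.yml (added example; combines the two snippets above)
version: 2
updates:
  # Ruby gems declared in the Gemfile at the repository root
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    # Scan this branch instead of the repository's default branch
    # ("develop" is an assumed branch name for this example)
    target-branch: "develop"
    labels:
      - "dependencies"

  # Actions referenced from workflows under .github/workflows;
  # directory "/" is the documented root for this ecosystem
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"
```

Both entries must sit under a single top-level `updates` key; a second `version:`/`updates:` block in the same file is not a valid configuration. Pointing `target-branch` at a non-default branch means security updates are proposed against that branch only, so keep the default branch covered (for example with a second entry without `target-branch`) if that is where releases are cut.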