Dependabot

Official Dependabot Docs

Dependabot is a tool to "monitor vulnerabilities in dependencies used in your project and keep your dependencies up-to-date."

By default, Dependabot scans your repository's default branch (e.g. `main`). This can be overridden with the `target-branch` option.

Dependabot is configured to run by creating a `dependabot.yml` file in your `.github/` directory.

Notes around configuring your dependabot.yml file can be found here

Here is an example of a very basic Ruby Bundler Dependabot configuration. It checks for updates daily, reading the package manifest from the repository root directory:

```yaml
version: 2
updates:
  - package-ecosystem: 'bundler'
    directory: '/'
    schedule:
      interval: 'daily'
    labels:
      - "dependencies"
```

Keeping Actions up to date

If you plan to use GitHub Actions for builds, tests, or deployments, Dependabot can keep the Actions you are running up to date as well by adding a `github-actions` entry to the same `updates` list:

```yaml
  - package-ecosystem: "github-actions"
    # Workflow files stored in the default location of `.github/workflows`.
    # (You don't need to specify `/.github/workflows` for `directory`; use `directory: "/"`.)
    directory: "/"
    schedule:
      interval: "weekly"
```

More information on automating Dependabot using Actions can be found here.
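A configuration that is silently wrong (an unknown ecosystem name, a directory that does not start with `/`, an interval Dependabot does not accept) means updates never arrive and nobody notices. The script below is an added example, not Dependabot's own code or anything from the official docs: it takes a `dependabot.yml` already parsed into a dict (the shape `yaml.safe_load()` returns) and checks the fields used by both snippets above, the Bundler entry and the `github-actions` entry, plus the `target-branch` override mentioned earlier. The two sample configs are constructed for this example, the ecosystem list is a deliberately partial subset of the documented values, and the `has_workflows` flag is a stand-in for a real check that `.github/workflows` exists in the repository.

```python
"""Sanity checks for a parsed .github/dependabot.yml (added example, not Dependabot's code)."""
from __future__ import annotations

# Subset of the ecosystems documented for package-ecosystem; extend as needed.
KNOWN_ECOSYSTEMS = {
    "bundler", "cargo", "composer", "docker", "github-actions", "gomod",
    "gradle", "maven", "mix", "npm", "nuget", "pip", "terraform",
}
VALID_INTERVALS = {"daily", "weekly", "monthly"}


def validate(config: dict, has_workflows: bool = False) -> list[str]:
    """Return findings as strings; an empty list means every check passed.

    has_workflows: set to True when the repo has .github/workflows, so a
    missing github-actions entry is reported (assumed flag, see lead-in).
    """
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("error: version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        findings.append("error: updates must be a non-empty list")
        return findings

    ecosystems: set[str] = set()
    for i, entry in enumerate(updates):
        if not isinstance(entry, dict):
            findings.append(f"error: updates[{i}] must be a mapping")
            continue
        eco = entry.get("package-ecosystem")
        if eco not in KNOWN_ECOSYSTEMS:
            findings.append(f"error: updates[{i}]: unknown package-ecosystem {eco!r}")
        else:
            ecosystems.add(eco)
        directory = entry.get("directory")
        if not isinstance(directory, str) or not directory.startswith("/"):
            findings.append(f"error: updates[{i}]: directory must start with '/' (repo root)")
        interval = (entry.get("schedule") or {}).get("interval")
        if interval not in VALID_INTERVALS:
            findings.append(f"error: updates[{i}]: schedule.interval must be one of {sorted(VALID_INTERVALS)}")
        branch = entry.get("target-branch")
        if branch is not None:
            # Not a defect, but worth surfacing: this entry no longer follows the default branch.
            findings.append(f"info: updates[{i}]: scans {branch!r} instead of the default branch")

    if has_workflows and "github-actions" not in ecosystems:
        findings.append("warning: repository has workflows but no github-actions update entry")
    return findings


def load_config(text: str) -> dict:
    """Parse YAML text. PyYAML is assumed to be installed (pip install pyyaml)."""
    import yaml  # imported lazily so validate() itself needs no third-party package
    return yaml.safe_load(text)


# Constructed sample: the two snippets from this page merged into one file.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "bundler", "directory": "/",
         "schedule": {"interval": "daily"}, "labels": ["dependencies"]},
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}},
    ],
}

# Constructed sample with typical mistakes: wrong version, miscased ecosystem,
# relative directory, unsupported interval, and no github-actions entry.
BROKEN_CONFIG = {
    "version": 1,
    "updates": [
        {"package-ecosystem": "Bundler", "directory": "src",
         "schedule": {"interval": "hourly"}},
    ],
}


if __name__ == "__main__":
    import sys
    # Usage: python check_dependabot.py [.github/dependabot.yml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            cfg = load_config(fh.read())
    else:
        cfg = BROKEN_CONFIG
    for finding in validate(cfg, has_workflows=True):
        print(finding)
```

Run it against a real file as a pre-commit or CI step; a non-empty list of `error:` lines is the signal that the schedule you think you have will never fire.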