Commit f1f3df8
Muhamad Sazwan Bin Ismail
Update dependabot.yml
# Custom `dependabot.yml` for Node.js, Python, Docker, and GitHub Actions
Below is a tailored Dependabot configuration for a repository that uses **Node.js**, **Python**, **Docker**, and **GitHub Actions**. Adjust the `directory` paths to match your actual project layout.
## Assumed Project Structure
```
.
├── .github/
│   └── workflows/        # GitHub Actions workflows
├── frontend/             # Node.js application (if separate)
│   ├── package.json
│   └── ...
├── backend/              # Python application (if separate)
│   ├── requirements.txt
│   └── ...
├── Dockerfile            # If Dockerfile is in root
├── requirements.txt      # If Python deps are in root
├── package.json          # If Node.js deps are in root
└── ...
```
## `dependabot.yml` Configuration
Create the file at `.github/dependabot.yml` with the following content:
```yaml
version: 2
updates:
  # 1. Node.js (npm) dependencies
  - package-ecosystem: "npm"
    # Adjust directory if your package.json is in a subfolder
    directory: "/"             # root, or "/frontend", "/backend" etc.
    schedule:
      interval: "weekly"       # daily, weekly, monthly
      day: "monday"            # optional
      time: "09:00"            # UTC
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "javascript"
    reviewers:
      - "your-github-username" # optional: assign reviewers
    commit-message:
      prefix: "chore(deps)"
      prefix-development: "chore(deps-dev)"

  # 2. Python (pip) dependencies
  - package-ecosystem: "pip"
    directory: "/"             # root, or "/backend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "python"
    reviewers:
      - "your-github-username"
    # For pip, you can also specify a requirements file pattern
    # requirements: "requirements.txt" # if not in default location
    commit-message:
      prefix: "chore(deps-pip)"

  # 3. Docker
  - package-ecosystem: "docker"
    directory: "/"             # location of Dockerfile
    schedule:
      interval: "monthly"      # base images change less often
    labels:
      - "dependencies"
      - "docker"
    commit-message:
      prefix: "chore(docker)"

  # 4. GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"             # looks in .github/workflows
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "chore(actions)"
```
## Explanation of Options
- **`package-ecosystem`**: Identifies the dependency manager.
- **`directory`**: The directory where the manifest files are located. For GitHub Actions, it's always `/` (the root) because it scans `.github/workflows`.
- **`schedule`**: How often Dependabot checks for updates. Choose `daily`, `weekly`, or `monthly`. You can also specify `day` and `time`.
- **`open-pull-requests-limit`**: Max number of open PRs Dependabot will create at once (prevents flooding).
- **`labels`**: Labels to add to PRs (useful for filtering and automation).
- **`reviewers` / `assignees`**: GitHub usernames or team names to auto-assign.
- **`commit-message`**: Customise the commit message prefix.
## Customising for Your Project
- If your **Node.js** and **Python** dependencies are in the **root**, set both directories to `/`.
- If they are in separate subfolders (e.g., `frontend` and `backend`), change the `directory` accordingly:
```yaml
  - package-ecosystem: "npm"
    directory: "/frontend"
  - package-ecosystem: "pip"
    directory: "/backend"
```
- For **Docker**, if you have multiple Dockerfiles in different directories, you can add separate blocks for each.
## Enabling Dependabot
1. Commit the `.github/dependabot.yml` file to your default branch.
2. Ensure **Dependabot alerts** and **Dependabot security updates** are enabled in your repository settings (Settings → Code security and analysis).
3. Dependabot will run within 24 hours and create PRs based on your schedule.
## Best Practices
- Start with `open-pull-requests-limit: 5` if you're new to Dependabot.
- Use **labels** to easily filter PRs in your CI (e.g., only run certain tests on dependency PRs).
- Combine with **GitHub Actions** to automatically run tests on Dependabot PRs (Dependabot PRs have `github.actor == 'dependabot[bot]'`).
- Consider using **`versioning-strategy`** for npm: `increase` updates both `package.json` and `package-lock.json`; `lockfile-only` only updates the lockfile.
Need adjustments for your specific folder layout? Let me know!
# Enhanced `dependabot.yml` with Advanced Features
You asked for "Again", so let's take Dependabot configuration to the next level! Below is an **advanced, production-ready** configuration for your Node.js, Python, Docker, and GitHub Actions stack. It includes grouping, ignore rules, custom labels, and settings to work seamlessly with your CI.
## Advanced `dependabot.yml`
```yaml
version: 2
updates:
  # -------------------- Node.js (npm) --------------------
  - package-ecosystem: "npm"
    directory: "/"                 # or "/frontend"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "Asia/Kuala_Lumpur"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "javascript"
      - "automerge"                # if you use auto-merge workflows
    reviewers:
      - "your-username"
    assignees:
      - "your-username"
    # Group all minor/patch updates together
    groups:
      minor-and-patch:
        applies-to: version-updates
        update-types:
          - "minor"
          - "patch"
        patterns:
          - "*"
    # Ignore major updates for certain packages
    ignore:
      - dependency-name: "react"
        versions: [ ">=18.x" ]
      - dependency-name: "express"
        versions: [ "5.x" ]
    versioning-strategy: increase  # updates package.json as well
    commit-message:
      prefix: "chore(deps)"
      prefix-development: "chore(deps-dev)"
      include: "scope"             # includes dependency name

  # -------------------- Python (pip) --------------------
  - package-ecosystem: "pip"
    directory: "/"                 # or "/backend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "python"
    reviewers:
      - "your-username"
    groups:
      python-minor-patch:
        applies-to: version-updates
        update-types:
          - "minor"
          - "patch"
        patterns:
          - "*"
    ignore:
      - dependency-name: "django"
        versions: [ ">=4.0" ]
    # For pip, you can specify requirements files explicitly
    # requirements: "requirements.txt"
    commit-message:
      prefix: "chore(deps-pip)"

  # -------------------- Docker --------------------
  - package-ecosystem: "docker"
    directory: "/"                 # where Dockerfile lives
    schedule:
      interval: "monthly"          # base images change less often
    labels:
      - "dependencies"
      - "docker"
    commit-message:
      prefix: "chore(docker)"
    ignore:
      - dependency-name: "node"
        versions: [ ">=20" ]       # if you want to stick to older LTS

  # -------------------- GitHub Actions --------------------
  - package-ecosystem: "github-actions"
    directory: "/"                 # always root
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "chore(actions)"
```
## Advanced Features Explained
### **1. Grouping Updates**
```yaml
groups:
  minor-and-patch:
    applies-to: version-updates
    update-types: ["minor", "patch"]
    patterns: ["*"]
```
- Groups all minor and patch updates into a **single pull request**. This reduces PR noise.
- You can create multiple groups (e.g., `major-updates`, `security-only`).
### **2. Ignoring Certain Versions**
```yaml
ignore:
  - dependency-name: "react"
    versions: [ ">=18.x" ]
```
- Prevents Dependabot from suggesting updates to React 18+ if you're not ready.
### **3. Timezone Support**
```yaml
timezone: "Asia/Kuala_Lumpur"
```
- Ensures the schedule runs at a sensible local time.
### **4. Commit Message Customisation**
```yaml
commit-message:
  prefix: "chore(deps)"
  include: "scope"
```
- Adds the dependency name to the commit message, e.g., `chore(deps): bump lodash from 4.17.20 to 4.17.21`.
### **5. Security Updates**
Dependabot also automatically opens PRs for **security vulnerabilities**; these are **not** controlled by `dependabot.yml`. They appear separately as "security" PRs with the label `security`. You can enable/disable them in repository settings.
## Automating Dependabot PRs with GitHub Actions
You can automatically **approve and merge** Dependabot PRs that pass tests. Here's a simple workflow (`.github/workflows/auto-merge.yml`):
```yaml
name: Auto-merge Dependabot PRs
on: pull_request_target
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
This workflow:
- Approves any Dependabot PR.
- Auto-merges if it's a patch or minor update (after CI passes).
## Testing Dependabot Locally
You can't run Dependabot locally, but you can **manually trigger** a version update check using the GitHub CLI:
```bash
gh api -X POST /repos/{owner}/{repo}/dependabot/updates -f "package-ecosystem=npm" -f "directory=/" -f "schedule.interval=weekly"
```
This is useful for testing after changing `dependabot.yml`.
## Next Steps
1. **Copy the enhanced config** into `.github/dependabot.yml`.
2. **Adjust directories** and **ignore rules** to match your project.
3. **Commit and push** to your default branch.
4. **Monitor** the first run (within 24 hours); check the **Insights → Dependency graph → Dependabot** tab.
Need further customisation? Let me know!
1 parent dcb2ee1 commit f1f3df8
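As an added check that is not part of this commit: a small Python lint for a parsed `dependabot.yml`, encoding the constraints the message above explains (version 2, a root-relative `directory`, a valid `interval`, `day` only with `weekly`, `versioning-strategy` only for npm/pip, `dependency-name` in every `ignore` entry). It assumes the file has already been loaded into a dict (for example with `yaml.safe_load`); `GOOD` and `BAD` are constructed samples, `GOOD` mirroring the npm block of the advanced config.

```python
# Added example, not part of the commit: a structural lint for a parsed
# dependabot.yml that encodes the rules the commit message explains.
# Input is the config as a dict, i.e. what yaml.safe_load() returns.
ECOSYSTEMS = {"npm", "pip", "docker", "github-actions"}
INTERVALS = {"daily", "weekly", "monthly"}
# versioning-strategy needs a manifest/lockfile pair; docker and github-actions do not support it.
STRATEGY_ECOSYSTEMS = {"npm", "pip"}

def lint(cfg):
    """Return a list of problem strings; an empty list means the config passes."""
    problems = []
    if cfg.get("version") != 2:
        problems.append("version must be 2")
    for i, u in enumerate(cfg.get("updates") or []):
        where = f"updates[{i}]"
        eco = u.get("package-ecosystem")
        if eco not in ECOSYSTEMS:
            problems.append(f"{where}: unsupported package-ecosystem {eco!r}")
        d = u.get("directory")
        if not isinstance(d, str) or not d.startswith("/"):  # the form the docs and this commit use
            problems.append(f"{where}: directory must be a repo-root path starting with '/'")
        elif eco == "github-actions" and d != "/":
            problems.append(f"{where}: github-actions directory must be '/'")
        sched = u.get("schedule") or {}
        if sched.get("interval") not in INTERVALS:
            problems.append(f"{where}: schedule.interval must be daily, weekly or monthly")
        if "day" in sched and sched.get("interval") != "weekly":
            problems.append(f"{where}: schedule.day only applies to weekly")
        limit = u.get("open-pull-requests-limit", 5)  # Dependabot's default is 5
        if not isinstance(limit, int) or limit < 0:
            problems.append(f"{where}: open-pull-requests-limit must be a non-negative integer")
        if "versioning-strategy" in u and eco not in STRATEGY_ECOSYSTEMS:
            problems.append(f"{where}: versioning-strategy is not valid for {eco}")
        for n, ig in enumerate(u.get("ignore") or []):
            if "dependency-name" not in ig:
                problems.append(f"{where}.ignore[{n}]: dependency-name is required")
    return problems

# Constructed samples: GOOD mirrors the npm block of the commit's advanced config; BAD has a
# relative directory, an unknown interval, a day on a monthly schedule and a docker strategy.
GOOD = {"version": 2, "updates": [{"package-ecosystem": "npm", "directory": "/",
    "schedule": {"interval": "weekly", "day": "monday", "time": "09:00", "timezone": "Asia/Kuala_Lumpur"},
    "open-pull-requests-limit": 10, "versioning-strategy": "increase",
    "groups": {"minor-and-patch": {"update-types": ["minor", "patch"], "patterns": ["*"]}},
    "ignore": [{"dependency-name": "react", "versions": [">=18.x"]}]}]}
BAD = {"version": 2, "updates": [
    {"package-ecosystem": "github-actions", "directory": ".github/workflows", "schedule": {"interval": "fortnightly"}},
    {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "monthly", "day": "monday"},
     "versioning-strategy": "increase"}]}
```

Running `lint(BAD)` reports four problems and `lint(GOOD)` none; wiring this into a pre-commit hook or a CI job catches a broken config before Dependabot silently stops opening PRs.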
1 file changed, +132 -0 lines changed