Contributors can enable Dependabot for their repositories by making the following changes to the repository.
Enabling Branch Protection Rules
Before you configure Dependabot, you need to ensure that Branch Protection Rules are in place for at least the main branch of your repository.
At the top of the Repository page, navigate to Settings, expand Rules, and click on Rulesets. There should be one Ruleset titled “Branch Protection Rules” with a description “3 branch rules • targeting 1 branch”.
If you see the message “You haven’t created any rulesets”, click on New Ruleset and select Import a Ruleset. Import the contents of the Branch Protection Rules.json file, available for download here.
Once imported, scroll to the bottom of the new Ruleset and click Create.
With all this in place, you can move onto creating the Dependabot configuration.
Creating the Dependabot Configuration
This step involves creating a Dependabot Configuration (.github/dependabot.yml) file in your repository. This allows Dependabot to monitor dependencies, create pull requests when updates are available, and assign them to you to review and approve.
Step 1: Create the .github Directory (if it doesn’t exist)
mkdir -p .github
Step 2: Create the dependabot.yml File
Create a new file at .github/dependabot.yml:
touch .github/dependabot.yml
Step 3: Add the Configuration
Open .github/dependabot.yml in your text editor and add the appropriate configuration based on your dependency type (see Examples section below).
Step 4: Commit and Push the changes
git add .github/dependabot.yml
git commit -m "Add Dependabot configuration"
git push origin main
Replace main with the name of your default branch if it is different.
Examples for Different Dependency Types
Important Notes:
- When specifying the directory, make sure to adjust the path according to where your dependency files are located in your repository. For example, if your package.json or composer.json files are in the root directory, use "/". If they are in a subdirectory, specify that path (e.g., "/subdirectory-name").
- Under the assignees section, replace YOUR_GITHUB_USERNAME with your GitHub username.
Example 1: npm Dependencies Only
If your repository has npm dependencies (i.e., package.json files), use this configuration in .github/dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the root directory
    directory: "/"
    # Check the npm registry for updates every week
    schedule:
      interval: "weekly"
    # Raise all npm pull requests with assignees
    assignees:
      - "YOUR_GITHUB_USERNAME"
For npm dependencies in subdirectories, add additional update blocks:
version: 2
updates:
  # Enable version updates for npm in the root directory
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    assignees:
      - "YOUR_GITHUB_USERNAME"
  # Enable version updates for npm in a subdirectory
  - package-ecosystem: "npm"
    directory: "/subdirectory-name"
    schedule:
      interval: "weekly"
    assignees:
      - "YOUR_GITHUB_USERNAME"
Example 2: Composer Dependencies Only
If your repository has composer dependencies (i.e., composer.json files), use this configuration in .github/dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Enable version updates for composer
  - package-ecosystem: "composer"
    # Look for `composer.json` and `composer.lock` files in the root directory
    directory: "/"
    # Check for updates every week
    schedule:
      interval: "weekly"
    # Raise all composer pull requests with assignees
    assignees:
      - "YOUR_GITHUB_USERNAME"
Example 3: Both npm and Composer Dependencies
If your repository has both npm and composer dependencies, combine both configurations in .github/dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the root directory
    directory: "/"
    # Check the npm registry for updates every week
    schedule:
      interval: "weekly"
    # Raise all npm pull requests with assignees
    assignees:
      - "YOUR_GITHUB_USERNAME"
  # Enable version updates for composer
  - package-ecosystem: "composer"
    # Look for `composer.json` and `composer.lock` files in the root directory
    directory: "/"
    # Check for updates every week
    schedule:
      interval: "weekly"
    # Raise all composer pull requests with assignees
    assignees:
      - "YOUR_GITHUB_USERNAME"
For multiple directories with different package managers, you can mix and match:
version: 2
updates:
  # npm in subdirectory 1
  - package-ecosystem: "npm"
    directory: "/subdirectory-1"
    schedule:
      interval: "weekly"
    assignees:
      - "YOUR_GITHUB_USERNAME"
  # npm in subdirectory 2
  - package-ecosystem: "npm"
    directory: "/subdirectory-2"
    schedule:
      interval: "weekly"
    assignees:
      - "YOUR_GITHUB_USERNAME"
  # Composer in root directory
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    assignees:
      - "YOUR_GITHUB_USERNAME"
Creating the Auto-Approve and Auto-Merge Workflow
Once the Dependabot configuration is in place, you can set up GitHub Actions to automatically approve and merge Dependabot pull requests. This step is optional but recommended, and requires two additional workflow files. The advantage of this approach is that it reduces the manual effort required to keep dependencies up to date.
The two files you will create are:
- Auto-Approve Workflow (.github/workflows/dependabot-auto-approve.yml) – Automatically approves Dependabot pull requests
- Auto-Merge Workflow (.github/workflows/dependabot-auto-merge.yml) – Automatically enables auto-merge for Dependabot pull requests
Step 1: Create the Workflows Directory (if it doesn’t exist)
mkdir -p .github/workflows
Step 2: Create the Auto-Approve Workflow File
Create a new file at .github/workflows/dependabot-auto-approve.yml:
touch .github/workflows/dependabot-auto-approve.yml
Step 3: Add the Workflow Configuration
Open .github/workflows/dependabot-auto-approve.yml in your text editor and add the following content:
name: Dependabot Auto-Approve
on: pull_request
# The workflow needs write access to pull requests to submit a review
permissions:
  pull-requests: write
jobs:
  dependabot-approve:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve Dependabot PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Step 4: Commit and Push the changes
git add .github/workflows/dependabot-auto-approve.yml
git commit -m "Add Dependabot auto-approve workflow"
git push origin main
Creating the Auto-Merge Workflow
Step 1: Create the Auto-Merge Workflow File
Create a new file at .github/workflows/dependabot-auto-merge.yml:
touch .github/workflows/dependabot-auto-merge.yml
Step 2: Add the Workflow Configuration
Open .github/workflows/dependabot-auto-merge.yml in your text editor and add the following content:
name: Dependabot Auto-Merge
on: pull_request
# Enabling auto-merge needs write access to both contents and pull requests
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot-auto-merge:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        # --auto queues the merge; it completes once the branch protection checks pass
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Step 3: Commit and Push the changes
git add .github/workflows/dependabot-auto-merge.yml
git commit -m "Add Dependabot auto-merge workflow"
git push origin main
To see these files in action, you can refer to the Plugin developer repository.
Auto-merge failures and merge conflicts
In some cases, the auto-merge workflow may fail. This is often due to merge conflicts in the files that track package dependencies (e.g., composer.json, composer.lock, package.json, package-lock.json). In these cases, you will need to manually resolve the merge conflicts in the pull request before it can be merged, then merge it yourself.