| 1 | +# Dependabot Configuration |
| 2 | + |
| 3 | +This repository uses [GitHub Dependabot](https://docs.github.com/en/code-security/dependabot) for automated dependency updates. |
| 4 | + |
| 5 | +## Configuration |
| 6 | + |
| 7 | +The Dependabot configuration is defined in [`.github/dependabot.yml`](.github/dependabot.yml) and monitors: |
| 8 | + |
| 9 | +### NuGet Packages |
| 10 | +- **Schedule**: Weekly updates on Monday at 06:00 UTC |
| 11 | +- **Target**: All packages defined in `Directory.Packages.props` (Central Package Management) |
| 12 | +- **Grouping**: Related packages are grouped together to reduce PR noise: |
| 13 | + - `microsoft-extensions`: Microsoft.Extensions.* packages (15 packages) |
| 14 | + - `microsoft-aspnetcore`: Microsoft.AspNetCore.* packages (2 packages) |
| 15 | + - `microsoft-identity`: Microsoft.IdentityModel.* packages |
| 16 | + - `microsoft-build-tools`: Build and testing Microsoft packages |
| 17 | + - `system-packages`: System.* packages (9 packages) |
| 18 | + - `opentelemetry`: OpenTelemetry.* packages (5 packages) |
| 19 | + - `serilog`: Serilog.* packages (5 packages) |
| 20 | + - `testing`: Testing frameworks (xunit, Moq, coverlet, etc.) |
| 21 | + |
| 22 | +### GitHub Actions |
| 23 | +- **Schedule**: Weekly updates on Monday at 06:00 UTC |
| 24 | +- **Target**: All workflow files in `.github/workflows/` |
| 25 | +- **Limit**: Maximum 5 concurrent pull requests |
| 26 | + |
| 27 | +## How It Works |
| 28 | + |
| 29 | +1. **Dependency Detection**: Dependabot scans `Directory.Packages.props` for NuGet package versions and `.github/workflows/*.yml` for GitHub Actions |
| 30 | +2. **Update Checks**: Every Monday at 06:00 UTC, Dependabot checks for newer versions |
| 31 | +3. **Grouped Updates**: Related packages are updated together in single PRs to reduce maintenance overhead |
| 32 | +4. **Pull Request Creation**: Dependabot creates PRs with: |
| 33 | + - Descriptive titles and changelogs |
| 34 | + - Labels: `dependencies`, `nuget` or `github-actions` |
| 35 | + - Automatic conflict resolution when possible |
| 36 | + |
| 37 | +## Verification |
| 38 | + |
| 39 | +After configuration deployment, you can verify Dependabot is working by: |
| 40 | + |
| 41 | +1. **Check Insights**: Go to repository → Insights → Dependency graph → Dependabot |
| 42 | +2. **Monitor PRs**: Watch for PRs from `dependabot[bot]` with `dependencies` label |
| 43 | +3. **Review Logs**: Check the Dependabot tab in repository settings for update logs |
| 44 | + |
| 45 | +## Maintenance |
| 46 | + |
| 47 | +- **Adding New Groups**: Update the `groups` section in `dependabot.yml` for new package families |
| 48 | +- **Changing Schedule**: Modify the `schedule` section to adjust update frequency |
| 49 | +- **Adjusting Limits**: Change `open-pull-requests-limit` to control concurrent PRs |
| 50 | + |
| 51 | +## Troubleshooting |
| 52 | + |
| 53 | +If Dependabot isn't creating updates: |
| 54 | +1. Check the repository has Dependabot enabled in Settings → Security & analysis |
| 55 | +2. Verify the configuration syntax using a YAML validator |
| 56 | +3. Review Dependabot logs in repository Settings → Insights → Dependency graph → Dependabot |
| 57 | +4. Ensure the target directories and files exist and are accessible |
| 58 | + |
| 59 | +For more information, see the [official Dependabot documentation](https://docs.github.com/en/code-security/dependabot). |
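Review bot: The navigation paths for Dependabot logs contradict each other within this file. Verification step 1 gives "repository → Insights → Dependency graph → Dependabot", Verification step 3 says the logs are under "the Dependabot tab in repository settings", and Troubleshooting step 3 gives "Settings → Insights → Dependency graph → Dependabot"; Insights is a top-level repository tab, not a Settings sub-page, so pick the Insights path and use it in all three places. Two smaller points: the per-group package counts ("15 packages", "9 packages", etc.) will go stale the first time `Directory.Packages.props` changes and add nothing a reader cannot get from the group definitions, so drop them or state the date they were counted; and the NuGet section has no **Limit** line while the GitHub Actions section states "Maximum 5 concurrent pull requests", so either document the NuGet `open-pull-requests-limit` as well or note that it uses Dependabot's default.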