Commit f951cf0
Add dependabot.yml for dependency version updates (#1296)
### What
Adding base config for `dependabot.yml`, which enables automatic PRs for
[dependency version
updates](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)
through Dependabot. This base config sets version updates to run on a
`weekly` schedule, groups PRs for version updates according to `major`
vs `minor/patch` updates, and sets max PRs that Dependabot can create
for version updates per package-ecosystem.
But if you would like, several config options can be added to
`dependabot.yml` as per
[configuration-options-for-the-dependabot.yml-file](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)
to customize version updates, such as:
- Group PRs for version updates by [different
criteria](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups)
- Set the `dependency-type` option in the [allow
option](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow)
to `all` to enable version updates for both direct and indirect
dependencies (as well as prod and dev dependencies). By default, PRs are
created only for updating direct prod+dev dependency versions.
- Set
[reviewers](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers)
for Dependabot version updates PRs
- Etc.
Also, automatic PRs for [security
updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
through Dependabot are enabled through a global setting. PRs for
security updates will be grouped as much as possible across directories
and per ecosystem through the global setting
([grouping-dependabot-security-updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-security-updates-into-a-single-pull-request)).
But `dependabot.yml` can also be used for more granular security updates
settings in addition to version updates (some of the options in
`dependabot.yml` are shared across security and version updates), such
as:
- Grouping security updates according to custom criteria:
[overriding-the-default-behavior-with-a-configuration-file](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file)
- Only allowing automatic PRs for security updates for certain
dependencies by configuring [allow
directive](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow)
to a certain value such as `production, development, direct, indirect`.
By default, security updates are applied to all dependencies (direct,
indirect, production, development).
- Etc.
### Why
To enable using the latest package versions, and provide a way to
customize Dependabot security updates PRs.
### Known limitations
N/A
---------
Co-authored-by: Leigh McCulloch <351529+leighmcculloch@users.noreply.github.com>

1 parent 7957cec commit f951cf0

1 file changed: +36 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
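Review bot: the body of the added file did not render here; only the 36 `+` line markers survive, so none of the settings the commit message describes (the `weekly` schedule, the grouping of version-update PRs into `major` versus `minor/patch`, and the per-ecosystem cap on open PRs) can be checked against the diff. Before merging, confirm in the actual file that every `package-ecosystem` entry carries all three settings, and that the `groups` are restricted to version updates so they do not silently change how the repository-level security-update grouping behaves, which the message says is governed by the global setting.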
0 commit comments
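For readers who want to see what the settings described in the commit message look like on disk, here is an illustrative `dependabot.yml` (an added example, not the file committed here, whose contents did not render on this page); the `npm` and `github-actions` ecosystems, the `/` directory and the limit of 5 open PRs are assumed values.

```yaml
# Illustrative .github/dependabot.yml (added example; not the committed file).
# Ecosystems, directories and the PR limit are assumed values.
version: 2
updates:
  - package-ecosystem: "npm"        # assumed ecosystem; one entry per ecosystem
    directory: "/"
    schedule:
      interval: "weekly"            # weekly schedule, as the commit message describes
    open-pull-requests-limit: 5     # cap on open version-update PRs for this entry
    # Group version-update PRs by semver impact so breaking (major) bumps
    # are reviewed separately from minor/patch bumps.
    groups:
      major-version-updates:
        applies-to: version-updates
        update-types:
          - "major"
      minor-and-patch-version-updates:
        applies-to: version-updates
        update-types:
          - "minor"
          - "patch"
    # Optional: widen version updates to indirect dependencies as well.
    # The default is direct production and development dependencies only;
    # "all" raises PR volume, so keep the limit above in mind.
    allow:
      - dependency-type: "all"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      actions-major:
        applies-to: version-updates
        update-types: ["major"]
      actions-minor-and-patch:
        applies-to: version-updates
        update-types: ["minor", "patch"]
      # Optional: granular grouping of security-update PRs for this
      # ecosystem, overriding the repository-level grouping setting.
      actions-security:
        applies-to: security-updates
        patterns: ["*"]
```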