6

Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?

https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

Elina Akhmanova
  • 101
  • 1
  • 4
  • 1
    This. I would like to do some configuration, but I don't want to break what is working now. I want it to do what it is doing, but assign specific directories to specific teams. I guess I am out of luck because there's no doc on what the default configuration is. – nroose Apr 13 '22 at 16:44

2 Answers2

8

The configuration file is necessary so that Dependabot knows which environments to update. This is a minimalist example from the GitHub documentation to update the dependencies of the GitHub Actions on a daily basis:

version: 2
updates:

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"

You can also see the necessary configurations in the table of the GitHub documentation.

flaxel
  • 4,173
  • 4
  • 17
  • 30
7

Technically dependabot.yml is not required - if you turn on dependabot from GitHub project settings / security, it'll start working. I turned on https://github.com/coreinfrastructure/best-practices-badge without a YAML file and it worked.

HOWEVER, it's not obvious to others that dependabot is being used if there's no dependabot.yml file, and that's a problem. For example, the OpenSSF scorecard looks for the dependabot.yml file to determine if your project is using dependabot to keep things up to date. It's important to have your dependencies up-to-date, yes, but it's also important that your potential users know that you're keeping things up-to-date. So for full transparency it's better to have the configuration file posted within the source repo.

It'll also give you more control.

David A. Wheeler
  • 511
  • 6
  • 4