There are various ways to customize your Dependabot pull requests so that they better suit your own internal processes.
For example, to integrate Dependabot's pull requests into your CI/CD pipelines, you can have Dependabot apply custom labels to its pull requests and then use those labels to trigger action workflows.
There are several different customization options which can all be used in combination, and tailored per package ecosystem.
Automatically adding assignees
By default, Dependabot raises pull requests without any assignees.
To automatically assign pull requests to a designated security team, you can use assignees to set these values per package ecosystem.
The example dependabot.yml file below changes the npm configuration so that all pull requests opened with version and security updates for npm have:
- An individual ("user-name") automatically assigned to the pull requests.
# `dependabot.yml` file with
# assignee for all npm pull requests
version: 2
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Raise all npm pull requests with assignees
    assignees:
      - "user-name"
Automatically adding reviewers
By default, Dependabot raises pull requests without any reviewers.
To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See About code owners.
Labeling pull requests with custom labels
By default, Dependabot raises pull requests with the label dependencies.
Dependabot also applies an ecosystem label (for example java, npm, or github-actions) to pull requests. To improve filtering and triage, Dependabot adds both the dependencies label and the ecosystem label to every pull request, including single-ecosystem updates.
Dependabot creates the default labels it applies to pull requests if they don't already exist in the repository. To use custom labels instead of the defaults, set the labels option in the dependabot.yml file for each package ecosystem; this replaces the defaults. For more information, see Managing labels and labels.
If semantic versioning (SemVer) labels exist in the repository, Dependabot applies them automatically to indicate the type of version update (major, minor, or patch). These labels are applied in addition to any custom labels you define.
You can use labels to override the default labels and specify your own custom labels per package ecosystem. This is useful if, for example, you want to:
- Use labels to assign a priority to certain pull requests.
- Use labels to trigger another workflow, such as automatically adding the pull request onto a project board.
The example dependabot.yml file below changes the npm configuration so that all pull requests opened with version and security updates for npm have custom labels.
# `dependabot.yml` file with
# customized npm configuration
version: 2
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Raise all npm pull requests with custom labels
    labels:
      - "npm dependencies"
      - "triage-board"
Setting this option also affects pull requests for security updates to this package manager's manifest files, unless you use target-branch to check for version updates on a non-default branch.
See also labels.
Adding a prefix to commit messages
By default, Dependabot attempts to detect your commit message preferences and use similar patterns. In addition, Dependabot populates the titles of pull requests based on the commit messages.
You can specify your own prefix for Dependabot's commit messages (and pull request titles) for a specific package ecosystem. This can be useful if, for example, you're running automations that process commit messages or pull request titles.
To specify your preferences explicitly, use commit-message together with the following supported options:
- prefix: Specifies a prefix for all commit messages. The prefix is also added to the start of the pull request title.
- prefix-development: Specifies a separate prefix for all commit messages that update development dependencies, as defined by the package manager or ecosystem. Supported for bundler, composer, mix, maven, npm, and pip.
- include: "scope": Specifies that any prefix is followed by the dependency type (deps or deps-dev) updated in the commit.
The example below shows several different options, tailored per package ecosystem:
# Customize commit messages
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      # Prefix all commit messages with "npm: "
      prefix: "npm"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      # Prefix all commit messages with "[docker] " (no colon, but a trailing whitespace)
      prefix: "[docker] "
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    # Prefix all commit messages with "Composer" plus its scope, that is, a
    # list of updated dependencies
    commit-message:
      prefix: "Composer"
      include: "scope"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Include a list of updated dependencies
    # with a prefix determined by the dependency group
    commit-message:
      prefix: "pip prod"
      prefix-development: "pip dev"
Setting this option also affects pull requests for security updates to this package manager's manifest files, unless you use target-branch to check for version updates on a non-default branch.
See also commit-message.
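The options above decide what an automation that processes commit messages or pull request titles will see. The following is an added example, not code from GitHub's documentation or from Dependabot itself: it models how prefix, prefix-development and include: "scope" combine into the text at the start of a Dependabot commit message and pull request title. Two details are assumptions labelled in the code: a prefix ending in whitespace is used verbatim while any other prefix gets ": " appended (the page shows "npm" becoming "npm: " and "[docker] " staying as-is), and the scope is rendered in parentheses as "prefix(deps): ". Check one real pull request title before relying on the exact text.

```python
# Added example; not code from GitHub's documentation or from Dependabot.
# Models the prefix Dependabot places before "Bump <dependency> ..." given a
# block's commit-message options, so title-processing automations know what
# to expect.
# Assumptions (labelled): a prefix ending in whitespace is used verbatim and
# any other prefix gets ": " appended (page: "npm" -> "npm: ", "[docker] "
# kept as-is); include: "scope" renders the dependency type in parentheses.

# Ecosystems for which the page says prefix-development is honoured.
PREFIX_DEVELOPMENT_ECOSYSTEMS = {"bundler", "composer", "mix", "maven", "npm", "pip"}


def commit_prefix(commit_message: dict, ecosystem: str, development: bool = False) -> str:
    """Prefix placed before 'Bump <dependency> ...' for one update block.

    commit_message -- the `commit-message` mapping from dependabot.yml
    ecosystem      -- the block's `package-ecosystem` value
    development    -- True if the updated dependency is a development dependency
    """
    prefix = commit_message.get("prefix", "")
    dev_prefix = commit_message.get("prefix-development")
    # prefix-development applies only in the listed ecosystems; elsewhere the
    # ordinary prefix is used for development dependencies as well.
    if development and dev_prefix and ecosystem in PREFIX_DEVELOPMENT_ECOSYSTEMS:
        prefix = dev_prefix
    if not prefix:
        return ""  # nothing configured: Dependabot's detected style applies
    if commit_message.get("include") == "scope":
        prefix += "(deps-dev)" if development else "(deps)"
    # Assumed rule: trailing whitespace suppresses the colon (the "[docker] " case).
    if prefix[-1].isspace():
        return prefix
    return prefix + ": "


def expected_prefixes(commit_message: dict, ecosystem: str) -> set[str]:
    """Every prefix an automation should accept for this block (prod and dev)."""
    return {commit_prefix(commit_message, ecosystem, dev) for dev in (False, True)} - {""}


def title_matches(title: str, commit_message: dict, ecosystem: str) -> bool:
    """True if a pull request title starts with one of the configured prefixes."""
    return any(title.startswith(p) for p in expected_prefixes(commit_message, ecosystem))


if __name__ == "__main__":
    # Constructed sample: the pip block from the page's example, with scope added.
    pip_options = {"prefix": "pip prod", "prefix-development": "pip dev", "include": "scope"}
    print(repr(commit_prefix(pip_options, "pip")))                    # 'pip prod(deps): '
    print(repr(commit_prefix(pip_options, "pip", development=True)))  # 'pip dev(deps-dev): '
    print(title_matches("pip dev(deps-dev): Bump pytest from 7.4.0 to 7.4.1", pip_options, "pip"))
```

Because prefix-development is ignored for ecosystems outside the supported list, title_matches() accepts both the production and the development form for a block, so an automation keyed on the configured prefix does not silently miss development-dependency updates.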
Associating pull requests with a milestone
Milestones help you track the progress of groups of pull requests (or issues) towards a project goal or release. With Dependabot, you can use the milestone option to associate pull requests for dependency updates with a specific milestone.
You must specify the numeric identifier of the milestone and not its label. To find the numeric identifier, check the final part of the page URL, after milestone. For example, for https://github.com/<org>/<repo>/milestone/3, "3" is the numeric identifier of the milestone.
# Specify a milestone for pull requests
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Associate pull requests with milestone "4"
    milestone: 4
Setting this option also affects pull requests for security updates to this package manager's manifest files, unless you use target-branch to check for version updates on a non-default branch.
See also milestone and About milestones.
Changing the separator in the pull request branch name
Dependabot generates a branch for each pull request. Each branch name includes dependabot, as well as the name of the package manager and the dependency to be updated. By default, these parts of the branch name are separated by a / symbol, for example:
dependabot/npm_and_yarn/next_js/acorn-6.4.1
To maintain supportability or consistency with your existing processes, you may need to ensure your branch names align with your team's existing conventions. In this case, you can use pull-request-branch-name.separator to specify a different separator, choosing either _, /, or "-".
In the example below, the npm configuration changes the default separator from / to "-", so the branch name changes as follows:
- Default (/): dependabot/npm_and_yarn/next_js/acorn-6.4.1
- Customized ("-"): dependabot-npm_and_yarn-next_js-acorn-6.4.1
Note that the hyphen symbol ("-") must be surrounded by quotation marks so that it's not interpreted as starting an empty YAML list.
# Specify a different separator for branch names
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    pull-request-branch-name:
      # Change the default separator (/) to a hyphen (-)
      separator: "-"
Setting this option also affects pull requests for security updates to this package manager's manifest files, unless you use target-branch to check for version updates on a non-default branch.
See also pull-request-branch-name.separator.
Targeting pull requests against a non-default branch
By default, Dependabot checks for manifest files on the default branch and raises pull requests for updates against the default branch.
Generally, it makes most sense to keep Dependabot's checks and updates on the default branch. However, there may be cases where you need to specify a different target branch. If, for example, your team's processes require you to first test and validate updates on a non-production branch, you can use target-branch to specify a different branch for Dependabot to raise pull requests against.
Note
Dependabot raises pull requests for security updates against the default branch only. If you use target-branch, all configuration settings for that package manager apply only to version updates, not to security updates.
# Specify a non-default branch for pull requests for pip
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Raise pull requests for version updates
    # to pip against the `develop` branch
    target-branch: "develop"
    # Labels on pull requests for version updates only
    labels:
      - "pip dependencies"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      # Check for npm updates on Sundays
      day: "sunday"
    # Labels on pull requests for security and version updates
    labels:
      - "npm dependencies"
See also target-branch.
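Several of the sections above state constraints that a misconfigured dependabot.yml breaks silently: the milestone must be a numeric identifier rather than a name, the separator is limited to _, / and "-", prefix-development is honoured only for bundler, composer, mix, maven, npm and pip, and once target-branch is set the block's other options reach version updates only while security updates keep targeting the default branch with default settings. The following checker is an added example, not code from GitHub's documentation or from Dependabot itself; it applies those stated rules to a parsed configuration. It operates on the dict that PyYAML's yaml.safe_load() returns (PyYAML is assumed to be installed for load_dependabot_config() only), and the sample configuration at the bottom is constructed here to trigger each finding.

```python
# Added example; not code from GitHub's documentation or from Dependabot.
# Applies the constraints stated on this page to a parsed dependabot.yml:
# numeric milestone, allowed separators, where prefix-development is
# supported, and the target-branch caveat.
from typing import Any

ALLOWED_SEPARATORS = {"_", "/", "-"}
PREFIX_DEVELOPMENT_ECOSYSTEMS = {"bundler", "composer", "mix", "maven", "npm", "pip"}
# Once target-branch is set, these options only reach version-update pull
# requests, because security updates always target the default branch.
VERSION_ONLY_WITH_TARGET_BRANCH = (
    "labels", "assignees", "milestone", "commit-message", "pull-request-branch-name",
)


def load_dependabot_config(path: str) -> dict[str, Any]:
    """Parse .github/dependabot.yml with PyYAML (assumed installed)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def check_update_block(block: dict[str, Any], index: int) -> list[str]:
    """Return human-readable findings for one entry under `updates`."""
    findings: list[str] = []
    eco = block.get("package-ecosystem", "?")
    where = f"updates[{index}] ({eco})"

    # Milestones are referenced by the numeric id from the URL, never by name.
    milestone = block.get("milestone")
    if milestone is not None and (isinstance(milestone, bool) or not isinstance(milestone, int)):
        findings.append(f"{where}: milestone must be the numeric id from the milestone URL, got {milestone!r}")

    separator = (block.get("pull-request-branch-name") or {}).get("separator")
    if separator is not None and separator not in ALLOWED_SEPARATORS:
        findings.append(f"{where}: separator must be one of '_', '/', '-', got {separator!r}")

    commit_message = block.get("commit-message") or {}
    if "prefix-development" in commit_message and eco not in PREFIX_DEVELOPMENT_ECOSYSTEMS:
        findings.append(f"{where}: prefix-development is not supported for {eco}; only prefix is used")
    if commit_message.get("include") not in (None, "scope"):
        findings.append(f"{where}: include only accepts \"scope\", got {commit_message['include']!r}")

    if "target-branch" in block:
        limited = [k for k in VERSION_ONLY_WITH_TARGET_BRANCH if k in block]
        if limited:
            findings.append(
                f"{where}: target-branch is set, so {', '.join(limited)} apply to version updates only; "
                "security updates still target the default branch with default settings"
            )
    return findings


def check_config(config: dict[str, Any]) -> list[str]:
    """Run every check over a parsed dependabot.yml and return the findings."""
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append(f"top level: version must be 2, got {config.get('version')!r}")
    for index, block in enumerate(config.get("updates") or []):
        findings.extend(check_update_block(block, index))
    return findings


# Constructed sample: the page's npm, docker and pip blocks with deliberate mistakes.
SAMPLE_CONFIG: dict[str, Any] = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "weekly"},
            "milestone": "v1.0",                             # label instead of numeric id
            "pull-request-branch-name": {"separator": "."},  # not an allowed separator
        },
        {
            "package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "weekly"},
            "commit-message": {"prefix": "[docker] ", "prefix-development": "[docker-dev] "},  # unsupported for docker
        },
        {
            "package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "weekly"},
            "target-branch": "develop", "labels": ["pip dependencies"],  # labels reach version updates only
        },
    ],
}

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run as a pre-commit hook or CI step over .github/dependabot.yml via check_config(load_dependabot_config(path)); a non-empty result means a pull request would be raised with settings other than the ones the author intended, which is worth catching before the next scheduled run rather than after a security update arrives unlabelled.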