diff --git a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md index de993e9f33..96d046d4f6 100644 --- a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md +++ b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md @@ -42,6 +42,12 @@ For detailed guidance, see [Prioritizing meaningful updates](/code-security/depe {% ifversion dependabot-reviewers-deprecation %} +## Automatically adding assignees + +Use `assignees` to automatically add individuals or teams as assignees to pull requests. + +For detailed guidance, see [Automatically adding assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-assignees). + ## Automatically adding reviewers To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). 
@@ -50,8 +56,10 @@ To ensure your project's security updates get addressed promptly by the appropri ## Automatically adding reviewers and assignees -> [!NOTE] -> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server. +> [!IMPORTANT] +> The `reviewers` property is closing down and will be removed in a future release of {% data variables.product.prodname_ghe_server %}. +> +> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests. @@ -91,14 +99,13 @@ In this example, the `dependabot.yml` file: * Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees. * Groups security updates for golang dependencies into a single pull request. -{% ifversion dependabot-reviewers-deprecation %} - ```yaml copy # Example configuration file that: # - Uses a private registry for npm updates # - Ignores lodash dependency # - Disables version-updates # - Applies custom labels +# - Adds assignees # - Group security updates for golang dependencies into a single pull request version: 2 
@@ -138,64 +145,10 @@ updates: - "golang.org*" ``` -{% else %} - -```yaml copy -# Example configuration file that: -# - Uses a private registry for npm updates -# - Ignores lodash dependency -# - Disables version-updates -# - Applies custom labels -# - Adds reviewers and assignees -# - Group security updates for golang dependencies into a single pull request - -version: 2 -registries: - # Define a private npm registry with the name `example` - example: - type: npm-registry - url: https://example.com - token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %} -updates: - - package-ecosystem: "npm" - directory: "/src/npm-project" - schedule: - interval: "daily" - # For Lodash, ignore all updates - ignore: - - dependency-name: "lodash" - # Disable version updates for npm dependencies - open-pull-requests-limit: 0 - registries: - # Ask Dependabot to use the private registry for npm - - example - # Raise all npm pull requests for security updates with custom labels - labels: - - "npm dependencies" - - "triage-board" - # Raise all npm pull requests for security updates with reviewers - reviewers: - - "my-org/team-name" - - "octocat" - # Raise all npm pull requests for security updates with assignees - assignees: - - "user-name" - - package-ecosystem: "gomod" - groups: - # Group security updates for golang dependencies - # into a single pull request - golang: - applies-to: security-updates - patterns: - - "golang.org*" -``` - -{% endif %} - ## Example 2: configuration for version updates and security updates In this example, the `dependabot.yml` file: -* Is customized so that {% data variables.product.prodname_dependabot %} adds reviewers and custom labels to both version updates and security updates. +* Is customized so that {% data variables.product.prodname_dependabot %} adds custom labels to both version updates and security updates. 
* Uses the `groups` customization option to create two groups ("`angular`" and "`production-dependencies`") in order to group multiple updates into single pull requests. * Specifies that the `groups` customization for `angular` applies to security updates only. * Specifies that the `groups` customization for `production-dependencies` applies to version updates only. @@ -212,10 +165,6 @@ updates: labels: - "npm dependencies" - "triage-board" - # Raise all npm pull requests for security and version updates with reviewers - reviewers: - - "my-org/team-name" - - "octocat" groups: angular: # Group security updates for Angular dependencies into a single pull request diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md index 347d1e6508..65cbca2666 100644 --- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md +++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md 
@@ -19,37 +19,56 @@ shortTitle: Customize Dependabot PRs There are various ways to customize your {% data variables.product.prodname_dependabot %} pull requests so that they better suit your own internal processes. -{% ifversion dependabot-reviewers-deprecation %} - For example, to integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows. -{% else %} - -For example: -* To maximize efficiency, {% data variables.product.prodname_dependabot %} can automatically add specific individuals or teams as **reviewers** to its pull requests for a particular package ecosystem. -* To integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows. - -{% endif %} - There are several different customization options which can all be used in combination, and tailored per package ecosystem. {% ifversion dependabot-reviewers-deprecation %} +## Automatically adding assignees + +By default, {% data variables.product.prodname_dependabot %} raises pull requests without any assignees. + +To automatically assign pull requests to a designated security team, you can use `assignees` to set these values per package ecosystem. + +The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have: +* An individual ("`user-name`") automatically assigned to the pull requests. 
+ +```yaml copy +# `dependabot.yml` file with +# assignee for all npm pull requests + +version: 2 +updates: + # Keep npm dependencies up to date + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + # Raise all npm pull requests with assignees + assignees: + - "user-name" +``` + ## Automatically adding reviewers -To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). +By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers. + +To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to {% data variables.product.prodname_dependabot %} pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). {% else %} ## Automatically adding reviewers and assignees +> [!IMPORTANT] +> The `reviewers` property is closing down and will be removed in a future release of {% data variables.product.prodname_ghe_server %}. +> +> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). + By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees. However, you may want pull requests to be consistently reviewed or dealt with by a specific individual or team that has expertise in that package ecosystem, or automatically assigned to a designated security team. In which case, you can use `reviewers` and `assignees` to set these values per package ecosystem. 
-> [!NOTE] -> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server. - The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have: * A team ("`my-org/team-name`") and an individual ("`octocat`") automatically added as reviewers to the pull requests. * An individual ("`user-name`") automatically assigned to the pull requests. @@ -74,10 +93,6 @@ updates: - "user-name" ``` -{% data reusables.dependabot.option-affects-security-updates %} - -See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers--). - {% endif %} ## Labeling pull requests with custom labels diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md index b04378ebb0..e381d65138 100644 --- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md +++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md 
@@ -27,7 +27,7 @@ redirect_from: You can use {% data variables.product.prodname_actions %} to perform automated tasks when {% data variables.product.prodname_dependabot %} creates pull requests to update dependencies. You may find this useful if you want to: -* Ensure that {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) are created with the right data for your work processes, including labels, names, and reviewers. +* Ensure that {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) are created with the right data for your work processes, including labels and names. * Trigger workflows to send {% data variables.product.prodname_dependabot %} pull requests (version updates and security updates) into your review process or to merge automatically. diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md index ca2ac22734..d97b41840f 100644 --- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md +++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md 
@@ -574,8 +574,10 @@ Supported values: `REGISTRY_NAME` or `"*"` ## `reviewers` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %} -> [!NOTE] -> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server. +> [!IMPORTANT] +> The `reviewers` property is closing down and will be removed in a future release of {% data variables.product.prodname_ghe_server %}. +> +> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs). @@ -590,9 +592,6 @@ When `reviewers` is defined: Reviewers must have at least read access to the repository. -> [!NOTE] -> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners). - {% endif %} ## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %} diff --git a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md index 2c46b7c736..53a031ac23 100644 --- a/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md +++ b/content/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates.md 
@@ -30,7 +30,7 @@ shortTitle: Manage Dependabot PRs When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. {% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).{% endif %} -If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request). +If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific assignees and labels. You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request). 
> [!NOTE] > If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates).
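Review bot: In the `@@ -50,8 +56,10 @@` hunk of `customizing-dependabot-security-prs.md`, the new `[!IMPORTANT]` callout (closing-down notice plus the CODEOWNERS sentence) is pasted verbatim into three files in this same patch (here, `customizing-dependabot-prs.md` and `dependabot-options-reference.md`). Since the patch already deletes a reusable (`{% data reusables.dependabot.option-affects-security-updates %}`), consider moving this callout into a `reusables.dependabot` snippet and including it in all three places so the wording and the `{% data variables.product.prodname_ghe_server %}` reference cannot drift.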
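Review bot: In the `@@ -91,14 +99,13 @@` hunk of `customizing-dependabot-security-prs.md`, the unchanged bullet still reads `automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees`, but the hunk removes the `{% ifversion dependabot-reviewers-deprecation %}` guard around the YAML and the later hunk deletes the `{% else %}` example that contained a `reviewers:` block, so on GHES < 3.19 the bullet promises reviewers the only remaining example no longer shows. Either drop the `reviewers and ` fragment or, if the example is meant to keep reviewers for older GHES, guard it with the same `dependabot-reviewers-deprecation` feature flag used everywhere else in these pages rather than a hard-coded `ghes < 3.19`.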
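Review bot: In the `@@ -19,37 +19,56 @@` hunk of `customizing-dependabot-prs.md`, removing the `{% ifversion dependabot-reviewers-deprecation %} … {% else %} … {% endif %}` block around the "For example" intro also drops the reviewers bullet from the `{% else %}` branch, where `reviewers` is still supported and is still documented a few lines below under "Automatically adding reviewers and assignees"; if that is intentional it is fine, otherwise keep the two-bullet list inside the `{% else %}` branch. Separately, the new "Automatically adding assignees" section introduces a list with a single bullet (`* An individual ("`user-name`") automatically assigned to the pull requests.`); a one-item list reads oddly, so fold it into the sentence, e.g. "…for npm have an individual (`user-name`) automatically assigned to them."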
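Review bot: In the `@@ -74,10 +93,6 @@` hunk of `customizing-dependabot-prs.md`, the removed lines `{% data reusables.dependabot.option-affects-security-updates %}` and `See also [`assignees`](…#assignees--) and [`reviewers`](…#reviewers--).` take the only cross-reference to the options reference with them, and the new "Automatically adding assignees" section added in the deprecation branch does not add one back. Keep at least `See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--).` after both YAML examples, and confirm that dropping the "option affects security updates" reusable is intended, since the examples on this page describe behaviour for both version and security updates.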
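Review bot: In the `@@ -27,7 +27,7 @@` hunk of `automating-dependabot-with-github-actions.md` and the `@@ -30,7 +30,7 @@` hunk of `managing-pull-requests-for-dependency-updates.md`, "reviewers" is removed unconditionally (`including labels and names`, `specific assignees and labels`), while the other files in this patch still document `reviewers` inside `{% else %}` branches of `{% ifversion dependabot-reviewers-deprecation %}`. For versions where the property still works, these two sentences now understate what can be configured; wrap the word in the same feature-flag conditional, e.g. `{% ifversion dependabot-reviewers-deprecation %}assignees{% else %}reviewers, assignees{% endif %}, and labels`, so all pages flip together when the flag is retired.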