From 6fa214e016aeb68b39675606096fb0c87433a519 Mon Sep 17 00:00:00 2001
From: Rob Aiken
Date: Fri, 12 Dec 2025 18:30:57 +0000
Subject: [PATCH] Adding docs for OpenTofu and Julia (#58795)
Co-authored-by: mchammer01 <42146119+mchammer01@users.noreply.github.com>
---
 .../dependabot-options-reference.md | 12 +++++
 .../dependabot-community-ecosystems.yml | 6 +++
 data/features/dependabot-julia-support.yml | 6 +++
 data/features/dependabot-opentofu-support.yml | 6 +++
 .../dependabot/community-maintained-intro.md | 1 +
 .../dependabot/supported-package-managers.md | 46 ++++++++++++++++---
 .../supported-package-ecosystems.md | 25 ++++++++++
 7 files changed, 96 insertions(+), 6 deletions(-)
 create mode 100644 data/features/dependabot-community-ecosystems.yml
 create mode 100644 data/features/dependabot-julia-support.yml
 create mode 100644 data/features/dependabot-opentofu-support.yml
 create mode 100644 data/reusables/dependabot/community-maintained-intro.md
diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
index 0f26ff5ab3..7edb8c20dd 100644
--- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
+++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
@@ -223,9 +223,15 @@ The table below shows the package managers for which SemVer is supported.
 | Gradle | {% octicon "check" aria-label="Supported" %} |
 | Helm | {% octicon "x" aria-label="Not supported" %} |
 | Hex (Hex) | {% octicon "check" aria-label="Supported" %} |
+| {% ifversion dependabot-julia-support %} |
+| Julia | {% octicon "check" aria-label="Supported" %} |
+| {% endif %} |
 | Maven | {% octicon "check" aria-label="Supported" %} |
 | NPM and Yarn | {% octicon "check" aria-label="Supported" %} |
 | NuGet | {% octicon "check" aria-label="Supported" %} |
+| {% ifversion dependabot-opentofu-support %} |
+| OpenTofu | {% octicon "check" aria-label="Supported" %} |
+| {% endif %} |
 | Pip | {% octicon "check" aria-label="Supported" %} |
 | Pub | {% octicon "check" aria-label="Supported" %} |
 | Swift | {% octicon "check" aria-label="Supported" %} |
@@ -502,6 +508,9 @@ Package manager | YAML value | Supported versions |
 | Helm Charts | `helm` | v3 |
 | {% endif %} |
 | Hex | `mix` | v1 |
+| {% ifversion dependabot-julia-support %} |
+| Julia | `julia` | >=v1.10 |
+| {% endif %} |
 | elm-package | `elm` | v0.19 |
 | git submodule | `gitsubmodule` | Not applicable |
 | {% data variables.product.prodname_actions %} | `github-actions` | Not applicable |
@@ -510,6 +519,9 @@ Package manager | YAML value | Supported versions |
 | Maven | `maven` | Not applicable |
 | npm | `npm` | v7, v8, v9, v10 |
 | NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} |
+| {% ifversion dependabot-opentofu-support %} |
+| OpenTofu | `opentofu` | Not applicable |
+| {% endif %} |
 | pip| `pip` | v24.2 |
 | pip-compile | `pip` | 7.4.1 |
 | pipenv | `pip` | <= 2024.4.1 |
diff --git a/data/features/dependabot-community-ecosystems.yml b/data/features/dependabot-community-ecosystems.yml
new file mode 100644
index 0000000000..17d0869222
--- /dev/null
+++ b/data/features/dependabot-community-ecosystems.yml
@@ -0,0 +1,6 @@
+# Reference: #20647
+# Adding community ecosystems to Dependabot docs #20647
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '> 3.19'
diff --git a/data/features/dependabot-julia-support.yml b/data/features/dependabot-julia-support.yml
new file mode 100644
index 0000000000..bbe849d53b
--- /dev/null
+++ b/data/features/dependabot-julia-support.yml
@@ -0,0 +1,6 @@
+# Reference: #20205
+# Dependabot version updates now support Julia
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '> 3.19'
diff --git a/data/features/dependabot-opentofu-support.yml b/data/features/dependabot-opentofu-support.yml
new file mode 100644
index 0000000000..c552dfec61
--- /dev/null
+++ b/data/features/dependabot-opentofu-support.yml
@@ -0,0 +1,6 @@
+# Reference: #20650
+# OpenTofu support for Dependabot
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '> 3.19'
diff --git a/data/reusables/dependabot/community-maintained-intro.md b/data/reusables/dependabot/community-maintained-intro.md
new file mode 100644
index 0000000000..3ada7ee517
--- /dev/null
+++ b/data/reusables/dependabot/community-maintained-intro.md
@@ -0,0 +1 @@
+The following ecosystems are maintained by their upstream community maintainers. {% data variables.product.github %} integrates {% data variables.product.prodname_dependabot %} with these ecosystems but does not maintain them directly.
diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md
index 517ea5b4ee..aa0ce6274e 100644
--- a/data/reusables/dependabot/supported-package-managers.md
+++ b/data/reusables/dependabot/supported-package-managers.md
@@ -24,6 +24,9 @@ Composer | `composer` | {% ifversion dependabot-updates-composerv1-c | {% endif %} | [Helm Charts](#helm-charts) | `helm` | {% ifversion dependabot-helm-support %}v3{% else %}Not supported{% endif %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | Not applicable | Hex | `mix` | v1 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | +| {% ifversion dependabot-julia-support %} | +[Julia](#julia) | `julia` | >=v1.10 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | +| {% endif %} | elm-package | `elm` | v0.19 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | git submodule | `gitsubmodule` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable | [{% data variables.product.prodname_actions %}](#github-actions) | `github-actions` | Not applicable | {% octicon "check" aria-label="Supported" %} | 
{% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable | 
@@ -32,6 +35,9 @@ Go modules | `gomod` | v1 | {% octicon "check" aria-l [Maven](#maven) | `maven` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | npm | `npm` | v7, v8, v9, v10, v11 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | [NuGet](#nuget-cli) | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | +| {% ifversion dependabot-opentofu-support %} | +[OpenTofu](#opentofu) | `opentofu` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | +| {% endif %} | [pip](#pip-and-pip-compile) | `pip` | v21.1.2 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | pipenv | `pip` | <= 2021-05-29 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | [pip-compile](#pip-and-pip-compile) | `pip` | 6.1.0 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" 
aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | @@ -165,12 +171,6 @@ pnpm is supported for {% data variables.product.prodname_dependabot_version_upda The PEP 621 `project` section isn't currently supported for `poetry`. -#### pub - -{% data variables.product.prodname_dependabot %} won't perform an update for `pub` when the version that it tries to update to is ignored, even if an earlier version is available. - -You can use {% data variables.product.prodname_dependabot %} to keep Dart dependencies up-to-date if you use private hosted pub repositories. For information about allowing {% data variables.product.prodname_dependabot %} to access private {% data variables.product.prodname_dotcom %} dependencies, see [Allowing {% data variables.product.prodname_dependabot %} to access private dependencies](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies). - {% ifversion dependabot-rust-toolchain-support %} #### Rust toolchain 
@@ -206,3 +206,37 @@ vcpkg support includes updating the `builtin-baseline` commit SHA from the vcpkg #### yarn Dependabot supports vendored dependencies for v2 onwards. + +{% ifversion dependabot-community-ecosystems %} + +### Community-maintained ecosystems + +{% data reusables.dependabot.community-maintained-intro %} {% ifversion dependabot-julia-support %} + +* [Julia](#julia) - Maintained by the Julia community{% endif %}{% ifversion dependabot-julia-support %} +* [OpenTofu](#opentofu) - Maintained by the OpenTofu community{% endif %} +* [Pub](#pub) - Maintained by The Dart Community + +{% ifversion dependabot-julia-support %} + +#### Julia + +{% data variables.product.prodname_dependabot %} supports Julia projects that include `Project.toml`/`Manifest.toml` files. {% data variables.product.prodname_dependabot %} uses Julia's package manager to resolve and update dependencies. + +{% endif %} + +{% ifversion dependabot-opentofu-support %} + +#### OpenTofu + +{% data variables.product.prodname_dependabot %} supports updating OpenTofu modules and providers in `.tf` and `.tofu` configuration files, including `terragrunt.hcl` files. If the `.terraform.lock.hcl` lockfile for provider checksums is present, {% data variables.product.prodname_dependabot %} will also update it. + +{% endif %} + +{% endif %} + +#### Pub + +{% data variables.product.prodname_dependabot %} won't perform an update for `pub` when the version that it tries to update to is ignored, even if an earlier version is available. + +You can use {% data variables.product.prodname_dependabot %} to keep Dart dependencies up-to-date if you use private hosted pub repositories. 
For information about allowing {% data variables.product.prodname_dependabot %} to access private {% data variables.product.prodname_dotcom %} dependencies, see [Allowing {% data variables.product.prodname_dependabot %} to access private dependencies](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies). diff --git a/data/reusables/dependency-graph/supported-package-ecosystems.md b/data/reusables/dependency-graph/supported-package-ecosystems.md index f97dd89612..faba07342c 100644 --- a/data/reusables/dependency-graph/supported-package-ecosystems.md +++ b/data/reusables/dependency-graph/supported-package-ecosystems.md 
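Review bot: The OpenTofu bullet in the new "Community-maintained ecosystems" list is wrapped in `{% ifversion dependabot-julia-support %}`, the same flag as the Julia bullet just above it, while the `#### OpenTofu` section it links to is gated by `dependabot-opentofu-support`. The two feature files in this patch carry identical version ranges, so the rendered output matches today, but if either flag is changed later the bullet can point at an anchor that is not rendered, or disappear while the section is still shown. The condition on that bullet should read `{% ifversion dependabot-opentofu-support %}`. This hunk begins on the previous physical line of the page.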
@@ -9,8 +9,14 @@
 | {% data variables.product.prodname_actions %} workflows | YAML | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `.yml`, `.yaml` | {% octicon "x" aria-label="None" %} |
 | Go modules | Go | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `go.mod`| {% octicon "x" aria-label="None" %} |
 | Gradle | Java | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="None" %} | {% octicon "x" aria-label="None" %} |
+| {% ifversion dependabot-julia-support %} |
+| Julia | Julia | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `Manifest.toml` | `Project.toml` |
+| {% endif %} |
 | Maven | Java, Scala | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | `pom.xml` | {% octicon "x" aria-label="None" %} |
 | npm | JavaScript | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | `package-lock.json` | `package.json`|
+| {% ifversion dependabot-opentofu-support %} |
+| OpenTofu | HCL | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `.terraform.lock.hcl` | `.tf`, `.tofu` |
+| {% endif %} |
 | pip | Python | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | `requirements.txt`, `pipfile.lock` | `pipfile`, `setup.py` |
 | pnpm | JavaScript | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | `pnpm-lock.yaml` | `package.json` |
 | pub | Dart | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | `pubspec.lock` | `pubspec.yaml` |
@@ -20,7 +26,26 @@ | Yarn | JavaScript | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | `yarn.lock` | `package.json` | > [!NOTE]{% ifversion transitive-dependency-labeling-npm %} +> > * The **Static transitive dependencies** column indicates whether static analysis will add `direct` and `transitive` labels for dependent packages in that ecosystem. Dependency submission actions (automatic or manually configured) can add transitive information for ecosystems where static analysis cannot. {% endif %} > * If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project. > * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs..uses` will be parsed as dependencies. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions). > * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates). + +{% ifversion dependabot-community-ecosystems %} + +### Community-maintained ecosystems + +{% data reusables.dependabot.community-maintained-intro %} + +| Ecosystem | Maintained by | +| --- | --- | +| {% ifversion dependabot-julia-support %} | +| Julia | Julia community | +| {% endif %} | +| {% ifversion dependabot-opentofu-support %} | +| OpenTofu | OpenTofu community | +| {% endif %} | +| pub | Dart community | + +{% endif %}