Closing Down: Dependabot Reviewers (#56049)

Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2025-12-19 09:57:42 -05:00 · 2025-06-30 03:12:21 -04:00
parent 586464bf2e
commit a991b53082
4 changed files with 102 additions and 1 deletions
--- a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
+++ b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
@@ -44,12 +44,25 @@ For detailed guidance, see [Prioritizing meaningful updates](/code-security/depe

 {% endif %}

+{% ifversion dependabot-reviewers-deprecation %}
+
+## Automatically adding reviewers
+
+To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% else %}
+
 ## Automatically adding reviewers and assignees

+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests.

 For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees).

+{% endif %}
+
 ## Labeling pull requests with custom labels

 To **prioritize** specific pull requests, or integrate them into CI/CD pipelines, use `labels` to apply your own **custom labels** to each pull request.
@@ -79,9 +92,58 @@ For detailed guidance, see [Changing the separator in the pull request branch na
 In this example, the `dependabot.yml` file:
 * Uses a private registry for updates to npm dependencies.
 * Disables version updates for dependencies, so that any customizations apply to security updates only.
-* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds reviewers and assignees.{% ifversion dependabot-grouped-security-updates-config %}
+* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees.{% ifversion dependabot-grouped-security-updates-config %}
 * Groups security updates for golang dependencies into a single pull request.{% endif %}

+{% ifversion dependabot-reviewers-deprecation %}
+
+```yaml copy
+# Example configuration file that:
+#  - Uses a private registry for npm updates
+#  - Ignores lodash dependency
+#  - Disables version-updates
+#  - Applies custom labels
+{% ifversion dependabot-grouped-security-updates-config %}#  - Group security updates for golang dependencies into a single pull request{%- endif %}
+
+version: 2
+registries:
+  # Define a private npm registry with the name `example`
+  example:
+    type: npm-registry
+    url: https://example.com
+    token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %}
+updates:
+  - package-ecosystem: "npm"
+    directory: "/src/npm-project"
+    schedule:
+      interval: "daily"
+    # For Lodash, ignore all updates
+    ignore:
+      - dependency-name: "lodash"
+    # Disable version updates for npm dependencies
+    open-pull-requests-limit: 0
+    registries:
+      # Ask Dependabot to use the private registry for npm
+      - example
+    # Raise all npm pull requests for security updates with custom labels
+    labels:
+      - "npm dependencies"
+      - "triage-board"
+    # Raise all npm pull requests for security updates with assignees
+    assignees:
+      - "user-name"
+  {% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
+    groups:
+      # Group security updates for golang dependencies
+      # into a single pull request
+      golang:
+        applies-to: security-updates
+        patterns:
+          - "golang.org*"{% endif %}
+```
+
+{% else %}
+
 ```yaml copy
 # Example configuration file that:
 #  - Uses a private registry for npm updates
@@ -132,6 +194,8 @@ updates:
          - "golang.org*"{% endif %}
 ```

+{% endif %}
+
 ## Example 2: configuration for version updates and security updates

 In this example, the `dependabot.yml` file:
--- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md
+++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md
@@ -19,18 +19,37 @@ shortTitle: Customize Dependabot PRs

 There are various ways to customize your {% data variables.product.prodname_dependabot %} pull requests so that they better suit your own internal processes.

+{% ifversion dependabot-reviewers-deprecation %}
+
+For example, to integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.
+
+{% else %}
+
 For example:
 * To maximize efficiency, {% data variables.product.prodname_dependabot %} can automatically add specific individuals or teams as **reviewers** to its pull requests for a particular package ecosystem.
 * To integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.

+{% endif %}
+
 There are several different customization options which can all be used in combination, and tailored per package ecosystem.

+{% ifversion dependabot-reviewers-deprecation %}
+
+## Automatically adding reviewers
+
+To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% else %}
+
 ## Automatically adding reviewers and assignees

 By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees.

 However, you may want pull requests to be consistently reviewed or dealt with by a specific individual or team that has expertise in that package ecosystem, or automatically assigned to a designated security team. In which case, you can use `reviewers` and `assignees` to set these values per package ecosystem.

+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have:
 * A team ("`my-org/team-name`") and an individual ("`octocat`") automatically added as reviewers to the pull requests.
 * An individual ("`user-name`") automatically assigned to the pull requests.
@@ -59,6 +78,8 @@ updates:

 See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers--).

+{% endif %}
+
 ## Labeling pull requests with custom labels

 {% data reusables.dependabot.default-labels %}
--- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
+++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
@@ -456,8 +456,13 @@ When `registries` is defined for a package manager:

 Supported values: `REGISTRY_NAME` or `"*"`

+{% ifversion dependabot-reviewers-deprecation %}{% else %}
+
 ## `reviewers` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}

+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager.  For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).

 {% data variables.product.prodname_dependabot %} default behavior:
@@ -471,6 +476,11 @@ When `reviewers` is defined:

 Reviewers must have at least read access to the repository.

+> [!NOTE]
+> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% endif %}
+
 ## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %}

 **Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).
--- a/data/features/dependabot-reviewers-deprecation.yml
+++ b/data/features/dependabot-reviewers-deprecation.yml
@@ -0,0 +1,6 @@
+# Reference: #17818
+# Closing Down: Dependabot Reviewers Feature [Closing Down]
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>= 3.19'