From a991b530825707db579ce67d0df62e9e41a8b18d Mon Sep 17 00:00:00 2001
From: John Clement <70238417+jclement136@users.noreply.github.com>
Date: Mon, 30 Jun 2025 03:12:21 -0400
Subject: [PATCH] Closing Down: Dependabot Reviewers (#56049)
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../customizing-dependabot-security-prs.md | 66 ++++++++++++++++++-
 .../customizing-dependabot-prs.md | 21 ++++++
 .../dependabot-options-reference.md | 10 +++
 .../dependabot-reviewers-deprecation.yml | 6 ++
 4 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 data/features/dependabot-reviewers-deprecation.yml
diff --git a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
index 4805750008..b2b5f0587e 100644
--- a/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
+++ b/content/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs.md
@@ -44,12 +44,25 @@ For detailed guidance, see [Prioritizing meaningful updates](/code-security/depe
 {% endif %}
+{% ifversion dependabot-reviewers-deprecation %}
+
+## Automatically adding reviewers
+
+To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% else %}
+
 ## Automatically adding reviewers and assignees
+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 To ensure your project's security updates get **addressed promptly** by the appropriate team, use `reviewers` and `assignees` to automatically add individuals or teams as **reviewers or assignees** to pull requests. For detailed guidance, see [Automatically adding reviewers and assignees](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#automatically-adding-reviewers-and-assignees).
+{% endif %}
+
 ## Labeling pull requests with custom labels
 To **prioritize** specific pull requests, or integrate them into CI/CD pipelines, use `labels` to apply your own **custom labels** to each pull request.
@@ -79,9 +92,58 @@ For detailed guidance, see [Changing the separator in the pull request branch na
 In this example, the `dependabot.yml` file:
 * Uses a private registry for updates to npm dependencies.
 * Disables version updates for dependencies, so that any customizations apply to security updates only.
-* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds reviewers and assignees.{% ifversion dependabot-grouped-security-updates-config %}
+* Is customized so that {% data variables.product.prodname_dependabot %} applies custom labels to the pull requests and automatically adds {% ifversion ghes < 3.19 %}reviewers and {% endif %}assignees.{% ifversion dependabot-grouped-security-updates-config %}
 * Groups security updates for golang dependencies into a single pull request.{% endif %}
+{% ifversion dependabot-reviewers-deprecation %}
+
+```yaml copy
+# Example configuration file that:
+# - Uses a private registry for npm updates
+# - Ignores lodash dependency
+# - Disables version-updates
+# - Applies custom labels
+{% ifversion dependabot-grouped-security-updates-config %}# - Group security updates for golang dependencies into a single pull request{%- endif %}
+
+version: 2
+registries:
+ # Define a private npm registry with the name `example`
+ example:
+ type: npm-registry
+ url: https://example.com
+ token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %}
+updates:
+ - package-ecosystem: "npm"
+ directory: "/src/npm-project"
+ schedule:
+ interval: "daily"
+ # For Lodash, ignore all updates
+ ignore:
+ - dependency-name: "lodash"
+ # Disable version updates for npm dependencies
+ open-pull-requests-limit: 0
+ registries:
+ # Ask Dependabot to use the private registry for npm
+ - example
+ # Raise all npm pull requests for security updates with custom labels
+ labels:
+ - "npm dependencies"
+ - "triage-board"
+ # Raise all npm pull requests for security updates with assignees
assignees:
+ - "user-name"
+ {% ifversion dependabot-grouped-security-updates-config %}- package-ecosystem: "gomod"
+ groups:
+ # Group security updates for golang dependencies
+ # into a single pull request
+ golang:
+ applies-to: security-updates
+ patterns:
+ - "golang.org*"{% endif %}
+```
+
+{% else %}
+
 ```yaml copy
 # Example configuration file that:
 # - Uses a private registry for npm updates
@@ -132,6 +194,8 @@ updates:
 - "golang.org*"{% endif %}
 ```
+{% endif %}
+
 ## Example 2: configuration for version updates and security updates
 In this example, the `dependabot.yml` file:
diff --git a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md
index 134cbee26b..6d24acbe70 100644
--- a/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md
+++ b/content/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs.md
@@ -19,18 +19,37 @@ shortTitle: Customize Dependabot PRs
 There are various ways to customize your {% data variables.product.prodname_dependabot %} pull requests so that they better suit your own internal processes.
+{% ifversion dependabot-reviewers-deprecation %}
+
+For example, to integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.
+
+{% else %}
+
 For example:
+
 * To maximize efficiency, {% data variables.product.prodname_dependabot %} can automatically add specific individuals or teams as **reviewers** to its pull requests for a particular package ecosystem.
 * To integrate {% data variables.product.prodname_dependabot %}'s pull requests into your CI/CD pipelines, it can apply **custom labels** to pull requests, which you can then use to trigger action workflows.
+{% endif %}
+
 There are several different customization options which can all be used in combination, and tailored per package ecosystem.
+{% ifversion dependabot-reviewers-deprecation %}
+
+## Automatically adding reviewers
+
+To ensure your project's security updates get addressed promptly by the appropriate team, you can automatically add reviewers to Dependabot pull requests using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% else %}
+
 ## Automatically adding reviewers and assignees
 By default, {% data variables.product.prodname_dependabot %} raises pull requests without any reviewers or assignees. However, you may want pull requests to be consistently reviewed or dealt with by a specific individual or team that has expertise in that package ecosystem, or automatically assigned to a designated security team. In which case, you can use `reviewers` and `assignees` to set these values per package ecosystem.
+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 The example `dependabot.yml` file below changes the npm configuration so that all pull requests opened with version and security updates for npm have:
 * A team ("`my-org/team-name`") and an individual ("`octocat`") automatically added as reviewers to the pull requests.
 * An individual ("`user-name`") automatically assigned to the pull requests.
@@ -59,6 +78,8 @@ updates:
 See also [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) and [`reviewers`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#reviewers--).
+{% endif %}
+
 ## Labeling pull requests with custom labels
 {% data reusables.dependabot.default-labels %}
diff --git a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
index 428371fca0..bf333cd4da 100644
--- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
+++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
@@ -456,8 +456,13 @@ When `registries` is defined for a package manager:
 Supported values: `REGISTRY_NAME` or `"*"`
+{% ifversion dependabot-reviewers-deprecation %}{% else %}
+
 ## `reviewers` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
+> [!NOTE]
+> The `reviewers` property is closing down and will be removed in a future release of GitHub Enterprise Server.
+
 Specify individual reviewers, or teams of reviewers, for all pull requests raised for a package manager. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
 {% data variables.product.prodname_dependabot %} default behavior:
@@ -471,6 +476,11 @@ When `reviewers` is defined:
 Reviewers must have at least read access to the repository.
+> [!NOTE]
+> You can also automatically add reviewers and assignees using a CODEOWNERS file. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners).
+
+{% endif %}
+
 ## `schedule` {% octicon "versions" aria-label="Version updates only" height="24" %}
 **Required option.** Define how often to check for new versions for each package manager you configure using the `interval` parameter. Optionally, for daily and weekly intervals, you can customize when {% data variables.product.prodname_dependabot %} checks for updates. For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).
diff --git a/data/features/dependabot-reviewers-deprecation.yml b/data/features/dependabot-reviewers-deprecation.yml
new file mode 100644
index 0000000000..beaa2017ed
--- /dev/null
+++ b/data/features/dependabot-reviewers-deprecation.yml
@@ -0,0 +1,6 @@
+# Reference: #17818
+# Closing Down: Dependabot Reviewers Feature [Closing Down]
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '>= 3.19'