There is no official API to trigger Dependabot manually, e.g. just before a release we would like to have everything up to date: Manually trigger an update for a specific dependency dependabot/dependabot-core#2980. As that issue states, and as we know from our own experience, we have to go to Insights -> Dependency Graph -> Dependabot and click Check for updates on every package-ecosystem for all the supported branches (pulled from the mentioned dependabot.yml).
One of the nice workarounds suggested by the community is to make a change to the dependabot.yml file, which becomes a trigger for a Dependabot scan to run.
I wrote the following GHA workflow and tested it against a real project:
```yaml
name: Trigger Dependabot Updates
# This workflow is a convenient alternative to the GitHub UI interface for Dependabot updates.
# The workflow toggles the executable permission as a superficial change on the dependabot.yml file.
# That is enough for Dependabot to understand that some changes have happened in the dependency updates config.
on:
  workflow_dispatch:
jobs:
  trigger-dependabot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # Token with write access to the repository, stored as a repository secret,
          # so that the commit below can be pushed back.
          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
          show-progress: false
      - name: Touch dependabot.yml
        run: |
          file=".github/dependabot.yml"
          # Toggle executable permission as a superficial change.
          # Written as if/else so a failing `chmod -x` cannot fall through to `chmod +x`.
          if [ -x "$file" ]; then chmod -x "$file"; else chmod +x "$file"; fi
          git config --global user.name 'Spring Builds'
          git config --global user.email 'builds@springframework.org'
          # `commit -a` picks up the mode change of the tracked file (core.fileMode is true on ubuntu runners).
          git commit -am "CI/CD: Trigger dependabot updates"
          git push origin
```
It would be nice to have it as an action in this repository, to be reused whenever we want to avoid manual UI clicks.
Dependabot has some limitations:
- dependabot.yml has to be on a default branch with all the supported branches configs: https://docs.github.com/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file#where-to-store-the-dependabotyml-file
Thanks
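The mode-flip trick only works when git actually records the executable bit, i.e. when `core.fileMode` is true (the Linux/macOS default; it is false on Windows and on some mounted filesystems), otherwise `git commit -am` finds nothing to commit and the job fails without triggering anything. The script below is an added example, not code from the issue or from Dependabot: it builds a throwaway repository with a constructed minimal `dependabot.yml`, applies the same toggle as the workflow, checks that git sees the flip before committing, and returns the file mode recorded in the new commit so the effect can be verified. Function names (`make_scratch_repo`, `toggle_exec_bit`, `git_mode`, `trigger_commit`) are this example's own; it assumes `git` is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or from Dependabot): exercises the
# "toggle the executable bit on .github/dependabot.yml" trick in a scratch
# repository and checks that the toggle registers as a change, which is what
# the workflow relies on when it runs `git commit -am`.
# Assumptions: git is installed and core.fileMode is true (default on
# Linux/macOS; false on Windows and on some mounted filesystems).
set -eu

# Create a scratch repository containing a constructed minimal dependabot.yml.
# Prints the repository path.
make_scratch_repo() {
  repo="$(mktemp -d)"
  git -C "$repo" init -q
  git -C "$repo" config user.name  'example'
  git -C "$repo" config user.email 'example@example.invalid'
  mkdir -p "$repo/.github"
  cat > "$repo/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
EOF
  git -C "$repo" add .github/dependabot.yml
  git -C "$repo" commit -q -m "Add dependabot.yml"
  printf '%s\n' "$repo"
}

# Flip the executable bit of the given file: the workflow's superficial change,
# written as if/else so a failed `chmod -x` cannot fall through to `chmod +x`.
toggle_exec_bit() {
  if [ -x "$1" ]; then chmod -x "$1"; else chmod +x "$1"; fi
}

# Print the mode git has recorded for a file in the index: 100644 or 100755.
# (`git ls-files -s` prints "<mode> <object> <stage>\t<path>".)
git_mode() {
  git -C "$1" ls-files -s -- "$2" | cut -d' ' -f1
}

# Apply the toggle and commit it exactly as the workflow does (`commit -a`
# stages the mode change of the tracked file). Fails early, with a hint,
# when git does not see the flip; otherwise prints the mode now in HEAD.
trigger_commit() {
  repo="$1"
  file=".github/dependabot.yml"
  toggle_exec_bit "$repo/$file"
  # With core.fileMode=false git reports no change here and `git commit -am`
  # would fail with "nothing to commit", so check before committing.
  if [ -z "$(git -C "$repo" status --porcelain -- "$file")" ]; then
    echo "mode change not detected; check 'git config core.fileMode'" >&2
    return 1
  fi
  git -C "$repo" commit -q -am "CI/CD: Trigger dependabot updates"
  git_mode "$repo" "$file"
}
```

Running `trigger_commit` twice on the same scratch repository flips the recorded mode from 100644 to 100755 and back, producing one new commit each time; the same `status --porcelain` guard can be dropped into the workflow's `run:` step to turn a silent "nothing to commit" failure into a clear message about `core.fileMode`.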