
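---
# Keeps .github/dependabot.yml in sync with the canonical config embedded in
# the "Calculate expected hash" step: the expected text is hashed, compared
# with the file currently in the repo and, on drift (or absence), written to
# a fresh branch that is pushed and turned into a pull request.
# Triggers: a push that changes this workflow file, or a manual dispatch.
name: Create Dependabot Config

on:
  push:
    paths:
      - '.github/workflows/create-dependabot.yml'
  workflow_dispatch:

# Least privilege: `contents: write` is needed for the branch push,
# `pull-requests: write` for opening the PR. Nothing else is granted.
permissions:
  contents: write
  pull-requests: write

jobs:
  create-dependabot:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): supply-chain hygiene — pin third-party actions to a full
      # commit SHA rather than a mutable tag (`@v4`, `@v7` can be moved).
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Calculate expected hash
        id: hash
        run: |
          # Canonical dependabot.yml, kept as a single literal so the drift
          # check and the written file come from exactly the same bytes.
          # NOTE(review): `directory` takes one path; wildcard matching is what
          # the `directories` key is for — confirm the "**/*" pattern against
          # the current Dependabot docs for each ecosystem.
          EXPECTED_CONTENT='# Please see the documentation for all configuration options:
          # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
          #
          # NOTE: the `ignore` rules below also apply to Dependabot security
          # updates, so a security fix that requires a major version bump will
          # not be proposed automatically and must be handled manually.
          version: 2
          updates:
            # NuGet dependencies
            - package-ecosystem: "nuget"
              directories:
                - "**/*"
              schedule:
                interval: "weekly"
                day: "monday"
                time: "09:00"
                timezone: "Europe/London"
              open-pull-requests-limit: 1
              groups:
                patch-and-minor:
                  patterns:
                    - "*"
                  update-types:
                    - "minor"
                    - "patch"
              labels:
                - "dependencies"
                - "nuget"
              ignore:
                - dependency-name: "*"
                  update-types: ["version-update:semver-major"]
            # npm dependencies
            - package-ecosystem: "npm"
              directories:
                - "**/*"
              schedule:
                interval: "weekly"
                day: "monday"
                time: "09:00"
                timezone: "Europe/London"
              open-pull-requests-limit: 1
              groups:
                patch-and-minor:
                  patterns:
                    - "*"
                  update-types:
                    - "minor"
                    - "patch"
              labels:
                - "dependencies"
                - "npm"
              ignore:
                - dependency-name: "*"
                  update-types: ["version-update:semver-major"]
            # Docker dependencies
            - package-ecosystem: "docker"
              directories:
                - "**/*"
              schedule:
                interval: "weekly"
                day: "monday"
                time: "09:00"
                timezone: "Europe/London"
              open-pull-requests-limit: 1
              groups:
                patch-and-minor:
                  patterns:
                    - "*"
                  update-types:
                    - "minor"
                    - "patch"
              labels:
                - "dependencies"
                - "docker"
              ignore:
                - dependency-name: "*"
                  update-types: ["version-update:semver-major"]
            # GitHub Actions
            - package-ecosystem: "github-actions"
              directories:
                - "**/*"
              schedule:
                interval: "weekly"
                day: "monday"
                time: "09:00"
                timezone: "Europe/London"
              open-pull-requests-limit: 1
              groups:
                patch-and-minor:
                  patterns:
                    - "*"
                  update-types:
                    - "minor"
                    - "patch"
              labels:
                - "dependencies"
                - "github-actions"
              ignore:
                - dependency-name: "*"
                  update-types: ["version-update:semver-major"]
            # Python (pip) dependencies
            - package-ecosystem: "pip"
              directories:
                - "**/*"
              schedule:
                interval: "weekly"
                day: "monday"
                time: "09:00"
                timezone: "Europe/London"
              open-pull-requests-limit: 1
              groups:
                patch-and-minor:
                  patterns:
                    - "*"
                  update-types:
                    - "minor"
                    - "patch"
              labels:
                - "dependencies"
                - "pip"
              ignore:
                - dependency-name: "*"
                  update-types: ["version-update:semver-major"]
            # Terraform dependencies
            - package-ecosystem: "terraform"
              directories:
                - "**/*"
              schedule:
                interval: "weekly"
                day: "monday"
                time: "09:00"
                timezone: "Europe/London"
              open-pull-requests-limit: 1
              groups:
                patch-and-minor:
                  patterns:
                    - "*"
                  update-types:
                    - "minor"
                    - "patch"
              labels:
                - "dependencies"
                - "terraform"
              ignore:
                - dependency-name: "*"
                  update-types: ["version-update:semver-major"]'

          # Export the content for the next step. A distinctive heredoc
          # delimiter keeps the GITHUB_ENV multi-line syntax unambiguous even
          # if a plain "EOF" line ever ends up inside the config.
          {
            echo "EXPECTED_CONTENT<<EOF_DEPENDABOT_CONFIG"
            printf '%s\n' "$EXPECTED_CONTENT"
            echo "EOF_DEPENDABOT_CONFIG"
          } >> "$GITHUB_ENV"

          # Both hashes cover the content plus one trailing newline — the same
          # bytes the "Create or update" step writes to disk.
          EXPECTED_HASH=$(printf '%s\n' "$EXPECTED_CONTENT" | sha256sum | cut -d' ' -f1)
          echo "expected=$EXPECTED_HASH" >> "$GITHUB_OUTPUT"
          if [ -f .github/dependabot.yml ]; then
            CURRENT_HASH=$(sha256sum < .github/dependabot.yml | cut -d' ' -f1)
            echo "current=$CURRENT_HASH" >> "$GITHUB_OUTPUT"
          else
            # Sentinel that can never equal a hex digest, so a missing file
            # always counts as drift.
            echo "current=none" >> "$GITHUB_OUTPUT"
          fi

      - name: Create or update dependabot.yml
        id: create-dependabot
        if: steps.hash.outputs.current != steps.hash.outputs.expected
        run: |
          # `git commit` refuses to run without an author identity and the
          # hosted runner sets none; use the well-known Actions bot identity.
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

          # Timestamped branch so repeated runs never collide.
          BRANCH_NAME="feature/update-dependabot-config-$(date +%s)"
          git checkout -b "$BRANCH_NAME"
          mkdir -p .github
          printf '%s\n' "$EXPECTED_CONTENT" > .github/dependabot.yml

          git add .github/dependabot.yml
          git commit -m "Add or update dependabot.yml configuration"

          # Pushes with the GITHUB_TOKEN persisted by actions/checkout; this is
          # what the `contents: write` permission above is for.
          git push origin "$BRANCH_NAME"
          echo "branch_name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"

      # NOTE(review): a PR opened with the default GITHUB_TOKEN does not
      # trigger other `pull_request` workflows (e.g. CI) on that PR; use a
      # GitHub App token or a scoped PAT if checks must run on it.
      - name: Create Pull Request
        if: steps.hash.outputs.current != steps.hash.outputs.expected
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ github.token }}
          title: "Add or update dependabot.yml configuration"
          body: |
            This PR adds or updates the dependabot.yml configuration file to ensure automated dependency updates are properly configured.

            ## Configuration Details

            Common settings across all ecosystems:
            - Weekly updates every Monday at 09:00 (Europe/London)
            - Maximum of 1 open PR at a time
            - Groups patch and minor updates together
            - Ignores major version updates (note: this also suppresses security updates that need a major bump)
            - Adds ecosystem-specific labels

            ### Configured Package Ecosystems:
            1. **NuGet (.NET)**
               - Labels: `dependencies`, `nuget`
               - Updates all dependencies
            2. **npm (Node.js)**
               - Labels: `dependencies`, `npm`
               - Updates all dependencies
            3. **Docker**
               - Labels: `dependencies`, `docker`
               - Updates all container images
            4. **GitHub Actions**
               - Labels: `dependencies`, `github-actions`
               - Updates all workflow actions
            5. **Python (pip)**
               - Labels: `dependencies`, `pip`
               - Updates all Python packages
            6. **Terraform**
               - Labels: `dependencies`, `terraform`
               - Updates all providers and modules

            ### Update Strategy
            - Groups updates by patch and minor versions to reduce PR noise
            - Major version updates are excluded to prevent breaking changes
            - Each ecosystem has its own label for better visibility
          # The branch was already pushed by the previous step; the action
          # opens the PR for it against `main` and cleans up after merge.
          branch: ${{ steps.create-dependabot.outputs.branch_name }}
          base: main
          delete-branch: true
          labels: |
            automation
            dependabot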