Dependabot: dependabot.yml Configuration Reference
Dependabot is configured by a YAML file, not a workflow, and opens dependency-update PRs for you.
Place .github/dependabot.yml to tell Dependabot which package ecosystems to watch, how often, and how to group updates. It also keeps your GitHub Actions versions current.
Key fields
- package-ecosystem: npm, pip, docker, github-actions, and more.
- directory: where the manifest lives.
- schedule.interval: daily, weekly, or monthly.
- groups: bundle related updates into one PR.
- ignore: skip specific dependencies or versions.
- open-pull-requests-limit: cap concurrent update PRs.
Example config
.github/dependabot.yml
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
groups:
minor-and-patch:
update-types: [minor, patch]
- package-ecosystem: github-actions
directory: /
schedule:
interval: weeklyKeep actions pinned and fresh
The github-actions ecosystem updates the action versions in your workflows, which pairs well with pinning actions to SHAs.
Key takeaways
- dependabot.yml is config, not a workflow file.
- Add the github-actions ecosystem to update action versions.
- Use groups to cut PR noise from many small bumps.
Related guides
actions/stale: Auto-Close Stale Issues & PRsReference for actions/stale: label and close inactive issues and pull requests on a schedule, with day thresh…
peter-evans/create-pull-request: Open PRs from CIReference for peter-evans/create-pull-request: commit workflow-generated changes to a branch and open or upda…
tj-actions/changed-files: List Changed Files in CIReference for tj-actions/changed-files: get the list of files added, modified, or deleted in a push or PR to…