Configuring Dependabot with Reusable Workflows #139004
joshjohanning started this conversation in Discover
Overview
We can already use Dependabot Version Updates for keeping marketplace actions (in addition to internal/private actions) up to date. However, did you know we can use Dependabot for keeping Reusable Workflows up to date as well?
Authorization Options
If you are referring to reusable workflows that are public, the implementation is easy. More likely though, especially if you're in an organization creating reusable workflows to standardize on CI/CD practices, you are going to be working with non-public repositories containing your reusable workflows.
There are two ways that you can configure Dependabot when working with resources in internal or private repositories. To summarize, you can either:
Tip
Configurations
Approach 1: Grant Access to Dependabot in the UI
For the first approach (authorizing Dependabot access manually), the YML configuration is no different than if you were using Dependabot to keep marketplace actions up to date.
You will then have to check your Dependabot run logs to authorize Dependabot for that repository (or add it via the organization settings):
Once you grant Dependabot access to the repository, you will see it show up in organization settings –> Code security and analysis –> Grant Dependabot access to private repositories. Additional repositories can be added here:
Approach 2: Using a Dependabot Secret
For the second option (using a Dependabot secret), you will need to add the `registries` property to the YML configuration. The `registries` will reference `type: git` and use a Dependabot Secret (preferably an org-level Dependabot secret):
Note
You can create a Dependabot secret at the organization level or repository level.
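A `.github/dependabot.yml` for this second approach could look like the following. It is an added example, not the configuration from the original post; the registry name `github-reusable-workflows` and the secret name `DEPENDABOT_REPO_READ_TOKEN` are assumed placeholders. Without the top-level `registries` block and the per-update `registries` list, the same file is the Approach 1 configuration.

```yaml
# .github/dependabot.yml (added example; names below are placeholders)
version: 2

# Approach 2 only: a git registry that lets Dependabot authenticate to
# internal/private repositories that hold the reusable workflows.
registries:
  github-reusable-workflows:        # placeholder registry name
    type: git
    url: https://github.com
    username: x-access-token
    # Dependabot secret (org-level preferred), not an Actions secret.
    # Back it with a token that has read-only access to only the
    # repositories containing the reusable workflows.
    password: ${{ secrets.DEPENDABOT_REPO_READ_TOKEN }}

updates:
  # The github-actions ecosystem covers marketplace actions and
  # reusable workflows referenced from .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Approach 2 only: allow this update job to use the registry above.
    registries:
      - github-reusable-workflows
```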
Results
If things are working properly, you should see a successful run in your Dependabot run logs:
And if there is a new semver version of a reusable workflow, you should see a Dependabot-created pull request:
Tip
Pro-tip: You can reply `@dependabot merge` or `@dependabot squash and merge` (among other commands) to tell Dependabot to merge the pull request.
Summary
Now we can create and properly version reusable workflows AND have our downstream users automatically be notified of version updates. This helps a ton in making it front and center for developers that there's an update they need to look at! 🎉