From 11bbe78a75353805a648addb501c1ac3ca5022c7 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Wed, 14 May 2025 15:50:38 +0300 Subject: [PATCH 1/8] Add known case with monorepos For monorepos, tag separated tags don't work with dependabot. Instead, slash separated tags are needed --- .../supported-ecosystems-and-repositories.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index ce6920d47f02..d6d3d45f5912 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -44,3 +44,24 @@ You can configure updates for repositories that contain a dependency manifest or If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} + +### Known issue: Tag format for GitHub Actions in monorepos + +If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. + +- **Dash (-) separator (e.g. my-action-v0.1.0):** + - Dependabot may incorrectly update multiple actions or fail to detect new versions. +- **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** + - Dependabot correctly detects and updates each action independently + + **Example**: +```yaml +# Recommended: namespaced with slash +uses: my-org/my-action-a/v0.1.0 + +# Not recommended: dash +uses: my-org/my-action-a-v0.1.0 +``` + +**Recommendation:** +For monorepos with multiple actions, use the `name/version` (slash) format for action tags to ensure accurate {% data variables.product.prodname_dependabot %} updates. From 6d7770e8c9d30ec6fc7c20cfabf6dade8c10a811 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Wed, 14 May 2025 16:06:46 +0300 Subject: [PATCH 2/8] Add git-ref bits --- .../supported-ecosystems-and-repositories.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index d6d3d45f5912..5785be5e05ce 100644 
--- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -50,9 +50,9 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. - **Dash (-) separator (e.g. my-action-v0.1.0):** - - Dependabot may incorrectly update multiple actions or fail to detect new versions. + - {% data variables.product.prodname_dependabot %} may incorrectly update multiple actions or fail to detect new versions. This occurs because {% data variables.product.prodname_dependabot %} relies on Git’s hierarchical tag structure (using slashes) to distinguish between actions. - **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** - - Dependabot correctly detects and updates each action independently + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag that aligns with Git’s ref format rules. **Example**: ```yaml @@ -64,4 +64,4 @@ uses: my-org/my-action-a-v0.1.0 ``` **Recommendation:** -For monorepos with multiple actions, use the `name/version` (slash) format for action tags to ensure accurate {% data variables.product.prodname_dependabot %} updates. +For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently. From b273d6d5f581541e8cf94850c430471cb8f345ce Mon Sep 17 00:00:00 2001 
From: kbukum1 Date: Thu, 24 Jul 2025 16:23:34 -0500 Subject: [PATCH 3/8] Update tag format guidance for GitHub Actions Clarify tag format recommendations for GitHub Actions in monorepos. --- .../supported-ecosystems-and-repositories.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index 5785be5e05ce..e44ab305142c 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -49,18 +49,18 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. -- **Dash (-) separator (e.g. my-action-v0.1.0):** - - {% data variables.product.prodname_dependabot %} may incorrectly update multiple actions or fail to detect new versions. This occurs because {% data variables.product.prodname_dependabot %} relies on Git’s hierarchical tag structure (using slashes) to distinguish between actions. -- **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** - - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag that aligns with Git’s ref format rules. +- **Dash (-) separator (e.g., `@my-action-v0.1.0`):** + - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. +- **Slash (`/`) separator (e.g., `@my-action/v0.1.0`):** + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. - **Example**: +**Example**: ```yaml # Recommended: namespaced with slash -uses: my-org/my-action-a/v0.1.0 +uses: my-org/monorepo/my-action@my-action/v0.1.0 # Not recommended: dash -uses: my-org/my-action-a-v0.1.0 +uses: my-org/monorepo@my-action-v0.1.0 ``` **Recommendation:** From 2645da73e83b61d767f8e7f3d8593387883a084a Mon Sep 17 00:00:00 2001 
From: Dimitris Sotirakis Date: Tue, 29 Jul 2025 11:59:42 +0300 Subject: [PATCH 4/8] Update content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md Co-authored-by: Sharra-writes --- .../supported-ecosystems-and-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index e44ab305142c..e5f26f9f0b06 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -49,7 +49,7 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. -- **Dash (-) separator (e.g., `@my-action-v0.1.0`):** +- **Dash (-) separator (for example, `@my-action-v0.1.0`):** - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. - **Slash (`/`) separator (e.g., `@my-action/v0.1.0`):** - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. From 81531d567469ac49d81ef6f4aaa4c1c4a3c6606d Mon Sep 17 00:00:00 2001 
From: Dimitris Sotirakis Date: Tue, 29 Jul 2025 11:59:49 +0300 Subject: [PATCH 5/8] Update content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md Co-authored-by: Sharra-writes --- .../supported-ecosystems-and-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index e5f26f9f0b06..908ac683f3a1 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -51,7 +51,7 @@ If your repository contains multiple GitHub Actions (for example, in a monorepo) - **Dash (-) separator (for example, `@my-action-v0.1.0`):** - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. -- **Slash (`/`) separator (e.g., `@my-action/v0.1.0`):** +- **Slash (`/`) separator (for example, `@my-action/v0.1.0`):** - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. **Example**: From f9dd4b4bbfcf954d497bedbd054c9bbd45ea6996 Mon Sep 17 00:00:00 2001 
From: Dimitris Sotirakis Date: Tue, 23 Sep 2025 10:20:07 +0300 Subject: [PATCH 6/8] Update content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> --- .../supported-ecosystems-and-repositories.md | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index 908ac683f3a1..de73e15e7a2c 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -45,23 +45,21 @@ If your repository already uses an integration for dependency management, you wi {% data reusables.dependabot.supported-package-managers %} -### Known issue: Tag format for GitHub Actions in monorepos +## Why does {% data variables.product.prodname_dependabot %} sometimes fail to detect or update {% data variables.product.prodname_actions %} versions in monorepos? -If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. +If your repository contains multiple {% data variables.product.prodname_actions %} (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. -- **Dash (-) separator (for example, `@my-action-v0.1.0`):** +- **Dash (`-`) separator** (for example, `@my-action-v0.1.0`): - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. -- **Slash (`/`) separator (for example, `@my-action/v0.1.0`):** +- **Slash (`/`) separator** (for example, `@my-action/v0.1.0`): - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. -**Example**: -```yaml -# Recommended: namespaced with slash -uses: my-org/monorepo/my-action@my-action/v0.1.0 +**Recommendation:** For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently. 
-# Not recommended: dash -uses: my-org/monorepo@my-action-v0.1.0 -``` +* Example: + ```yaml + # Recommended: namespaced with slash + uses: my-org/monorepo/my-action@my-action/v0.1.0 -**Recommendation:** -For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently. + # Not recommended: dash + uses: my-org/monorepo@my-action-v0.1.0 From 0848b8017a44f524cac62f8fb5e080483f818035 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Tue, 23 Sep 2025 10:34:51 +0300 Subject: [PATCH 7/8] Move to troubleshooting the detection of vulnerable dependencies --- .../supported-ecosystems-and-repositories.md | 19 ------------------ ...he-detection-of-vulnerable-dependencies.md | 20 +++++++++++++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index de73e15e7a2c..ce6920d47f02 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -44,22 +44,3 @@ You can configure updates for repositories that contain a dependency manifest or If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} - -## Why does {% data variables.product.prodname_dependabot %} sometimes fail to detect or update {% data variables.product.prodname_actions %} versions in monorepos? - -If your repository contains multiple {% data variables.product.prodname_actions %} (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. - -- **Dash (`-`) separator** (for example, `@my-action-v0.1.0`): - - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. -- **Slash (`/`) separator** (for example, `@my-action/v0.1.0`): - - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. - -**Recommendation:** For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently. - -* Example: - ```yaml - # Recommended: namespaced with slash - uses: my-org/monorepo/my-action@my-action/v0.1.0 - - # Not recommended: dash - uses: my-org/monorepo@my-action-v0.1.0 
diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md index 5073ffcfea98..22ef34e02f3c 100644 --- a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md 
@@ -88,6 +88,26 @@ The {% data variables.product.prodname_dependabot_alerts %} count in {% data var You can configure {% data variables.product.prodname_dependabot %} to ignore specific dependencies in the configuration file, which will prevent security and version updates for those dependencies. If you only wish to use security updates, you will need to override the default behavior with a configuration file. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file) to prevent version updates from being activated. For information about ignoring dependencies, see [Ignoring specific dependencies](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#ignoring-specific-dependencies). + +## Why does {% data variables.product.prodname_dependabot %} sometimes fail to detect or update {% data variables.product.prodname_actions %} versions in monorepos? + +If your repository contains multiple {% data variables.product.prodname_actions %} (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. + +- **Dash (`-`) separator** (for example, `@my-action-v0.1.0`): + - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. +- **Slash (`/`) separator** (for example, `@my-action/v0.1.0`): + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. 
+ +**Recommendation:** For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently. + +* Example: + ```yaml + # Recommended: namespaced with slash + uses: my-org/monorepo/my-action@my-action/v0.1.0 + + # Not recommended: dash + uses: my-org/monorepo@my-action-v0.1.0 + ## Further reading * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) From 764b47b86e9908d3891139bdc8361ce896f357a9 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Tue, 23 Sep 2025 12:32:36 +0300 Subject: [PATCH 8/8] Close codeblock --- .../troubleshooting-the-detection-of-vulnerable-dependencies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md index 22ef34e02f3c..63400fe9c871 100644 --- a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies.md @@ -107,6 +107,7 @@ If your repository contains multiple {% data variables.product.prodname_actions # Not recommended: dash uses: my-org/monorepo@my-action-v0.1.0 + ``` ## Further reading
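Review bot: In PATCH 1/8, the `uses:` lines in the example are not valid action references: `uses: my-org/my-action-a/v0.1.0` puts the version in the path position, whereas a workflow action reference takes its ref after `@` (`owner/repo[/path]@ref`), so a reader copying the "recommended" form gets a reference that cannot resolve. Suggest a pair that differs only in the tag separator, such as `uses: my-org/monorepo/my-action-a@my-action-a/v0.1.0` beside `uses: my-org/monorepo/my-action-a@my-action-a-v0.1.0`. Three smaller points in the same hunk: the two sub-bullets hard-code "Dependabot" where the surrounding page uses `{% data variables.product.prodname_dependabot %}`; the dash example `my-action-v0.1.0` lacks the backticks given to `my-action/v0.1.0`, and the slash sub-bullet has no terminal period; and the `**Example**:` line carries stray leading whitespace.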
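Review bot: In PATCH 2/8, the added rationale attributes the behaviour to Git ("relies on Git's hierarchical tag structure", "aligns with Git's ref format rules"), but a dash-separated tag such as `my-action-v0.1.0` is a valid Git ref, so the wording implies a Git-level restriction that does not exist; what distinguishes the two forms is how {% data variables.product.prodname_dependabot %} parses the tag name. Suggest saying that directly, for example "relies on a slash-separated tag name to tell the actions in a repository apart". The same lines also introduce curly apostrophes (`Git’s`) where the file otherwise uses the ASCII apostrophe.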
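Review bot: In PATCH 3/8, the two example lines no longer differ only in the tag separator: the recommended line `uses: my-org/monorepo/my-action@my-action/v0.1.0` carries a `/my-action` subdirectory path while the not-recommended line `uses: my-org/monorepo@my-action-v0.1.0` drops it, so the reader cannot tell which of the two differences is the one that matters. Suggest keeping the path in both, i.e. `uses: my-org/monorepo/my-action@my-action-v0.1.0` for the dash case. The bullet labels are also inconsistent in this hunk: `Dash (-)` is unquoted while the slash label is in backticks, and both use `e.g.,` where the paragraph above them already uses `for example`.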
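Review bot: PATCH 4/8 changes `e.g.,` to `for example,` in the dash bullet only, so after this commit the adjacent slash bullet still reads `e.g.,` until PATCH 5/8 catches up; the two one-line suggestion commits should be squashed together (or into PATCH 3/8) so every commit in the series leaves the list consistent.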
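Review bot: In PATCH 6/8, the rewritten example loses its closing code fence: the removed lines include the terminating three-backtick line, but the added `* Example:` block ends at `  uses: my-org/monorepo@my-action-v0.1.0` with no matching fence, so everything after it on the page renders inside the YAML block until PATCH 8/8 repairs it; the fence belongs in this commit. Two style points in the same hunk: the new `* Example:` bullet uses an asterisk marker while the list directly above uses `-`, and promoting `### Known issue:` to a `## Why does ... ?` question turns the section into FAQ-style content that sits oddly on the "supported ecosystems" page it is still part of at this point in the series.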
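Review bot: The first hunk of PATCH 7/8 removes the whole section again and, per the index line `de73e15e7a2c..ce6920d47f02`, returns `supported-ecosystems-and-repositories.md` to the exact blob it had before PATCH 1/8, so patches 1 through 6 net to no change on that file; squashing the series would avoid a history in which this page briefly carries a section with an unterminated code block.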
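Review bot: In the second hunk of PATCH 7/8, the moved block is inserted into `troubleshooting-the-detection-of-vulnerable-dependencies.md` still without its closing fence (the added lines end at `  uses: my-org/monorepo@my-action-v0.1.0` and a blank line), so in this commit the `## Further reading` heading and the link under it are swallowed into the YAML block; add the fence here rather than in a follow-up. Separately, the surrounding context on the target page is about alert counts and security updates, while the new section is about version-update detection of action tags; either note in the intro why the tag format also affects alerts, or consider a version-updates troubleshooting page as the home for it.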
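Review bot: PATCH 8/8 adds the missing closing fence with two-space indentation matching the indented `yaml` opener, which is the correct fix, but it repairs a defect introduced in PATCH 6/8 and carried by PATCH 7/8; squash it into those commits so no intermediate state of the troubleshooting page has an unterminated code block.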