Dependabot has some limitations:
- The `dependabot.yml` has to be on a default branch with the configs for all the supported branches: https://docs.github.com/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file#where-to-store-the-dependabotyml-file
- There is no official API to trigger Dependabot manually, e.g. just before a release we would like to have everything up-to-date: Manually trigger an update for a specific dependency dependabot/dependabot-core#2980. As that issue states and as we know from our experience, we have to go to `Insights -> Dependency Graph -> Dependabot` and click `Check for updates` on every `package-ecosystem` for all the supported branches (pulled from the mentioned `dependabot.yml`).
One of the nice workarounds suggested by the community is to make a change to the `dependabot.yml` file, which becomes a trigger for a Dependabot scan to run.
I wrote the following GHA workflow and tested it against a real project:
```yaml
name: Trigger Dependabot Updates
# This workflow is a convenient alternative to the GitHub UI for Dependabot updates.
# It toggles the executable permission on the dependabot.yml file as a superficial change.
# That is enough for Dependabot to understand that the dependency updates config has changed.
on:
  workflow_dispatch:
jobs:
  trigger-dependabot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
          show-progress: false
      - name: Touch dependabot.yml
        run: |
          file=".github/dependabot.yml"
          # Toggle executable permission as a superficial change.
          # if/else instead of `[ -x ] && chmod -x || chmod +x`, so a failing
          # `chmod -x` cannot fall through into `chmod +x`.
          if [ -x "$file" ]; then
            chmod -x "$file"
          else
            chmod +x "$file"
          fi
          git config --global user.name 'Spring Builds'
          git config --global user.email 'builds@springframework.org'
          git commit -am "CI/CD: Trigger dependabot updates"
          git push origin
```
It would be nice to have it as an action in this repository so it can be reused whenever we want to avoid manual UI clicks.
Thanks
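The "touch dependabot.yml" step above, extracted into a standalone POSIX shell script so it can back a reusable action. This is an added example, not code from the issue or from this repository: the permission toggle is isolated in a function that refuses a missing file, and the commit-and-push part only runs when the script is invoked with `--run`, so the toggle logic can be exercised on a scratch file without touching a remote. `DEPENDABOT_FILE`, `GIT_USER_NAME`, `GIT_USER_EMAIL` and the `ci-bot` defaults are assumed names chosen here, not anything defined by the project.

```shell
#!/usr/bin/env sh
# Added example: the dependabot.yml "touch" step as a reusable script.
# Assumed environment variables (not from the project):
#   DEPENDABOT_FILE  path of the config to touch (default .github/dependabot.yml)
#   GIT_USER_NAME / GIT_USER_EMAIL  committer identity (placeholders by default)
set -eu

DEPENDABOT_FILE="${DEPENDABOT_FILE:-.github/dependabot.yml}"

# Flip the executable bit on one file. Uses if/else rather than the
# `[ -x ] && chmod -x || chmod +x` idiom, so a failing `chmod -x` cannot
# fall through into `chmod +x`. Fails (exit 1) if the file does not exist,
# which would otherwise leave nothing for `git commit -am` to pick up.
toggle_exec_bit() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo "toggle_exec_bit: $f does not exist" >&2
    return 1
  fi
  if [ -x "$f" ]; then
    chmod -x "$f"
  else
    chmod +x "$f"
  fi
}

# Commit the toggled file and push it to the current branch's upstream.
# Only reached via `--run`, so sourcing this file never pushes anything.
trigger_dependabot() {
  toggle_exec_bit "$DEPENDABOT_FILE"
  git config user.name "${GIT_USER_NAME:-ci-bot}"                 # placeholder identity
  git config user.email "${GIT_USER_EMAIL:-ci-bot@example.com}"   # placeholder identity
  git commit -am "CI/CD: Trigger dependabot updates"
  git push origin HEAD
}

case "${1:-}" in
  --run) trigger_dependabot ;;
esac
```

In a workflow the step becomes `run: sh .github/scripts/trigger-dependabot.sh --run` (assumed path) after a checkout with a token that is allowed to push; the script itself carries no credentials.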