From 11bbe78a75353805a648addb501c1ac3ca5022c7 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Wed, 14 May 2025 15:50:38 +0300 Subject: [PATCH 1/2] Add known case with monorepos For monorepos, tag separated tags don't work with dependabot. Instead, slash separated tags are needed --- .../supported-ecosystems-and-repositories.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index ce6920d47f02..d6d3d45f5912 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -44,3 +44,24 @@ You can configure updates for repositories that contain a dependency manifest or If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} + +### Known issue: Tag format for GitHub Actions in monorepos + +If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. + +- **Dash (-) separator (e.g. my-action-v0.1.0):** + - Dependabot may incorrectly update multiple actions or fail to detect new versions. +- **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** + - Dependabot correctly detects and updates each action independently + + **Example**: +```yaml +# Recommended: namespaced with slash +uses: my-org/my-action-a/v0.1.0 + +# Not recommended: dash +uses: my-org/my-action-a-v0.1.0 +``` + +**Recommendation:** +For monorepos with multiple actions, use the `name/version` (slash) format for action tags to ensure accurate {% data variables.product.prodname_dependabot %} updates. From 6d7770e8c9d30ec6fc7c20cfabf6dade8c10a811 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Wed, 14 May 2025 16:06:46 +0300 Subject: [PATCH 2/2] Add git-ref bits --- .../supported-ecosystems-and-repositories.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index d6d3d45f5912..5785be5e05ce 100644 
--- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -50,9 +50,9 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. - **Dash (-) separator (e.g. my-action-v0.1.0):** - - Dependabot may incorrectly update multiple actions or fail to detect new versions. + - {% data variables.product.prodname_dependabot %} may incorrectly update multiple actions or fail to detect new versions. This occurs because {% data variables.product.prodname_dependabot %} relies on Git’s hierarchical tag structure (using slashes) to distinguish between actions. - **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** - - Dependabot correctly detects and updates each action independently + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag that aligns with Git’s ref format rules. **Example**: ```yaml @@ -64,4 +64,4 @@ uses: my-org/my-action-a-v0.1.0 ``` **Recommendation:** -For monorepos with multiple actions, use the `name/version` (slash) format for action tags to ensure accurate {% data variables.product.prodname_dependabot %} updates. +For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently.
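Review bot: In the first patch's hunk (`@@ -44,3 +44,24 @@`), the YAML example does not show a tag at all: `uses: my-org/my-action-a/v0.1.0` is parsed by Actions as owner `my-org`, repository `my-action-a` and a path `v0.1.0` inside it, because the ref only comes after `@` (`owner/repo[/path]@ref`). As written, the "recommended" line would resolve a subdirectory, not the `my-action-a/v0.1.0` tag, so the example contradicts the recommendation about tag format. Suggest rewriting both lines to reference the tag explicitly, for example `uses: my-org/monorepo/my-action-a@my-action-a/v0.1.0` versus `uses: my-org/monorepo/my-action-a@my-action-a-v0.1.0`, so the reader sees where the slash-separated tag actually appears. Two smaller points in the same hunk: the dash bullet is formatted inconsistently with the slash bullet (`**Dash (-) separator (e.g. my-action-v0.1.0):**` has no backticks and no comma after "e.g.", while the slash bullet has both), and the ` **Example**:` line carries a leading space that may render it as a continuation of the list rather than a standalone paragraph.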
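Review bot: In the second patch's first hunk (`@@ -50,9 +50,9 @@`), the added rationale "relies on Git's hierarchical tag structure (using slashes) to distinguish between actions" and "aligns with Git's ref format rules" states a mechanism without a source; the docs elsewhere link such claims to a reference, so either add a pointer to the relevant Dependabot documentation or phrase it as observed behaviour rather than implementation detail. The two new lines also use the typographic apostrophe (`Git’s`) where the surrounding content uses plain ASCII quotes; keep them consistent with the rest of the file.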