How to disable or ignore Dependabot pull requests?
We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure DevOps for builds).

There is no clear hint in the docs (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) to do this. We already tried to exclude dependabot branches, but that does not work in any form.

# Azure DevOps Excludes
pr:
  autoCancel: "true"
  branches:
    exclude:
    - dependabot/*
    - dependabot/**/*

We also found the hint on Stack Overflow to set the limit to 0, but PRs are still created:

version: 2
updates:
  - package-ecosystem: "<ecosystem>"   # required key; placeholder, set to your package manager
    directory: "/"
    schedule:
      interval: "daily"                # required key
    open-pull-requests-limit: 0

Any possibility to use Dependabot just as information source?

Tardy answered 5/6, 2022 at 13:14 Comment(0)
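The exclude list in the question's Azure Pipelines snippet cannot match a Dependabot pull request, because the `branches` filter of a `pr:` trigger is evaluated against the branch the PR targets (the default branch), not the `dependabot/...` branch it comes from. The following is an added example, not code from the question, Azure DevOps or GitHub: it models that rule with a small `PrTrigger` class (my name) and checks the question's filter against a constructed Dependabot PR. The wildcard semantics (`*` and `**` matching across `/`) are a simplifying assumption about Azure's matcher, not its documented behaviour.

```python
"""Added illustration (not part of the question): why an Azure Pipelines
`pr:` trigger that excludes `dependabot/*` still builds Dependabot PRs.

Azure Pipelines evaluates the `branches` filter of a `pr:` trigger against
the branch the pull request targets, not the branch it comes from.  A
Dependabot PR is opened from `dependabot/<ecosystem>/<package>-<version>`
into the default branch, so the target is `main` and `dependabot/*` never
matches.  Assumption for this toy model: `*` and `**` match any characters
including `/` (a simplification of Azure's wildcard rules).
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class PrTrigger:
    """Subset of the `pr:` trigger: branch include/exclude lists, or `pr: none`."""
    include: list = field(default_factory=lambda: ["*"])
    exclude: list = field(default_factory=list)
    disabled: bool = False  # models `pr: none`


def _any_match(patterns, branch):
    return any(fnmatch.fnmatchcase(branch, p) for p in patterns)


def pr_build_triggers(trigger, source_branch, target_branch):
    """True if a PR from source_branch into target_branch starts a build."""
    if trigger.disabled:
        return False
    # Only the target branch is consulted; source_branch is intentionally unused,
    # which is exactly why a source-branch exclude has no effect.
    return _any_match(trigger.include, target_branch) and not _any_match(
        trigger.exclude, target_branch
    )


# The exclude list from the question's azure-pipelines.yml.
QUESTION_TRIGGER = PrTrigger(exclude=["dependabot/*", "dependabot/**/*"])

# Constructed Dependabot PR: the source branch follows Dependabot's naming scheme.
DEPENDABOT_SOURCE = "dependabot/npm_and_yarn/lodash-4.17.21"
TARGET = "main"


def evaluate():
    """Compare the question's filter with the two settings that do change the outcome."""
    return {
        "exclude dependabot/*": pr_build_triggers(QUESTION_TRIGGER, DEPENDABOT_SOURCE, TARGET),
        "exclude target main": pr_build_triggers(PrTrigger(exclude=["main"]), DEPENDABOT_SOURCE, TARGET),
        "pr: none": pr_build_triggers(PrTrigger(disabled=True), DEPENDABOT_SOURCE, TARGET),
    }


if __name__ == "__main__":
    for setting, builds in evaluate().items():
        print(f"{setting:22} -> build triggered: {builds}")
```

The first case builds, the other two do not. Excluding the target branch also silences builds for every human PR into `main`, and `pr: none` turns off PR validation entirely, so neither is a targeted fix for Dependabot; the pipeline-side filter simply has no handle on the source branch.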
  1. Go to Security -> Dependabot -> Configure -> Manage Repository Vulnerability Settings. (This should take you to a URL like https://github.com/yourusername/yourreponame/settings/security_analysis.)

  2. Leave the "Dependabot alerts" setting enabled but ensure the "Dependabot version updates" setting is disabled.

    If you've previously enabled "Dependabot version updates", you'll have a .github/dependabot.yml file in your repo, whose purpose is to configure Dependabot's automatic updates. To disable them, delete dependabot.yml.

In pictures:

Screenshot showing step 1 above

Screenshot showing step 2 above

You will now still be able to view security alerts about your dependencies on GitHub, but Dependabot will not open PRs for them.

Fitment answered 13/11, 2022 at 14:9 Comment(0)
By default, Dependabot will automatically reset pull requests to resolve any conflicts. If you prefer to handle merge conflicts manually, you can disable this feature with the rebase-strategy option.

For rebase strategies, use disabled to disable automatic rebasing.

Setting this option will also affect pull requests for security updates to this package manager's manifest file, unless you use target-branch to check for version updates on non-default branches.

For example, with rebase-strategy:

version: 2
updates:
  - package-ecosystem: "<ecosystem>"   # required key; placeholder, set to your package manager
    directory: "/"
    schedule:
      interval: "daily"
    # Disable Dependabot pull requests
    rebase-strategy: "disabled"
Morganne answered 14/6, 2022 at 5:9 Comment(1)
thanks for your reply. I have tested this for a week now. But Dependabot still creates pull requests and triggers automated builds, also with "disabled rebase strategy". That's my yaml: gist.github.com/BenjaminAbt/c2d691d2cb7dd014b671e33598506dfb
Tardy
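Both configurations discussed on this page (the question's `open-pull-requests-limit: 0` and this answer's `rebase-strategy: "disabled"`) omit the `package-ecosystem` key that Dependabot requires in every `updates` entry, and the two options do different things: the limit of 0 switches off version-update PRs for that ecosystem (security-update PRs are governed by the repository's "Dependabot security updates" setting, not by this file), while `rebase-strategy: "disabled"` only stops Dependabot from rebasing PRs it has already opened. The following is an added example, not code from the answer or from GitHub: a small parser for the YAML subset that dependabot.yml uses (two-space indentation, block mappings, lists, `#` comments, quoted and integer scalars) and a validator that reports missing required keys and what the PR-related options actually control. The function names and the two embedded configs are constructed for this illustration.

```python
"""Added example (not the answer's code): a minimal parser for the YAML
subset dependabot.yml uses, plus a validator that reports which options
control pull-request creation.  Parser limits: two-space indentation,
block mappings, lists of mappings or scalars, `#` comments, quoted/int scalars.
"""
import re

REQUIRED_KEYS = ("package-ecosystem", "directory", "schedule")

def _strip_comment(line):
    """Drop a `#` comment that is not inside quotes."""
    out, quote = [], None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1] in " \t"):
            break
        out.append(ch)
    return "".join(out).rstrip()

def _scalar(text):
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return int(text) if re.fullmatch(r"-?\d+", text) else text

def _lines(src):
    """(indent, content) pairs for every non-blank, non-comment line."""
    result = []
    for raw in src.splitlines():
        text = _strip_comment(raw.expandtabs(2))
        if text.strip():
            result.append((len(text) - len(text.lstrip(" ")), text.strip()))
    return result

def _parse_block(lines, i, indent):
    parser = _parse_list if lines[i][1].startswith("- ") else _parse_map
    return parser(lines, i, indent)

def _parse_map(lines, i, indent):
    node = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            node[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            node[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            node[key.strip()] = None
    return node, i

def _parse_list(lines, i, indent):
    items = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        ind, text = lines[i]
        if ":" not in text:
            items.append(_scalar(text[2:]))
            i += 1
            continue
        lines[i] = (ind + 2, text[2:])  # "- key: value" opens a mapping two columns in
        item, i = _parse_map(lines, i, ind + 2)
        items.append(item)
    return items, i

def parse_dependabot_yaml(src):
    lines = _lines(src)
    return _parse_block(lines, 0, lines[0][0])[0] if lines else {}

def validate(src):
    """Findings: missing required keys, and what the PR-related options actually do."""
    cfg = parse_dependabot_yaml(src)
    findings = []
    if cfg.get("version") != 2:
        findings.append("top level: version must be 2")
    for n, entry in enumerate(cfg.get("updates") or []):
        tag = f"updates[{n}]"
        findings += [f"{tag}: missing required key '{k}'" for k in REQUIRED_KEYS if k not in entry]
        if isinstance(entry.get("schedule"), dict) and "interval" not in entry["schedule"]:
            findings.append(f"{tag}: schedule.interval is required")
        if entry.get("open-pull-requests-limit") == 0:
            findings.append(f"{tag}: open-pull-requests-limit 0 stops version-update PRs for this "
                            "ecosystem; security-update PRs are a separate repository setting")
        if entry.get("rebase-strategy") == "disabled":
            findings.append(f"{tag}: rebase-strategy disabled only stops automatic rebasing; PRs are still opened")
    return findings

# Constructed configs: the question's limit-0 attempt and the answer's rebase-strategy suggestion.
LIMIT_ZERO_YAML = 'version: 2\nupdates:\n  - directory: "/"\n    open-pull-requests-limit: 0\n'
REBASE_DISABLED_YAML = (
    'version: 2\nupdates:\n  - directory: "/"\n    schedule:\n      interval: "daily"\n'
    '    # Disable Dependabot pull requests\n    rebase-strategy: "disabled"\n'
)
```

Running `validate` over the two embedded configs yields three findings for the limit-0 config (missing `package-ecosystem`, missing `schedule`, and the note on what the limit controls) and two for the rebase config (missing `package-ecosystem`, and the note that `rebase-strategy` does not affect PR creation). A config with all three required keys and neither option validates clean.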
