GitHub Dependabot: How to run analysis on another branch

How do I run the dependabot against the feature branches?

What I'm trying to do, is to find the vulnerabilities of the third-party packages, not yet in the default branch, before deploying them.

Here is my dependabot.yml configuration, which is stored in the .github directory:

version: 2
updates:
- package-ecosystem: npm
  directory: "/"
  schedule:
    interval: "daily"
  open-pull-requests-limit: 10
  # Only allow updates to the lockfile
  versioning-strategy: lockfile-only
  target-branch: feat/IDPDI-1441

But when I pushed, Dependabot was still running against the master branch, not the feature branch.

If it is relevant, my application is an angular application.

Lipolysis answered 21/1, 2022 at 6:11 Comment(2)
Have you tried putting your target branch into double quotes, like target-branch: "feat/IDPDI-1441"? According to the documentation it has to be in double quotes. At least it works for me like this. And you can see any log errors if you click in GitHub, while in your project, on Insights > Dependency graph > Dependencies > View Dependabot alerts. And from the Dependabot tab, click on the .json file to trigger a new check. (Moke)
Did you resolve this? Double quotes do not work for me and it still loads from the master branch. (Waterbuck)

Checking the documentation for dependabot.yml, there does not seem to be a suitable option for this.

One workaround would be to fork your repo and keep the feature branch as the main branch of the forked repository. Dependabot will work just as on your main GitHub repo.

There is also the dependabot-cli, which could probably be configured to run as a GitHub Action.

Linage answered 28/11, 2023 at 2:56 Comment(0)
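The answer above notes that dependabot.yml has no option for this, and it is worth being precise about why: Dependabot alerts are computed from the dependency graph of the repository's default branch, and target-branch only changes which branch Dependabot reads manifests from and opens version-update pull requests against. A vulnerability check on a feature branch before merge therefore has to run in CI. The following GitHub Actions workflow is an added example, not part of the original question or either answer. It uses GitHub's own actions/dependency-review-action (which requires the repository's dependency graph to be enabled) to block pull requests that introduce dependencies with known advisories, and falls back to npm audit on pushes to feature branches. The branch patterns feat/** and master, the Node version and the severity threshold are assumptions chosen to match the question.

```yaml
# Added example (not the asker's or answerer's configuration). Assumptions:
# feature branches are named feat/..., they merge into master, the project
# is an npm project with a package-lock.json, and Node 20 is acceptable.
name: dependency-security-check

on:
  push:
    branches: ['feat/**']        # assumption: feature branch naming
  pull_request:
    branches: [master]           # assumption: default branch is master

permissions:
  contents: read
  pull-requests: write           # needed only to post the review summary as a PR comment

jobs:
  # Compares the dependency graph of the PR head against its base and fails if
  # any newly introduced package has an advisory at or above the threshold.
  # Only meaningful on pull_request events, where a base ref exists.
  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Review dependency changes introduced by this PR
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high           # assumption: block on high and critical only
          comment-summary-in-pr: always

  # Audits the full installed tree of the branch as pushed, so vulnerable
  # packages are caught before a PR is even opened. npm audit exits non-zero
  # when any advisory at or above --audit-level is found.
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Install exactly what the lockfile specifies
        run: npm ci
      - name: Fail on high or critical advisories
        run: npm audit --audit-level=high
```

The two jobs answer different questions: dependency-review reports only what the pull request changes relative to master, which keeps the signal focused on the new third-party packages the asker wants to vet, while npm audit reports everything installed on the branch, including advisories that already exist on master. If only production dependencies matter for the deployment decision, add --omit=dev to the npm audit step; keep the default when the build toolchain itself is in scope.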
