docs: clarify dependency graph/review enabled/default status#44586
docs: clarify dependency graph/review enabled/default status#44586hesreallyhim wants to merge 2 commits into
Conversation
|
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines. |
github-actions
Bot
added
the
triage
How to review these changes 👓Thank you for your contribution. To review these changes, choose one of the following options: A Hubber will need to deploy your changes internally to review. Table of review linksNote: Please update the URL for your staging server or codespace. The table shows the files in the
Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server 🤖 This comment is automatically generated. |
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the supply-chain security documentation to reflect feature availability and defaults across repository types, while cleaning up formatting and consolidating repeated content.
Changes:
- Consolidates public/private repository feature availability into a single set of bullets.
- Updates descriptions for dependency graph, dependency review, and Dependabot alerts prerequisites.
- Fixes formatting issues (for example, “Immutable releases” bullet formatting) and relocates “Artifact attestations” into the shared list.
| * **Dependency graph:** Enabled by default and cannot be disabled. | ||
| * **Dependency review:** Enabled by default and cannot be disabled. | ||
| * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. | ||
| * **Dependency graph:** Not enabled by default. Available for public and private repositories, and can be enabled or disabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). |
There was a problem hiding this comment.
This change is intentional, and is the primary purpose of the PR - the distinction between public and private repos appears to represent outdated policy.
There was a problem hiding this comment.
yet but I think I would be so
| * **Dependency review:** Enabled by default and cannot be disabled. | ||
| * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. | ||
| * **Dependency graph:** Not enabled by default. Available for public and private repositories, and can be enabled or disabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). | ||
| * **Dependency review:** Available when the dependency graph is enabled. For private repositories, the repository must also be owned by an organization that uses {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} and has a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). |
There was a problem hiding this comment.
The links used were preserved from the pre-existing documentation
| * **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | ||
| * **Immutable releases*:** Not enabled by default. You can enable release immutability for a repository or organization. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/preventing-changes-to-your-releases). | ||
| * **Immutable releases:** Not enabled by default. You can enable release immutability for a repository or organization. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/preventing-changes-to-your-releases). | ||
| * **Artifact attestations:** Available in all public repositories, but you must explicitly generate attestations in your build workflows. Only available in private repositories on {% data variables.product.prodname_ghe_cloud %}. See [AUTOTITLE](/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). |
There was a problem hiding this comment.
I'm happy to accept this suggestion if sub-bullets are preferred.
yes |
Summary of issue: this document/section (https://docs.github.com/en/code-security/concepts/supply-chain-security/about-supply-chain-security#feature-availability) states:
This appears to be stale information, given other references cited in the issue mentioned below, and in particular two GitHub changelog/announcements (https://github.blog/changelog/2025-05-15-users-can-now-disable-dependency-graph-for-public-repositories/) and (https://github.blog/changelog/2025-06-17-dependency-graph-now-defaults-to-off/), the more recent of which states:
Why:
Closes: #44585
What's being changed (if available, include any code snippets, screenshots, or gifs):
I'm submitting a change to a single doc that appears to have missed the changes made after the announcements cited above. Rather than correcting individual lines that are now false, I am proposing that the whole section, which is broken into Public, Private, and Any, be condensed, since the distinction between public and private is now significantly reduced. (More citations can be found in the linked issue.)
There is another document which contains this same error, but it is outside of the
contentdirectory, so I didn't know if I should touch it:data/reusables/gated-features/dependency-graph.md:I also made a change to a formatting error affecting the "Immutable Releases" item, which had an extra
*, creating this visual bug:Check off the following: