Skip to content

Fix Dependabot configuration with correct directory paths#11001

Merged
pelikhan merged 2 commits into
mainfrom
copilot/fix-dependabot-configuration
Jan 21, 2026
Merged

Fix Dependabot configuration with correct directory paths#11001
pelikhan merged 2 commits into
mainfrom
copilot/fix-dependabot-configuration

Conversation

Copilot AI commented Jan 21, 2026

Copy link
Copy Markdown
Contributor

Dependabot was inactive for 30+ days due to incorrect directory paths in .github/dependabot.yml. All ecosystems pointed to /.github/workflows, but go.mod is in root and package.json files exist in multiple locations.

Changes

.github/dependabot.yml

  • gomod: Fixed path /.github/workflows/ (root directory where go.mod exists)
  • npm: Added missing configurations for /docs and /actions/setup/js (kept existing /.github/workflows)
  • pip: No change needed (already correct at /.github/workflows)
  • Added open-pull-requests-limit: 10 per ecosystem
  • Added inline comments documenting each configuration

CONTRIBUTING.md

  • New section: "Automated Dependency Updates (Dependabot)"
  • Documents monitored locations, expected weekly schedule, troubleshooting steps, and security patch handling

Impact

Before: 3 misconfigured locations, 0 PRs
After: 5 correctly configured locations, ~260 automated checks/year

Once merged, Dependabot should begin creating weekly PRs for Go modules, npm packages (3 locations), and Python packages.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Code Quality] Investigate and fix inactive Dependabot configuration</issue_title>
<issue_description>### Description

Investigate why Dependabot has not created any PRs in the last 30 days despite having a valid .github/dependabot.yml configuration. Fix the configuration issue and validate that automated dependency updates are working for gomod, npm, and pip ecosystems.

Problem

Current State:

  • Dependabot configured in .github/dependabot.yml with weekly schedule
  • 0 PRs created in last 30 days
  • Configuration exists for gomod, npm, and pip ecosystems
  • Missing 52+ automated updates per year (1 per week × 3 ecosystems)

Possible Issues:

  1. Directory path incorrect (should be / not /.github/workflows)
  2. Dependabot disabled at org/repo level
  3. Rate limits or permissions issues
  4. Schedule syntax incorrect

Impact: Missing automated security patches and version updates, increasing vulnerability exposure.

Suggested Changes

  1. Check .github/dependabot.yml for configuration issues:
    • Verify directory paths are correct (should be / for root, not /.github/workflows)
    • Confirm ecosystem names are valid (gomod, npm, pip)
    • Check schedule syntax is correct
  2. Investigate repository settings:
    • GitHub UI: Settings → Security → Dependabot (alerts, updates, security updates)
    • Ensure Dependabot is enabled at organization/repo level
    • Check if any rate limits or permissions are blocking Dependabot
  3. Fix identified issues (likely directory path in dependabot.yml)
  4. Manually trigger Dependabot check or wait 1 week for next scheduled run
  5. Validate by confirming PRs appear from dependabot[bot]
  6. Document expected Dependabot behavior and troubleshooting steps

Files Affected

  • .github/dependabot.yml (configuration review/fix)
  • Repository settings (investigation)
  • CONTRIBUTING.md or DEVGUIDE.md (documentation)

Success Criteria

  • Root cause of Dependabot inactivity identified
  • Dependabot.yml configuration corrected (directory paths, permissions, etc.)
  • Verify Dependabot is enabled at repository level (Settings → Security → Dependabot)
  • Generate test PR by manually triggering Dependabot or waiting for next scheduled run
  • Document expected Dependabot behavior in CONTRIBUTING.md or DEVGUIDE.md
  • Confirm weekly automated PRs resume from dependabot[bot]

Source

Extracted from Repository Quality Improvement Report - Dependencies discussion githubnext/gh-aw#10987

Priority

Medium - Restores automated dependency updates and security patches

Estimated Effort

Small - 1-2 hours for investigation and fix

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 4, 2026, 2:09 PM UTC

Comments on the Issue (you are @copilot in this section)


💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

…umentation

- Fix gomod directory path from /.github/workflows to / (root)
- Add npm monitoring for /docs and /actions/setup/js directories
- Keep existing npm and pip configurations for /.github/workflows
- Add open-pull-requests-limit of 10 to prevent overwhelming maintainers
- Add comprehensive Dependabot documentation to CONTRIBUTING.md
- Include troubleshooting guide and expected behavior

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix inactive Dependabot configuration for automated updates Fix Dependabot configuration with correct directory paths Jan 21, 2026
Copilot AI requested a review from mnkiefer January 21, 2026 15:06
@pelikhan pelikhan marked this pull request as ready for review January 21, 2026 15:13
@pelikhan pelikhan merged commit 9425787 into main Jan 21, 2026
69 checks passed
@pelikhan pelikhan deleted the copilot/fix-dependabot-configuration branch January 21, 2026 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Code Quality] Investigate and fix inactive Dependabot configuration

3 participants