UCSF IT Technology
Dependabot in UCSF GitHub Enterprise


  • Audience: Affiliate, Communicator, Department Administrator, Faculty, Grant Writer, Institution Administrator, Lab Manager, New Hire, Non-Faculty Academic, Nurse, Physician, Postdoc, Principal Investigator (PI), Research Staff, Researcher, Staff, Student, Technical Partner, Trainee & Learner, Volunteer
  • Service Category: Business Applications
  • Owner Team: Developer Experience Team
  • Service:
    GitHub Enterprise Server (On-Premises)

Quick Setup (Start Here)

  • ✅ Org Admins
    • Enable enterprise-wide Dependabot features
    • Configure Dependabot runner access
  • 📦 Repo Admins
    • Turn on Dependency Graph + Dependabot Alerts
    • Add .github/dependabot.yml
  • 👩‍💻 Developers
    • Review Dependabot PRs
    • Customize CI/CD for Dependabot PRs (optional)
    • Adjust notification settings

  • What even is Dependabot?
  • The Three Pillars of Dependabot
  • Customizing Dependabot PR Workflows
  • Tip: Check your Notification Settings
  • References

Org Admin Tasks (Do Once per Org)

1. Enable enterprise-wide features

  • Go to Org Settings → Advanced Security → Configurations
  • Apply Enterprise-wide Dependabot to all repositories

  Screenshot: the user selects the Enterprise-wide Dependabot configuration and applies it to all repositories in the organization

2. Configure Dependabot runner access

  • Org Settings → Actions → Runner groups
  • Select the Dependabot runner group
  • Set repository access = All repos (recommended)
  • If you have “public” repos (on GHES, “public” means visible UCSF-wide and still behind the firewall), check Allow public repositories

  Screenshot: user selects the Enterprise Dependabot Runner Group
  Screenshot: user applies access to the Enterprise Dependabot Runner Group to all repositories in the organization
  Screenshot: user checks the box to allow public repos access to the Enterprise Dependabot runner group

Repo Admin Tasks (Per Repository)

1. Turn on security features

  • Repo Settings → Advanced Security
  • Enable Dependency graph (probably already enabled for you)
  • Enable Dependabot alerts
  • Enable Dependabot security updates
  • ✅ Done when both toggles show “Disable” in red (yes, it's confusing)
  • Optionally enable Dependabot Version Updates (up to you, but it's a nice service)
  • Optionally enable Grouped Security Updates if you'd rather merge a batch of security updates all at once (we have no recommendation here; some people like this feature, some people hate it)

  Screenshot: user has enabled Dependabot Alerts and Dependabot Security Updates, but has not yet enabled Grouped Security Updates or Dependabot Version Updates.

2. Add configuration file

  • Create .github/dependabot.yml
  • Define package ecosystems, update intervals, reviewers
  • ✅ Done when PRs appear on schedule

Example: .github/dependabot.yml

# Basic example .github/dependabot.yml configuration
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
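
A fuller .github/dependabot.yml, added here as an illustration (it is not part of the original article), showing the package ecosystems, schedules, reviewers, labels and grouping options the step above mentions. The repository layout and the team slug ucsf-example-org/backend-team are assumptions; replace them with your own.

```yaml
# Assumed repository layout (example only): a Python app at the root,
# a Node front-end under /web, and workflows in .github/workflows.
version: 2
updates:
  # Python: weekly, early Monday (Pacific), routed to a placeholder team
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "America/Los_Angeles"
    reviewers:
      - "ucsf-example-org/backend-team"   # placeholder org/team slug
    labels:
      - "dependencies"
      - "python"
    open-pull-requests-limit: 5
    # Batch minor and patch bumps into one PR; majors still arrive one by one.
    # "groups" needs a recent GHES release; drop this block if the server rejects it.
    groups:
      python-minor-and-patch:
        update-types: ["minor", "patch"]

  # Node front-end: bump package.json ranges together with the lock file
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
    versioning-strategy: "increase"
    ignore:
      # Hold major React upgrades for a planned migration; minor/patch still flow
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]

  # The actions pinned in your workflows are dependencies too; keep them current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```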


Developers (Day-to-day use)

1. Review Dependabot PRs

  • Treat Dependabot PRs like normal contributor PRs
  • Ha ha, you're so funny. No, seriously, you should be reviewing all PRs you receive in a timely manner
  • Just so you know, if you ignore Dependabot PRs long enough, it will stop sending them to you, until you interact with one of them in some way
  • Merge the PR if tests pass and changes look safe

2. Customize CI/CD for Dependabot PRs

If you'd like to automate how your repository reacts to Dependabot PRs (completely optional, and kind of a flex, honestly), add .github/workflows/dependabot.yml (more details on this below, see Customizing Dependabot PR Workflows):  

name: Dependabot PR Workflow
on: pull_request
jobs:
  dependabot:
    runs-on: devex-arc-runner-set
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Skip intensive tests
        if: contains(github.event.pull_request.title, 'bump')
        run: echo "Skipping intensive tests"
      - name: Auto-label PR
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ['dependencies']
            })

What even is Dependabot?

Dependabot consists of several distinct (though similarly named) features in GitHub Enterprise Server (GHES), each requiring its own configuration and infrastructure. This guide is specific to the on-premises GitHub Enterprise Server and covers:

  • Dependabot Alerts: Notification system for known vulnerabilities
  • Dependabot Security Updates: Automated pull requests to fix vulnerabilities via configuration file
  • Dependabot Version Updates: Scheduled dependency updates via configuration file

ℹ️ Note: The following features are already configured at the enterprise level:

  • Dependency graph enabled
  • Dependabot alerts enabled
  • Required GitHub Actions runner deployed

What about GHEC (GitHub Enterprise Cloud)? Here are some articles on Dependabot for GHEC:

  • https://github.blog/changelog/2024-04-22-dependabot-updates-on-actions-for-github-enterprise-cloud-and-free-pro-and-teams-users/
  • https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide


The Three Pillars of Dependabot

Think of Dependabot as three parts:

Feature                        | Purpose                           | Needs Config File?   | Who Sets It Up?        | Output
-------------------------------+-----------------------------------+----------------------+------------------------+---------------------------
Alerts (⚠️ Warn)               | Warn about known vulnerabilities  | No                   | Repo Admin             | Security alerts in GitHub
Security Updates (🔒 Fix)      | Auto-PRs to patch vulnerabilities | Yes (dependabot.yml) | Repo Admin + Org Admin | PRs with security fixes
Version Updates (♻️ Maintain)  | Scheduled dependency bumps        | Yes (dependabot.yml) | Repo Admin             | PRs with version updates


Customizing Dependabot PR Workflows 

You can control how your repository responds to Dependabot PRs by creating a custom workflow. This allows you to:

  • Skip certain CI/CD jobs for Dependabot PRs
  • Add specific labels or reviewers automatically
  • Customize PR handling based on dependency type

Create or modify .github/workflows/dependabot.yml:

name: Dependabot PR Workflow
on: pull_request
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      # Example: Skip certain tests for dependency updates
      - name: Skip intensive tests
        if: contains(github.event.pull_request.title, 'bump')
        run: echo "Skipping intensive tests for dependency update"
      
      # Example: Auto-label Dependabot PRs
      - name: Label PR
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ['dependencies']
            })

ℹ️ Note: This workflow only triggers on Dependabot PRs thanks to the condition if: ${{ github.actor == 'dependabot[bot]' }}
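
A more robust variant of the workflow above, added as an example (not the article's own code): instead of matching the word "bump" in the PR title, it reads the metadata Dependabot attaches to the PR through the dependabot/fetch-metadata action (its package-ecosystem, update-type and ghsa-id outputs), labels the PR by ecosystem, and flags major bumps and security fixes so a human looks at them before merge. It assumes the devex-arc-runner-set runner used earlier on this page and that the fetch-metadata action is available on your GHES instance; the label names are placeholders.

```yaml
name: Dependabot PR Workflow
on: pull_request
# Dependabot-triggered runs get a read-only GITHUB_TOKEN unless the workflow
# asks for more; adding labels needs write access to pull requests.
permissions:
  contents: read
  pull-requests: write
jobs:
  dependabot:
    runs-on: devex-arc-runner-set   # assumed: same runner set as the first example on this page
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Label by ecosystem, update type and security relevance
        uses: actions/github-script@v6
        env:
          ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          GHSA_ID: ${{ steps.metadata.outputs.ghsa-id }}   # empty unless the PR closes an alert
        with:
          script: |
            // update-type is one of version-update:semver-{major,minor,patch}
            const labels = ['dependencies', `ecosystem:${process.env.ECOSYSTEM}`];
            if (process.env.UPDATE_TYPE === 'version-update:semver-major') {
              labels.push('major-bump');   // breaking changes possible: review by hand
            }
            if (process.env.GHSA_ID) {
              labels.push('security');     // PR fixes a Dependabot security alert
            }
            await github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels,
            });

      # Only patch-level bumps skip the slow suite; minor and major bumps run everything.
      - name: Skip intensive tests for patch bumps
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: echo "patch-level bump; skipping intensive tests"   # placeholder for your own test command
```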

Tip: check your notification settings

🔔 Note: To get the most out of Dependabot, check your notification settings for security alerts:

  1. Go to your GitHub profile settings
  2. Navigate to "Notifications" → "System"
  3. Choose how you want to receive Dependabot alerts: New vulnerabilities
    • On GitHub
    • Email
    • CLI
  4. Choose how often you want to receive the Email weekly digest
    • Don't send
    • Send weekly
    • Send daily

While you're reviewing your notification settings, you might want to review all of them. If you've found GitHub to be a bit too noisy about changes, you can tweak your settings here.


References

[1] "About Dependabot Alerts (GHES)" https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

[2] "Enabling Dependabot for Private Repositories (GHES)" https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts

[3] "Configuring Security Updates (GHES)" https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

[4] "Version Update Configuration Options (GHES)" https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

[5] "GitHub Advisory Database" https://github.com/advisories

[6] "Automating Dependabot with GitHub Actions" https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions

[7] "Configuration options for the dependabot.yml file" https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file


    © 2025 The Regents of the University of California