This content is viewable by Everyone

Dependabot in UCSF GitHub Enterprise

Save

  • Audience: Affiliate, Communicator, Department Administrator, Faculty, Grant Writer, Institution Administrator, Lab Manager, New Hire, Non-Faculty Academic, Nurse, Physician, Postdoc, Principal Investigator (PI), Research Staff, Researcher, Staff, Student, Technical Partner, Trainee & Learner, Volunteer
  • Service Category: Business Applications
  • Owner Team: Developer Experience Team
  • Service:
    GitHub Enterprise Server (On-Premises)

Quick Setup (Start Here)

Org Admin Tasks (Do Once per Org)

1. Enable enterprise-wide features

  • Go to Org Settings → Advanced Security → Configurations

  • Apply Enterprise-wide Dependabot to all repositories
     

    screenshot: the user is selecting to apply the Enterprise-wide Dependabot configuration to all repositories in their organization

2. Configure Dependabot runner access

  • Org Settings → Actions → Runner groups

  • Select Dependabot runner group

  • Set repository access = All repos (recommended)

  • If you have “public” repos (GHES = UCSF-wide, still firewall-protected), check Allow public repositories
     

    screenshot: user is selecting the Enterprise Dependabot Runner Group
Screenshot: user is applying access to Enterprise Dependabot Runner Group to all repositories in the organization
Screenshot: user is checking the box to allow public repos access to the Enterprise Dependabot runner group

Repo Admin Tasks (Per Repository)

1. Turn on security features

  • Repo Settings → Advanced Security

  • Enable Dependency graph (probably already enabled for you)

  • Enable Dependabot alerts

  • Enable Dependabot security updates

  • ✅ Done when both toggles show “Disable” in red (yes, it's confusing)

  • Optionally enable Dependabot Version Updates (up to you, but it's a nice service)

  • Optionally enable Grouped Security Updates (if you'd rather just merge a batch of security updates all at once... we have no recommendation here, some people like this feature, some people hate it)
     

Screenshot: user has enabled Dependabot Alerts and Dependabot Security Updates. User has not yet enabled Grouped Security Updates or Dependabot Version Updates.

2. Add configuration file

  • Create .github/dependabot.yml

  • Define package ecosystems, update intervals, reviewers

  • ✅ Done when PRs appear on schedule

Example: .github/dependabot.yml

# Basic example .github/dependabot.yml configuration
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

 

Developers (Day-to-day use)

1. Review Dependabot PRs

  • Treat Dependabot PRs like normal contributor PRs

  • Ha ha, you're so funny. No, seriously, you should be reviewing all PRs you receive in a timely manner

  • Just so you know, if you ignore Dependabot PRs long enough, it will stop sending them to you, until you interact with one of them in some way

  • Merge the PR if tests pass and changes look safe

2. Customize CI/CD for Dependabot PRs

If you'd like to automate how your repository reacts to Dependabot PRs (completely optional, and kind of a flex, honestly), add .github/workflows/dependabot.yml (more details on this below, see Customizing Dependabot PR Workflows):  

name: Dependabot PR Workflow
on: pull_request
jobs:
  dependabot:
    runs-on: devex-arc-runner-set
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Skip intensive tests
        if: contains(github.event.pull_request.title, 'bump')
        run: echo "Skipping intensive tests"
      - name: Auto-label PR
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ['dependencies']
            })

What even is Dependabot?

Dependabot consists of several distinct (though similarly-named) features in GitHub Enterprise Server (GHES), each requiring specific configuration and infrastructure. This guide is specific to the on-premise GitHub Enterprise server, and covers:

  • Dependabot Alerts: Notification system for known vulnerabilities
  • Dependabot Security Updates: Automated pull requests to fix vulnerabilities via configuration file
  • Dependabot Version Updates: Scheduled dependency updates via configuration file

ℹ️ Note: The following features are already configured at the enterprise level:

  • Dependency graph enabled
  • Dependabot alerts enabled
  • Required GitHub Actions runner deployed

What about GHEC (GitHub Enterpise Cloud)? Here are some articles on Dependabot for GHEC:

  Back to Top

The Three Pillars of Dependabot

Think of Dependabot as three parts:

Feature

Purpose

Needs Config File?

Who Sets It Up?

Output

Alerts (⚠️ Warn)

Warn about known vulnerabilities

No

Repo Admin

Security alerts in GitHub

Security Updates (🔒 Fix)

Auto-PRs to patch vulnerabilities

Yes (dependabot.yml)

Repo Admin + Org Admin

PRs with security fixes

Version Updates (♻️ Maintain)

Scheduled dependency bumps

Yes (dependabot.yml)

Repo Admin

PRs with version updates

  Back to Top

Customizing Dependabot PR Workflows 

You can control how your repository responds to Dependabot PRs by creating a custom workflow. This allows you to:

  • Skip certain CI/CD jobs for Dependabot PRs
  • Add specific labels or reviewers automatically
  • Customize PR handling based on dependency type

Create or modify .github/workflows/dependabot.yml:

name: Dependabot PR Workflow
on: pull_request
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      # Example: Skip certain tests for dependency updates
      - name: Skip intensive tests
        if: contains(github.event.pull_request.title, 'bump')
        run: echo "Skipping intensive tests for dependency update"
      
      # Example: Auto-label Dependabot PRs
      - name: Label PR
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ['dependencies']
            })

ℹ️ Note: This workflow only triggers on Dependabot PRs thanks to the condition if: ${{ github.actor == 'dependabot[bot]' }}

Tip: check your notification settings

🔔 Note: To get the most out of Dependabot, check your notification settings for security alerts:

  1. Go to your GitHub profile settings
  2. Navigate to "Notifications" → "System"
  3. Choose how you want to receive Dependabot alerts: New vulnerabilities
    • On GitHub
    • Email
    • CLI
  4. Choose how often you want to receive the Email weekly digest
    • Don't send
    • Send weekly
    • Send daily

While you're reviewing your notification settings, you might want to review all of them. If you've found GitHub to be a bit too noisy about changes, you can tweak your settings here.

  Back to Top

References

[1] “About Dependabot Alerts (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

[2] “Enabling Dependabot for Private Repositories (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts

[3] “Configuring Security Updates (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

[4] “Version Update Configuration Options (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

[5] “GitHub Advisory Database” https://github.com/advisories

[6] "Automating Dependabot with GitHub Actions" https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions

[7] "Configuration options for the dependabot.yml file" https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

  Back to Top

Related Information