Dependabot grouped security PR not working as configured #129633
kaji-bikash asked this question in Code Security
Topic Area: Bug
Our use case:
We have mono-repositories with mixed runtimes, mainly Go and the npm ecosystem.
We have "dependency graph", "security alerts" and "grouping" all enabled for the repository for Dependabot alerts. As Dependabot alerts can be noisy, we wanted to further control how and/or on what a notification should happen. For this, we have roughly the following configuration in the monorepository.
We have `open-pull-requests-limit: 0` because we are only interested in security updates for now. Dependabot is creating a grouped PR with the label "dependency" for other code in the monorepository (outside the directory comp/service/service-name/src/), but not as instructed in dependabot.yaml.
We have the GitHub Enterprise Cloud version and we are following this blog post: https://github.blog/changelog/2024-03-28-dependabot-grouped-security-updates-generally-available/
When we looked under "security alerts", we see something strange inside some individual alerts raised by Dependabot. A picture is worth more here.
Not sure what's going on and what else to give to understand where exactly it is failing or stuck.
Any help is appreciated in solving this!! Major nuisance so far.
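For reference, here is an added example (not the poster's actual file) of a `dependabot.yml` that expresses the setup described above: version updates disabled with `open-pull-requests-limit: 0`, and a group that applies only to security updates for each ecosystem. The directory `comp/service/service-name/src/` is taken from the post; the group names and the `dependabot` label are assumptions. Note that each `updates` entry only covers manifests in its own `directory`, so manifests elsewhere in the monorepo are not governed by these groups.

```yaml
# Added example configuration, not the original poster's file.
version: 2
updates:
  # Go modules under the service directory named in the post.
  - package-ecosystem: "gomod"
    directory: "/comp/service/service-name/src/"
    schedule:
      interval: "weekly"
    # 0 disables version-update PRs; security updates are still raised.
    open-pull-requests-limit: 0
    labels:
      - "dependabot"          # assumed label
    groups:
      go-security:            # assumed group name
        # Only security updates are grouped under this name.
        applies-to: "security-updates"
        patterns:
          - "*"

  # npm packages under the same service directory.
  - package-ecosystem: "npm"
    directory: "/comp/service/service-name/src/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "dependabot"          # assumed label
    groups:
      npm-security:           # assumed group name
        applies-to: "security-updates"
        patterns:
          - "*"
```

Manifests outside the listed `directory` values fall back to Dependabot's default behaviour for security updates, which is one way a differently labelled grouped PR can appear for other parts of the monorepo.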