Automated updates for CodeQL GitHub Actions dependencies using Dependabot for an entire organization

[john-yacuta-submittable]

Select Topic Area

Question

Body

Scenario: I have several repos in an organization that each contain a .github/workflows/codeql-analysis.yml with outdated codeql-actions workflows including github/codeql-action/init@v2 and github/codeql-action/autobuild@v2. I need to upgrade these dependencies for each file that uses these codeql-actions workflows.

Docs: https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/

Question: I am aware that the deprecation notice supports Dependabot to help with this upgrade from the docs here: https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/ . However, the docs do not cover how to enable a dependabot.yml for an entire organization to automate the process to update only the codeql-actions workflows that I need updated. Does someone know how to get this enabled for an entire organization? I checked the organization settings but do not see an option to do so. See the example dependabot.yml below.

# Set update schedule for GitHub Actions

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every week
      interval: "daily"
    allow:
    # Allow updates for CodeQL Action
    - dependency-name: "github/codeql-action/*"

[jketema]

Enabling or disabling dependabot for all repositories in an organization is explained here: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-organization

[john-yacuta-submittable]

That's what I was afraid of. However, I did find this as a solution and could potentially use it to pull the latest codeql-actions workflows versions in an automated fashion. It appears to be developed/maintained by GitHub staff. https://github.com/NickLiffen/ghas-enablement#running-as-a-scheduled-github-workflow

[jketema]

That might work. Note that although it's developed by a staff member, we in no way can offer support on that.

[john-yacuta-submittable]

Is there an official GitHub solution/supported solution equivalent to the one I posted?

[jketema]

Not that I'm aware of, but my knowledge here is limited.

[john-yacuta-submittable]

Thank you @jketema. Is there someone you know that may have more information on the topic?