Automated updates for CodeQL GitHub Actions dependencies using Dependabot for an entire organization #129912
Replies: 2 comments 13 replies
Enabling or disabling dependabot for all repositories in an organization is explained here: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts#managing-dependabot-alerts-for-your-organization
Yes, you would either:
You could perhaps follow something similar to here: https://josh-ops.com/posts/github-script-to-add-dependabot-file/ There are 2 solutions here, but I would recommend the second that uses the You could also use the Hope this helps!
Scenario: I have several repos in an organization that each contain a .github/workflows/codeql-analysis.yml with outdated codeql-actions workflows, including `github/codeql-action/init@v2` and `github/codeql-action/autobuild@v2`. I need to upgrade these dependencies for each file that uses these codeql-actions workflows.
Docs: https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/
Question: I am aware that the deprecation notice supports Dependabot to help with this upgrade from the docs here: https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/ . However, the docs do not cover how to enable a dependabot.yml for an entire organization to automate the process to update only the codeql-actions workflows that I need updated. Does someone know how to get this enabled for an entire organization? I checked the organization settings but do not see an option to do so. See the example dependabot.yml below.
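Dependabot version updates for GitHub Actions are configured per repository through `.github/dependabot.yml`, so covering a whole organization means placing that file in every repository. The script below is an added example written for this discussion; it is not the josh-ops script linked in the reply above nor anything from GitHub's docs. It renders a `dependabot.yml` whose `allow` filter restricts updates to `github/codeql-action/*` (so other actions are left alone), and in `apply` mode commits that file to the default branch of every repository in an organization using the `gh` CLI and the Contents API, skipping repositories that already have one. The organization name, commit message and the `apply` argument are illustrative assumptions; the token used with `gh auth login` must have write access to repository contents.

```shell
#!/usr/bin/env sh
# Added example (not from the discussion): render a dependabot.yml that only
# tracks github/codeql-action/* and, optionally, commit it to every repository
# in an organization with the gh CLI. Org name, commit message and the "apply"
# mode are illustrative assumptions.

# Render a dependabot.yml limited to the CodeQL action. The "allow" entry with a
# wildcard dependency-name keeps Dependabot from opening PRs for other actions.
render_dependabot_yml() {
  cat <<'EOF'
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    allow:
      - dependency-name: "github/codeql-action/*"
EOF
}

# Number of "updates" entries in the rendered config (simple sanity check).
count_update_entries() {
  render_dependabot_yml | grep -c 'package-ecosystem:'
}

# Commit the file to one repository unless it already has one. Uses the
# Contents API (PUT requires a commit message and base64-encoded content) and
# writes directly to the default branch; use a branch plus PR if that branch
# is protected.
add_dependabot_file() {
  org=$1
  repo=$2
  if gh api "repos/$org/$repo/contents/.github/dependabot.yml" >/dev/null 2>&1; then
    echo "skip: $org/$repo already has .github/dependabot.yml"
    return 0
  fi
  content=$(render_dependabot_yml | base64 | tr -d '\n')
  gh api --method PUT "repos/$org/$repo/contents/.github/dependabot.yml" \
    -f message="Add Dependabot config for github/codeql-action updates" \
    -f content="$content" >/dev/null && echo "added: $org/$repo"
}

# Loop over every repository in the organization that the token can see.
apply_to_org() {
  org=$1
  gh repo list "$org" --limit 1000 --json name -q '.[].name' | while read -r repo; do
    add_dependabot_file "$org" "$repo"
  done
}

# Usage:  sh add-codeql-dependabot.sh            -> print the rendered config
#         sh add-codeql-dependabot.sh apply ORG  -> commit it to every repo in ORG
case "${1:-}" in
  apply) apply_to_org "$2" ;;
  *) render_dependabot_yml ;;
esac
```

Once the file is in place, Dependabot raises a pull request in each repository bumping `github/codeql-action/*` references (such as the `init@v2` and `autobuild@v2` steps in the question) to the current major version; reviewing those PRs per repository keeps the upgrade auditable rather than rewriting workflow files in bulk.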