From 11bbe78a75353805a648addb501c1ac3ca5022c7 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Wed, 14 May 2025 15:50:38 +0300 Subject: [PATCH 1/5] Add known case with monorepos For monorepos, tag separated tags don't work with dependabot. Instead, slash separated tags are needed --- .../supported-ecosystems-and-repositories.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index ce6920d47f02..d6d3d45f5912 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -44,3 +44,24 @@ You can configure updates for repositories that contain a dependency manifest or If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} + +### Known issue: Tag format for GitHub Actions in monorepos + +If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. + +- **Dash (-) separator (e.g. my-action-v0.1.0):** + - Dependabot may incorrectly update multiple actions or fail to detect new versions. +- **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** + - Dependabot correctly detects and updates each action independently + + **Example**: +```yaml +# Recommended: namespaced with slash +uses: my-org/my-action-a/v0.1.0 + +# Not recommended: dash +uses: my-org/my-action-a-v0.1.0 +``` + +**Recommendation:** +For monorepos with multiple actions, use the `name/version` (slash) format for action tags to ensure accurate {% data variables.product.prodname_dependabot %} updates. From 6d7770e8c9d30ec6fc7c20cfabf6dade8c10a811 Mon Sep 17 00:00:00 2001 From: Dimitris Sotirakis Date: Wed, 14 May 2025 16:06:46 +0300 Subject: [PATCH 2/5] Add git-ref bits --- .../supported-ecosystems-and-repositories.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index d6d3d45f5912..5785be5e05ce 100644 
--- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -50,9 +50,9 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. - **Dash (-) separator (e.g. my-action-v0.1.0):** - - Dependabot may incorrectly update multiple actions or fail to detect new versions. + - {% data variables.product.prodname_dependabot %} may incorrectly update multiple actions or fail to detect new versions. This occurs because {% data variables.product.prodname_dependabot %} relies on Git’s hierarchical tag structure (using slashes) to distinguish between actions. - **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** - - Dependabot correctly detects and updates each action independently + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag that aligns with Git’s ref format rules. **Example**: ```yaml @@ -64,4 +64,4 @@ uses: my-org/my-action-a-v0.1.0 ``` **Recommendation:** -For monorepos with multiple actions, use the `name/version` (slash) format for action tags to ensure accurate {% data variables.product.prodname_dependabot %} updates. +For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently. From b273d6d5f581541e8cf94850c430471cb8f345ce Mon Sep 17 00:00:00 2001 
From: kbukum1 Date: Thu, 24 Jul 2025 16:23:34 -0500 Subject: [PATCH 3/5] Update tag format guidance for GitHub Actions Clarify tag format recommendations for GitHub Actions in monorepos. --- .../supported-ecosystems-and-repositories.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index 5785be5e05ce..e44ab305142c 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -49,18 +49,18 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. -- **Dash (-) separator (e.g. my-action-v0.1.0):** - - {% data variables.product.prodname_dependabot %} may incorrectly update multiple actions or fail to detect new versions. This occurs because {% data variables.product.prodname_dependabot %} relies on Git’s hierarchical tag structure (using slashes) to distinguish between actions. -- **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** - - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag that aligns with Git’s ref format rules. +- **Dash (-) separator (e.g., `@my-action-v0.1.0`):** + - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. +- **Slash (`/`) separator (e.g., `@my-action/v0.1.0`):** + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. - **Example**: +**Example**: ```yaml # Recommended: namespaced with slash -uses: my-org/my-action-a/v0.1.0 +uses: my-org/monorepo/my-action@my-action/v0.1.0 # Not recommended: dash -uses: my-org/my-action-a-v0.1.0 +uses: my-org/monorepo@my-action-v0.1.0 ``` **Recommendation:** From 2645da73e83b61d767f8e7f3d8593387883a084a Mon Sep 17 00:00:00 2001 
From: Dimitris Sotirakis Date: Tue, 29 Jul 2025 11:59:42 +0300 Subject: [PATCH 4/5] Update content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md Co-authored-by: Sharra-writes --- .../supported-ecosystems-and-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index e44ab305142c..e5f26f9f0b06 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -49,7 +49,7 @@ If your repository already uses an integration for dependency management, you wi If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. -- **Dash (-) separator (e.g., `@my-action-v0.1.0`):** +- **Dash (-) separator (for example, `@my-action-v0.1.0`):** - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. - **Slash (`/`) separator (e.g., `@my-action/v0.1.0`):** - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. From 81531d567469ac49d81ef6f4aaa4c1c4a3c6606d Mon Sep 17 00:00:00 2001 
From: Dimitris Sotirakis Date: Tue, 29 Jul 2025 11:59:49 +0300 Subject: [PATCH 5/5] Update content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md Co-authored-by: Sharra-writes --- .../supported-ecosystems-and-repositories.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index e5f26f9f0b06..908ac683f3a1 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md @@ -51,7 +51,7 @@ If your repository contains multiple GitHub Actions (for example, in a monorepo) - **Dash (-) separator (for example, `@my-action-v0.1.0`):** - {% data variables.product.prodname_dependabot %} may group multiple actions under a single dependency entry or fail to detect new versions correctly. This occurs because {% data variables.product.prodname_dependabot %} relies on slash-based tag parsing to distinguish between actions. -- **Slash (`/`) separator (e.g., `@my-action/v0.1.0`):** +- **Slash (`/`) separator (for example, `@my-action/v0.1.0`):** - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag structure that aligns with {% data variables.product.prodname_dependabot %}'s parsing logic. **Example**:
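Review bot: In the `**Example**` block of PATCH 1/5 (hunk @@ -44,3 +44,24), neither `uses:` line is a valid action reference: a `uses:` value has the form `owner/repo[/path]@ref`, and `uses: my-org/my-action-a/v0.1.0` puts the version into the path with no `@`, so a reader who copies it gets a resolution failure rather than a tagged action. Suggest writing the ref explicitly, for example `uses: my-org/my-action-a@my-action-a/v0.1.0`. Three smaller points in the same hunk: the product name is written literally as `Dependabot` in both sub-bullets while the rest of the file uses `{% data variables.product.prodname_dependabot %}`; the dash example `my-action-v0.1.0` lacks the backticks the slash example `my-action/v0.1.0` has; and the `  **Example**:` line is indented two spaces, which nests it under the preceding list item while the fence that follows is not indented, so the rendered output will split awkwardly.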
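Review bot: The explanation added in PATCH 2/5 (hunk @@ -50,9 +50,9) attributes the behaviour to Git ("relies on Git’s hierarchical tag structure" and "aligns with Git’s ref format rules"), but Git accepts `my-action-v0.1.0` and `my-action/v0.1.0` equally as tag names and does not use the slash to tell actions apart; the grouping is done by how {% data variables.product.prodname_dependabot %} parses the tag, so the sentence should attribute it there (PATCH 3/5 later does exactly that, so this wording only lives for one commit and could be dropped by squashing). Two style points: `Git’s` uses a typographic apostrophe (U+2019) where the surrounding file uses straight quotes, and the unchanged `- **Dash (-) separator (e.g. my-action-v0.1.0):**` line still lacks the backticks that the slash bullet has.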
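Review bot: The reworded recommendation in PATCH 2/5 (hunk @@ -64,4 +64,4) tells readers to use the `name/version` tag format, but the example directly above it in the unchanged context (`uses: my-org/my-action-a-v0.1.0`) shows no tag at all, because the `uses:` value has no `@ref` part; fix the example in the same change, otherwise the recommendation points at something the example never demonstrates. Also, "This ensures" is a stronger claim than the bullet above, which says {% data variables.product.prodname_dependabot %} "may" misbehave with dashes; "This lets" keeps the two statements consistent.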
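Review bot: The two `uses:` lines in PATCH 3/5 (hunk @@ -49,18 +49,18) no longer differ only in tag format: the recommended line references the action subdirectory (`my-org/monorepo/my-action@my-action/v0.1.0`) while the not-recommended line references the repository root (`my-org/monorepo@my-action-v0.1.0`). For a like-for-like comparison keep the same path in both, `my-org/monorepo/my-action@my-action-v0.1.0`, so the reader sees that only the ref changes. Second, the bullet examples now carry a leading `@` (`@my-action-v0.1.0`, `@my-action/v0.1.0`) although the bullets talk about tag names; `@` is the `uses:` separator, not part of the tag, so either drop it or call these refs. Third, the commit message says "Clarify tag format recommendations" but the hunk leaves the `**Recommendation:**` paragraph untouched; the subject should say it fixes the example references.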
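Review bot: PATCH 4/5 (hunk @@ -49,7 +49,7) changes "e.g.," to "for example," on the dash bullet only, leaving the slash bullet two lines below in the unchanged context with "e.g.,", so the file is inconsistent at this commit. Since PATCH 5/5 makes the identical change to that line, squash the two suggestion commits into one.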
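Review bot: PATCH 5/5 (hunk @@ -51,7 +51,7) completes the "e.g.," to "for example," change started in PATCH 4/5 and should be squashed with it; as it stands the history carries two commits whose subject is just the file path. A descriptive subject such as "Use 'for example' instead of 'e.g.' in monorepo tag guidance" would say what changed without the reader having to open the diff.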