Skip to content

Layer 4 — Keep SHAs Fresh with Dependabot

SHA pinning (Layer 1) is only useful if the SHAs stay current. Dependabot updates them while respecting a cooldown period, which gives the community time to spot compromised releases before you adopt them.

.github/dependabot.yml:

version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
cooldown:
default-days: 7 # wait 7 days after release before opening a PR
semver-major-days: 14
open-pull-requests-limit: 10
groups:
actions-minor-patch:
update-types: ["minor", "patch"]
commit-message:
prefix: "chore(deps)"
include: "scope"

Pick the option that matches how much central control you want:

  • Option A — Template (lightweight). Add dependabot.yml to a template repo and document it in onboarding. No enforcement.
  • Option B — Push ruleset (recommended). Create a push ruleset that rejects pushes deleting .github/dependabot.yml. Bootstrap each repo once (script below), then the ruleset prevents drift.
  • Option C — Centralized auto-PR. Run a scheduled job in your central repo that iterates all repos via the API and opens a PR adding dependabot.yml where missing.

Open PRs adding dependabot.yml to every repo that lacks one:

bootstrap-dependabot.sh
#!/usr/bin/env bash
ORG="your-org"
DEPENDABOT_FILE="$(cat <<'YAML'
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
cooldown:
default-days: 7
YAML
)"
gh repo list "$ORG" --limit 1000 --json name --jq '.[].name' \
| while read -r REPO; do
if ! gh api "/repos/$ORG/$REPO/contents/.github/dependabot.yml" >/dev/null 2>&1; then
echo "Adding dependabot.yml to $ORG/$REPO"
gh api --method PUT \
"/repos/$ORG/$REPO/contents/.github/dependabot.yml" \
-f message="chore: add Dependabot config for GitHub Actions" \
-f content="$(printf '%s' "$DEPENDABOT_FILE" | base64)" \
-f branch="chore/add-dependabot" || true
gh pr create --repo "$ORG/$REPO" \
--title "chore: add Dependabot config" \
--body "Automated rollout of Dependabot for GitHub Actions updates." \
--head "chore/add-dependabot" --base main || true
fi
done

Once Dependabot is rolling, weekly PRs appear in each repo as new SHAs pass their cooldown. Merge them like any other dependency update.