
Dependabot updates for internal dependencies

Do you want to know when someone releases a new version of a package you use? You can set up Dependabot to automatically raise pull requests for outdated dependencies, including internal Gjensidige libraries. This will make it easier to keep up to date with new releases.

Add a Dependabot configuration file, dependabot.yml, in the .github directory of your repository. For a full overview of all configuration options, see the GitHub docs: Configuration options for dependency updates.

The following configuration will ensure automatic updates for internal NPM dependencies:

/.github/dependabot.yml
version: 2
registries:
  npm-github:
    type: "npm-registry"
    url: "https://npm.pkg.github.com"
    token: ${{ secrets.GJENSIDIGE_GITHUB_PACKAGES_TOKEN }} # Globally available
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - "npm-github"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "fix"
      prefix-development: "chore"
      include: "scope"

The following configuration will ensure automatic updates for internal Maven dependencies:

/.github/dependabot.yml
version: 2
registries:
  maven-github:
    type: "maven-repository"
    url: "https://maven.pkg.github.com/gjensidige"
    username: "x-access-token"
    password: ${{ secrets.GJENSIDIGE_GITHUB_PACKAGES_TOKEN }} # Globally available
updates:
  - package-ecosystem: "maven"
    directory: "/"
    registries:
      - "maven-github"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "fix"
      prefix-development: "chore"
      include: "scope"

By default, Dependabot opens a maximum of 5 PRs for version updates. Once there are 5 open PRs, new requests are blocked until you merge or close some open requests, after which new PRs can be opened on subsequent updates. Use open-pull-requests-limit to change this limit.
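
A review check for the registry configurations above, added here as an example (it is not part of the original page or of Gjensidige's tooling): it flags registry credentials that are literals instead of `${{ secrets.* }}` references, and registries listed under `updates` that are never defined. The function name `lint_dependabot` and the sample strings are hypothetical, and the line-based parsing assumes the simple layout used on this page.

```python
import re

CRED_KEYS = {"token", "password", "key"}   # registry fields that hold credentials
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.\w+\s*\}\}$")
# Constructed sample: the NPM configuration from this page, shortened.
GOOD = '''version: 2
registries:
  npm-github:
    type: "npm-registry"
    url: "https://npm.pkg.github.com"
    token: ${{ secrets.GJENSIDIGE_GITHUB_PACKAGES_TOKEN }} # Globally available
updates:
  - package-ecosystem: "npm"
    registries:
      - "npm-github"
'''
# Constructed failing variant: literal credential and an undefined registry name.
BAD = GOOD.replace("${{ secrets.GJENSIDIGE_GITHUB_PACKAGES_TOKEN }}", '"constructed-literal"')
BAD = BAD.replace('- "npm-github"', '- "npm-internal"')

def lint_dependabot(text):
    """Return a list of findings for a dependabot.yml passed as text."""
    findings, defined, used = [], set(), {}
    section = list_indent = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comment
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if indent == 0 and not body.startswith("- "):  # new top-level key
            section, list_indent = body.split(":", 1)[0], None
        elif section == "registries":
            key, _, value = body.partition(":")
            value = value.strip().strip("\"'")
            if not value:                              # "npm-github:" names a registry
                defined.add(key)
            elif key in CRED_KEYS and not SECRET_REF.match(value):
                findings.append(f"line {n}: literal value in '{key}'")
        elif section == "updates":
            if body == "registries:":
                list_indent = indent                   # registry names follow
            elif list_indent is not None and body.startswith("- ") and indent >= list_indent:
                used.setdefault(body[2:].strip().strip("\"'"), n)
            else:
                list_indent = None
    findings += [f"line {n}: registry '{name}' is not defined"
                 for name, n in used.items() if name not in defined]
    return findings
```

Run it over the text of `.github/dependabot.yml`; an empty list means both checks passed.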