76026 Centralized dependabot configuration proposal

[chihaiaalex]

No description provided.

[haphut]

We can probably find a tool to validate the Dependabot yaml content in the CI. What other validation can we do?

[chihaiaalex]

I looked into this. There's no official CLI or API for validating dependabot.yml — there's an open feature request at dependabot/dependabot-core#4605 (open since 2022).

Interestingly, dependabot/dependabot-core#4605 (comment) that GitHub ran a validation check automatically on a PR that modified dependabot.yml, but
dependabot/dependabot-core#4605 (comment) — so it might be a limited rollout or only for certain plans.

What exists today:

• A JSON schema on https://json.schemastore.org/dependabot-2.0.json — IDEs pick this up automatically for dependabot.yml
• Community tools like https://www.npmjs.com/package/@bugron/validate-dependabot-yaml (npm CLI that validates against the schema)
• GitHub Actions like https://github.com/marocchino/validate-dependabot

None of these are fully comprehensive — they validate structure against the schema but can't catch all Dependabot-internal validation rules. For our dry-run, a schema check would catch the most common errors
(typos, invalid keys, wrong types). Beyond that, the best validation is just that Dependabot itself silently ignores invalid configs — it won't break anything, it just won't run.

[haphut]

Agreed, JSON schema validation sounds useful and secure.

[haphut]

Alternative design: Push Dependabot to all non-archived repos owned by our team. If something breaks, create a denylist for those repos.

[chihaiaalex]

I don't personally see an issue with adding a single line to a file, each time we need to setup a new repository.
Is not something that we would do too often.

[haphut]

It's one more extra thing to remember and there is no warning if one forgets it. That it does not happen often makes it easier to forget.

We can have a checklist for creating new repos. It's just nicer to automate.

As a daily cron job checking for new repos and checking for dependabot.yml and denylist changes, then pushing to all of our repos, there is nothing to remember.

Plus, breaking Dependabot configuration in some repo occasionally by accident is okay. We can fix it inside the team without it affecting other teams or customers.

This tool is made by a GitHub employee (so fairly trustworthy) and seems to fit this push-model for both Dependabot configuration and GitHub repo settings. It also allows selecting all repos of the whole team: https://github.com/marketplace/actions/bulk-github-repository-settings-sync#option-2-rules-based-configuration-settings-configyml EDIT: It also allows exceptions per repo.

Would you be onboard using that one with a GitHub app token? Thank you for describing the process of creating an app token.

[chihaiaalex]

Thanks for the suggestion!

I looked into the tool, I think it would work quite nice and would simplify a lot the implementation.

For the per-repo customization (if needed), we'll have to define them into the central repository as well, we can't have repository level local overrides, but I think that's fine, having all configurations in one place.

Do you want me to update the proposal further including usage of this tool?

[haphut]

Yes, please.

[haphut]

Great starting point for discussion! Please answer the comments or modify accordingly.

[chihaiaalex]

@haphut done, replied and/or adjusted for all comments.