
Dependabot
Author or fix `.github/dependabot.yml` with correct ecosystem keys, schedules, groups, and private registry blocks.
Overview
dependabot is an agent skill most often used in Ship (also Operate infra, Build backend) that supplies a complete reference for configuring `.github/dependabot.yml` across package ecosystems and schedules.
Install
npx skills add https://github.com/ilteoood/harness --skill dependabot

What is this skill?
- Complete `.github/dependabot.yml` structure: version 2, registries, multi-ecosystem groups, updates list
- Package-ecosystem table spanning Bun, Cargo, Composer, Docker, dotnet-sdk, and more
- Documents required keys: package-ecosystem, directory or directories, schedule interval
- Optional private registry and cross-ecosystem grouping blocks
- Dependabot config file version is always 2
- Package-ecosystem reference table lists 10+ managers in the ingested excerpt (Bazel through Elm and beyond)
Adoption & trust: 1 install on skills.sh; 2 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You need Dependabot enabled but keep misconfiguring ecosystem names, directories, or registry blocks in dependabot.yml.
Who is it for?
Solo builders on GitHub who want a single YAML reference while standing up or extending multi-ecosystem dependency automation.
Skip if: Teams on non-GitHub hosts or builders who only need one-line renovate configs without GitHub Dependabot semantics.
When should I use this skill?
Creating or editing `.github/dependabot.yml`, adding ecosystems, schedules, groups, or private registries.
What do I get? / Deliverables
You produce a valid version-2 Dependabot config with correct ecosystems, paths, and schedules so security updates arrive as actionable PRs.
- Valid `.github/dependabot.yml` with updates entries per ecosystem
- Optional registries and multi-ecosystem-groups sections
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/security is the canonical shelf because Dependabot is primarily about automated dependency updates that reduce CVE exposure before and after release. Security subphase reflects supply-chain hygiene; the skill is a configuration reference for GitHub’s update bot.
Where it fits
You add a `/services/api` directory entry when a new Rust microservice gets its own Cargo.lock.
You enable weekly npm and Docker updates before a public launch.
You introduce registries auth for a private Gem server without breaking Dependabot parsing.
How it compares
YAML option encyclopedia for GitHub Dependabot—not a runtime vulnerability scanner skill.
Common Questions / FAQ
Who is dependabot for?
Indie and solo developers shipping on GitHub who configure Dependabot themselves without a platform team.
When should I use dependabot?
During Ship security when hardening supply chain; during Operate infra when adding a new lockfile ecosystem; during Build backend when a new service folder needs its own `updates` entry.
Is dependabot safe to install?
The skill is documentation-only for YAML, but applied configs trigger network PRs from GitHub—review the Security Audits panel and restrict registries credentials via GitHub secrets, not committed tokens.
SKILL.md - Dependabot
# Dependabot YAML Options Reference

Complete reference for all configuration options in `.github/dependabot.yml`.

## File Structure

```yaml
version: 2                        # Required, always 2

registries:                       # Optional: private registry access
  REGISTRY_NAME:
    type: "..."
    url: "..."

multi-ecosystem-groups:           # Optional: cross-ecosystem grouping
  GROUP_NAME:
    schedule:
      interval: "..."

updates:                          # Required: list of ecosystem configurations
  - package-ecosystem: "..."      # Required
    directory: "/"                # Required (or directories)
    schedule:                     # Required
      interval: "..."
```

## Required Keys

### `version`

Always `2`. Must be at the top level.

### `package-ecosystem`

Defines which package manager to monitor. One entry per ecosystem (can have multiple entries for the same ecosystem with different directories).

| Package Manager | YAML Value | Manifest Files |
|---|---|---|
| Bazel | `bazel` | `MODULE.bazel`, `WORKSPACE` |
| Bun | `bun` | `bun.lockb` |
| Bundler (Ruby) | `bundler` | `Gemfile`, `Gemfile.lock` |
| Cargo (Rust) | `cargo` | `Cargo.toml`, `Cargo.lock` |
| Composer (PHP) | `composer` | `composer.json`, `composer.lock` |
| Conda | `conda` | `environment.yml` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Elm | `elm` | `elm.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go Modules | `gomod` | `go.mod`, `go.sum` |
| Gradle | `gradle` | `build.gradle`, `build.gradle.kts` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs`, `mix.lock` |
| Julia | `julia` | `Project.toml`, `Manifest.toml` |
| Maven | `maven` | `pom.xml` |
| npm/pnpm/yarn | `npm` | `package.json`, lockfiles |
| NuGet | `nuget` | `*.csproj`, `packages.config` |
| OpenTofu | `opentofu` | `*.tf` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
| Pub (Dart/Flutter) | `pub` | `pubspec.yaml` |
| Rust Toolchain | `rust-toolchain` | `rust-toolchain.toml` |
| Swift | `swift` | `Package.swift` |
| Terraform | `terraform` | `*.tf` |
| uv | `uv` | `uv.lock`, `pyproject.toml` |
| vcpkg | `vcpkg` | `vcpkg.json` |

### `directory` / `directories`

Location of package manifests relative to repo root.

- `directory` — single path (no glob support)
- `directories` — list of paths (supports `*` and `**` globs)

```yaml
# Single directory
directory: "/"

# Multiple directories with globs
directories:
  - "/"
  - "/apps/*"
  - "/packages/*"
```

For GitHub Actions, use `/` — Dependabot automatically searches `.github/workflows/`.

### `schedule`

How often to check for updates.

| Parameter | Values | Notes |
|---|---|---|
| `interval` | `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron` | Required |
| `day` | `monday`–`sunday` | Weekly only |
| `time` | `HH:MM` | UTC by default |
| `timezone` | IANA timezone string | e.g., `America/New_York` |
| `cronjob` | Cron expression | Required when interval is `cron` |

```yaml
schedule:
  interval: "weekly"
  day: "tuesday"
  time: "09:00"
  timezone: "Europe/London"
```

## Grouping Options

### `groups`

Group dependencies into fewer PRs.

| Parameter | Purpose | Values |
|---|---|---|
| `IDENTIFIER` | Group name (used in branch/PR title) | Letters, pipes, underscores, hyphens |
| `applies-to` | Update type | `version-updates` (default), `security-updates` |
| `dependency-type` | Filter by type | `development`, `production` |
| `patterns` | Include matching names | List of strings with `*` wildcard |
| `exclude-patterns` | Exclude matching names | List of strings with `*` wildcard |
| `update-types` | SemVer filter | `major`, `minor`, `patch` |
| `group-by` | Cross-directory
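The required-key rules above (version always 2, a known `package-ecosystem`, exactly one of `directory`/`directories` with globs only in the latter, a valid `schedule.interval`, `day` only for weekly, `cronjob` only with `cron`) are easy to get wrong before Dependabot ever reads the file. The following checker is an added example, not code from the skill or from GitHub: it applies those rules to a parsed config so a mistake is caught in pre-commit or CI rather than as a silently ignored update. It assumes the config has already been loaded into a Python dict (for instance with `yaml.safe_load`), the ecosystem list is copied from the table above, and the two sample configs are constructed for illustration; registry `type` values are not validated.

```python
"""Structural checker for a parsed .github/dependabot.yml (added example, not part of the skill)."""
from __future__ import annotations

# Ecosystem values copied from the package-ecosystem table above.
KNOWN_ECOSYSTEMS = {
    "bazel", "bun", "bundler", "cargo", "composer", "conda", "devcontainers",
    "docker", "docker-compose", "dotnet-sdk", "elm", "gitsubmodule",
    "github-actions", "gomod", "gradle", "helm", "mix", "julia", "maven",
    "npm", "nuget", "opentofu", "pip", "pre-commit", "pub", "rust-toolchain",
    "swift", "terraform", "uv", "vcpkg",
}
INTERVALS = {"daily", "weekly", "monthly", "quarterly", "semiannually", "yearly", "cron"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}


def check_schedule(schedule: object, where: str) -> list[str]:
    """Apply the schedule-table rules: valid interval, day only for weekly, cronjob for cron."""
    if not isinstance(schedule, dict):
        return [f"{where}: schedule must be a mapping"]
    problems: list[str] = []
    interval = schedule.get("interval")
    if interval not in INTERVALS:
        problems.append(f"{where}: schedule.interval {interval!r} is not one of {sorted(INTERVALS)}")
    if interval == "cron" and "cronjob" not in schedule:
        problems.append(f"{where}: schedule.cronjob is required when interval is 'cron'")
    if "day" in schedule:
        if interval != "weekly":
            problems.append(f"{where}: schedule.day only applies to interval 'weekly'")
        if schedule["day"] not in DAYS:
            problems.append(f"{where}: schedule.day {schedule['day']!r} is not a weekday name")
    return problems


def check_update(entry: object, index: int) -> list[str]:
    """Check one `updates` item: known ecosystem, directory xor directories, required schedule."""
    where = f"updates[{index}]"
    if not isinstance(entry, dict):
        return [f"{where}: must be a mapping"]
    problems: list[str] = []
    ecosystem = entry.get("package-ecosystem")
    if ecosystem not in KNOWN_ECOSYSTEMS:
        problems.append(f"{where}: unknown package-ecosystem {ecosystem!r}")
    has_dir, has_dirs = "directory" in entry, "directories" in entry
    if has_dir == has_dirs:
        problems.append(f"{where}: exactly one of directory or directories is required")
    if has_dir and any(ch in str(entry["directory"]) for ch in "*?"):
        problems.append(f"{where}: directory does not support globs; use directories")
    if "schedule" not in entry:
        problems.append(f"{where}: schedule is required")
    else:
        problems.extend(check_schedule(entry["schedule"], where))
    return problems


def check_config(config: dict) -> list[str]:
    """Return every rule violation found; an empty list means the config passes."""
    problems: list[str] = []
    if config.get("version") != 2:
        problems.append("version must be 2 at the top level")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        problems.append("updates must be a non-empty list")
    else:
        for i, entry in enumerate(updates):
            problems.extend(check_update(entry, i))
    # multi-ecosystem-groups carry their own schedule, so the same rules apply there.
    for name, group in (config.get("multi-ecosystem-groups") or {}).items():
        problems.extend(check_schedule((group or {}).get("schedule"), f"multi-ecosystem-groups.{name}"))
    return problems


# Constructed sample: the dict yaml.safe_load() would return for a valid multi-ecosystem config.
GOOD_CONFIG = {
    "version": 2,
    "multi-ecosystem-groups": {"infra": {"schedule": {"interval": "weekly", "day": "monday"}}},
    "updates": [
        {"package-ecosystem": "npm", "directories": ["/", "/apps/*"],
         "schedule": {"interval": "weekly", "day": "tuesday", "time": "09:00", "timezone": "Europe/London"}},
        {"package-ecosystem": "cargo", "directory": "/services/api",
         "schedule": {"interval": "cron", "cronjob": "0 6 * * 1"}},
        {"package-ecosystem": "github-actions", "directory": "/", "schedule": {"interval": "monthly"}},
    ],
}

# Constructed sample with six deliberate mistakes (wrong version, bad ecosystem name,
# glob in `directory`, `day` on a monthly schedule, both directory keys, cron without cronjob).
BAD_CONFIG = {
    "version": 1,
    "updates": [
        {"package-ecosystem": "node", "directory": "/apps/*",
         "schedule": {"interval": "monthly", "day": "friday"}},
        {"package-ecosystem": "docker", "directory": "/", "directories": ["/"],
         "schedule": {"interval": "cron"}},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or "OK")
```

Wire it into a pre-commit hook or CI step that fails when `check_config` returns anything, and extend `KNOWN_ECOSYSTEMS` as you adopt managers; it deliberately does not try to validate `registries` or `groups` contents, which the reference above covers only partially.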