github-dependabot
Create or review a repo-specific `.github/dependabot.yml` for GitHub Dependabot.
GitHub Dependabot Setup
Use this skill when you need to create, review, or update .github/dependabot.yml.
This is a review-first skill. Do not copy a generic Dependabot file into a repo without first inspecting what the repo actually uses.
Default posture
- Inspect the target repository before drafting any config.
- Configure only the ecosystems and directories that actually exist in the repo.
- Treat private registries, beta features, and insecure execution settings as opt-in only.
- Keep the generated file minimal and explain any enterprise-specific settings that are included.
Working template and reference repo
The local file below is a working UHG example:
./template/dependabot.yml
Treat it as a reference implementation, not a universal default.
The bundled template intentionally defaults risky options off. Any use of beta ecosystems or insecure external code execution must be an explicit repo-level decision, not something copied in by default.
It is useful because it demonstrates a real enterprise setup with:
- multiple package ecosystems
- private Artifactory-style registries
- GitHub Actions updates
- timezone and scheduling examples
It is not safe to copy wholesale into every repo because it may include:
- ecosystems the target repo does not use
- registry names or secret names that do not exist in the target repo
enable-beta-ecosystemsinsecure-external-code-execution: allow
In the template, these are shown as commented opt-in toggles. Only uncomment them when the target repository has been reviewed and the need is documented.
Use the local template only after checking which parts actually apply.
You can also review this known working example repo for additional context:
Use gh or other available GitHub tooling to inspect the repo if needed.
Review workflow
Step 1: Inspect the target repo
Identify the package ecosystems that are actually present. Check for files such as:
package.jsonpackage-lock.jsonpnpm-lock.yamlyarn.lockrequirements.txtpyproject.tomlGemfilepom.xmlbuild.gradleDockerfile.github/workflows/*.yml*.tf
Also inspect the repo layout to confirm whether updates should be rooted at / or split across subdirectories.
Step 2: Check registry and credential requirements
Before adding a registries: section, confirm:
- the repo actually uses private registries
- the registry URL is correct
- the required Dependabot secret names already exist or are part of the requested change
- the chosen registry type matches the package ecosystem
Do not invent secret names or cargo-cult them from another repo.
Step 3: Start from the minimal valid config
Prefer the smallest valid .github/dependabot.yml that matches the repo.
Good defaults:
version: 2- one
updates:entry per ecosystem and directory actually in use - explicit
schedule - reasonable
open-pull-requests-limit
Only add these when justified:
registriesrebase-strategyversioning-strategygroupsallow/ignoreenable-beta-ecosystemsinsecure-external-code-execution: allow
If you enable either one, call it out explicitly in the output and explain why the safer default was not sufficient for that repository.
Step 4: Adapt the working example carefully
If the target repo resembles the bundled template, copy only the relevant pieces from ./template/dependabot.yml.
Examples:
- keep the
npmblock if the repo has Node manifests - keep the
github-actionsblock if workflows consume external actions - keep a private registry block only if the repo actually resolves dependencies through that registry
- drop
bundler,pip,maven,gradle,docker, orterraformentries when those ecosystems are absent
Step 5: Verify before finalizing
Before presenting or committing the file, verify:
- every configured ecosystem exists in the repo
- every
directorypath exists - every registry name referenced by an update block exists under
registries: - every required secret name is intentional
- any risky option is explicitly justified
Output expectations
When using this skill, produce:
- a short summary of the ecosystems detected in the target repo
- the proposed
.github/dependabot.yml - a short note explaining any non-default settings such as private registries, beta ecosystems, grouping, or insecure execution allowances
If required registry secrets or repo conventions are missing, say so clearly instead of guessing.
Safe defaults
Prefer these update blocks when applicable:
npmgithub-actionsdockerterraformpipmavengradlebundler
But only include an ecosystem when the repo actually uses it.
Default to avoiding insecure-external-code-execution: allow unless the ecosystem genuinely requires it and the user wants that behavior.
Default to avoiding enable-beta-ecosystems unless the repo depends on a beta ecosystem or the example has already been validated for that repo family.
Related Assets
github-agents
Configure GitHub Copilot Coding Agent repositories with the correct UHG runner, Artifactory, and workflow bootstrap patterns.
Owner: pcorazao
github-expert
GitHub platform features, Actions, workflows, CLI, repository management, and security
Owner: platform-devops
security-agent-cca-fix
Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.
Owner: edi-security-agent
Label Taxonomy Audit
Audit GitHub label usage across repositories to identify inconsistencies, redundancies, and missing labels, then recommend a standardized taxonomy.
Owner: community
Epic Progress Dashboard
Generate comprehensive epic progress dashboards showing completion status, velocity trends, blocker analysis, and burn-down forecasts for multi-sprint initiatives and large features.
Owner: thudak_uhg
Backlog Refinement Assistant
Facilitates backlog grooming sessions by analyzing issues for readiness, suggesting improvements to acceptance criteria, estimating complexity, and identifying dependencies before sprint planning.
Owner: thudak_uhg

