Upload folder using huggingface_hub

88df9e4 verified about 1 month ago

19.8 kB

	---
	title: Configuring multi-ecosystem updates for Dependabot
	intro: 'Learn how to configure {% data variables.product.prodname_dependabot %} to group updates across different ecosystems so that you receive a single, consolidated pull request per group instead of one pull request for each ecosystem.'
	permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
	allowTitleToDifferFromFilename: true
	type: how_to
	versions:
	fpt: '*'
	ghec: '*'
	ghes: '>=3.19'
	topics:
	- Dependabot
	- Version updates
	- Repositories
	- Dependencies
	- Pull requests
	shortTitle: Multi-ecosystem updates
	---

	## About multi-ecosystem updates

	Multi-ecosystem updates allow you to create groups that span multiple package ecosystems and get a single {% data variables.product.prodname_dependabot %} pull request with updates across all supported ecosystems. This approach helps reduce the number of {% data variables.product.prodname_dependabot %} pull requests you receive and streamlines your dependency update workflow.

	Multi-ecosystem updates are particularly useful for:

	* Infrastructure projects that use multiple technologies (Docker, Terraform, Python scripts).
	* Full-stack applications with frontend and backend dependencies that should be updated together.
	* Cross-platform libraries that need synchronized protocol versions across languages.

	## Getting Started

	You should follow these instructions to set up your first multi-ecosystem group.

	### 1. Add `multi-ecosystem-groups` to your `.github/dependabot.yml` file

	Start by defining a group with a schedule in the top-level `multi-ecosystem-groups` section:

	```yaml copy
	version: 2

	multi-ecosystem-groups:
	infrastructure:
	schedule:
	interval: "weekly"

	updates:
	# Your existing package ecosystems will go here
	```

	### 2. Assign ecosystems to groups with patterns

	1. Add the `multi-ecosystem-group` key.
	1. Add `patterns` to your package ecosystem configurations.

	```yaml copy
	version: 2

	multi-ecosystem-groups:
	infrastructure:
	schedule:
	interval: "weekly"

	updates:
	- package-ecosystem: "docker"
	directory: "/"
	patterns: ["nginx", "redis", "postgres"]
	multi-ecosystem-group: "infrastructure"

	- package-ecosystem: "terraform"
	directory: "/"
	patterns: ["aws", "terraform-*"]
	multi-ecosystem-group: "infrastructure"
	```

	> [!IMPORTANT]
	> The `patterns` key is required when using `multi-ecosystem-group`. You can specify dependency patterns to include only certain dependencies in the group, or use `["*"]` to include all dependencies.

	### 3. Commit and watch for consolidated pull requests

	Once you commit the changes to your `dependabot.yml` file, {% data variables.product.prodname_dependabot %} will:

	* Check for updates according to the group's schedule
	* Check for updates according to the group's schedule.
	* Create a single pull request containing updates for all the ecosystems specified in the group.
	* Use the group identifier in the branch name and the pull request title.

	### 4. Customize with additional keys (optional)

	Add [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--), [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--), and other settings to your groups:

	```yaml copy
	multi-ecosystem-groups:
	infrastructure:
	schedule:
	interval: "weekly"
	assignees: ["@platform-team"]
	labels: ["infrastructure", "dependencies"]

	updates:
	- package-ecosystem: "docker"
	directory: "/"
	patterns: ["nginx", "redis", "postgres"]
	multi-ecosystem-group: "infrastructure"

	- package-ecosystem: "terraform"
	directory: "/"
	patterns: ["aws", "terraform-*"]
	multi-ecosystem-group: "infrastructure"
	```

	## Multi-ecosystem specific configuration

	Multi-ecosystem updates use a two-level configuration structure to provide flexibility and control over how updates are grouped and managed:

	* Group-level (`multi-ecosystem-groups`): This is where you define the overall group behavior, scheduling, and shared settings that apply to all package ecosystems in the group.
	* Ecosystem-level (`updates`): Configure individual package managers within the group, including which dependencies to include and ecosystem-specific settings.

	This structure allows you to set consistent policies at the group level while maintaining fine-grained control over individual package ecosystems.

	### `multi-ecosystem-groups`

	Define groups that span multiple package ecosystems. Each group requires:

	* Group identifier: Used in branch names and pull request titles.
	* Schedule: How often to check for updates. See [schedule](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#schedule-) for all available options.

	### `multi-ecosystem-group`

	Assign a package ecosystem to a multi-ecosystem group. Requires the `patterns` key to specify which dependencies to include.

	For more information about `patterns`, see [`patterns` and `exclude-patterns`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#patterns-and-exclude-patterns-groups).

	### Additional configuration options

	All standard {% data variables.product.prodname_dependabot %} configuration options can be used with multi-ecosystem groups. See [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-), [`directory`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories-or-directory--), [`allow`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow--), [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--), [`cooldown`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-), and [`registries`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#registries--) in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference).

	## Key configuration

	When using multi-ecosystem groups, keys are configured at two levels. Here's a complete breakdown of which keys can be used where:

	### Group-level (`multi-ecosystem-groups`)

	The following table shows the configuration keys available at the group level, along with their behavior types. For more information, see [Configuration behavior](#configuration-behavior).

	\| Key \| Required \| Behavior \|
	\|---------------------\|:--------:\|:----------------\|
	\| [`schedule`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#schedule-) \|{% octicon "check" aria-label="Required" %}\| Not applicable \|
	\| [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--) \|{% octicon "x" aria-label="Not required" %}\| Additive \|
	\| [`milestone`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#milestone--) \| {% octicon "x" aria-label="Not required" %} \| Group-only \|
	\| [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) \|{% octicon "x" aria-label="Not required" %} \|Additive \|
	\| [`target-branch`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#target-branch-) \|{% octicon "x" aria-label="Not required" %} \|Group-only \|
	\| [`commit-message`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#commit-message--) \|{% octicon "x" aria-label="Not required" %} \|Group-only \|
	\| [`pull-request-branch-name`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#pull-request-branch-nameseparator--) \|{% octicon "x" aria-label="Not required" %} \|Group-only \|

	### Ecosystem-level (`updates`)

	The following table shows the configuration keys available at the ecosystem level, along with their behavior types. For more information, see [Configuration behavior](#configuration-behavior).

	\| Key \| Required \| Behavior \|
	\|---------------------\|:--------:\|:----------------\|
	\| [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-) \|{% octicon "check" aria-label="Required" %}\| Not applicable \|
	\| [`directory` / `directories`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories-or-directory--) \|{% octicon "check" aria-label="Required" %}\| Not applicable \|
	\| [`patterns`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#patterns-and-exclude-patterns-groups) \|{% octicon "check" aria-label="Required" %}\| Not applicable \|
	\| [`allow`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#allow--) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`ignore`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`registries`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#registries--) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`vendor`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#vendor--) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`versioning-strategy`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy--) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`update-types`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-groups) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`cooldown`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-) \|{% octicon "x" aria-label="Not required" %}\| Not applicable \|
	\| [`labels`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#labels--) \| {% octicon "x" aria-label="Not required" %} \| Additive \|
	\| [`assignees`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#assignees--) \|{% octicon "x" aria-label="Not required" %} \|Additive \|

	### Configuration behavior

	#### Additive keys

	Additive keys merge values from both the group level and individual ecosystem level rather than one overriding the other. This allows you to set consistent team-wide configurations at the group level while adding specific ecosystem expertise at the individual level.

	* `assignees` - All assignees from both group and ecosystem levels are assigned
	* `labels` - All labels from both group and ecosystem levels are applied

	This table shows how {% data variables.product.prodname_dependabot %} combines values from both group and ecosystem levels for Docker pull requests in the example below:

	\| Option \| Group-level value \| Ecosystem-level value \| Result \|
	\|-----------\|------------------------------------- \|-------------------------\|--------------------------------------------------------------\|
	\| `assignees` \| `@platform-team`, `@security-lead` \| `@docker-admin` \| `@platform-team`, `@security-lead`, `@docker-admin` \|
	\| `labels` \| `infrastructure`, `dependencies` \| `docker`, `containers` \| `infrastructure`, `dependencies`, `docker`, `containers` \|

	```yaml copy
	multi-ecosystem-groups:
	infrastructure:
	assignees: ["@platform-team", "@security-lead"]
	labels: ["infrastructure", "dependencies"]

	updates:
	- package-ecosystem: "docker"
	assignees: ["@docker-admin"]
	labels: ["docker", "containers"]
	multi-ecosystem-group: "infrastructure"
	```

	#### Group-only keys

	* `milestone` - Integer milestone number
	* `commit-message` - Commit message templates
	* `target-branch` - Target branch for pull requests
	* `pull-request-branch-name` - Branch naming configuration

	> [!WARNING]
	> If you attempt to set group-only keys at the ecosystem level (in `updates` entries), {% data variables.product.prodname_dependabot %} will throw a configuration error and fail to process your `dependabot.yml` file. These keys must only be specified in the `multi-ecosystem-groups` section.

	Example:

	This table shows how {% data variables.product.prodname_dependabot %} combines values from both group and ecosystem levels for Docker pull requests in the example below:

	\| Option \| Group-level value \| Ecosystem-level value \| Result \|
	\|-----------\|---------------------\|-------------------------\|----------------------------------------\|
	\| `assignees` \| `@platform-team` \| `@docker-admin` \| `@platform-team`, `@docker-admin` \|
	\| `labels` \| `infrastructure` \| `docker`, `containers` \| `infrastructure`, `docker`, `containers`\|

	```yaml copy
	multi-ecosystem-groups:
	infrastructure:
	assignees: ["@platform-team"]
	labels: ["infrastructure"]

	updates:
	- package-ecosystem: "docker"
	assignees: ["@docker-admin"]
	labels: ["docker", "containers"]
	multi-ecosystem-group: "infrastructure"
	```

	## Use cases and examples

	Multi-ecosystem updates are particularly useful for projects that use multiple package managers and want to coordinate updates across them. Here are common scenarios:

	### Infrastructure projects

	Scenario: Your infrastructure code uses multiple technologies - Docker containers, Terraform for cloud resources, and Python scripts for automation. You want all infrastructure-related updates grouped together for easier review and deployment coordination.

	Why group these together: Infrastructure changes often need to be deployed together, and having separate PRs for each technology creates coordination overhead.

	```yaml copy
	multi-ecosystem-groups:
	infrastructure:
	schedule:
	interval: "weekly" # Weekly updates to avoid disruption

	updates:
	- package-ecosystem: "docker"
	directory: "/"
	patterns: ["nginx", "redis", "postgres"]
	multi-ecosystem-group: "infrastructure"
	- package-ecosystem: "terraform"
	directory: "/"
	patterns: ["aws", "terraform-*"]
	multi-ecosystem-group: "infrastructure"
	- package-ecosystem: "pip"
	directory: "/"
	patterns: ["boto3", "requests", "pyyaml"]
	multi-ecosystem-group: "infrastructure"
	```

	Result: One weekly pull request containing updates for Docker images, Terraform providers, and Python dependencies used in infrastructure automation.

	### Full-stack applications

	Scenario: You have a web application with a React frontend and Rails backend. You want frontend and backend dependencies updated together to ensure compatibility and streamline testing.

	Why group these together: Frontend and backend often depend on each other, and updating them together ensures you can test the full application stack in one go.

	```yaml copy
	multi-ecosystem-groups:
	app-dependencies:
	schedule:
	interval: "daily" # More frequent updates for application code

	updates:
	- package-ecosystem: "npm"
	directory: "/frontend"
	patterns: ["react", "lodash", "@types/*"] # Core frontend libraries and TypeScript types
	multi-ecosystem-group: "app-dependencies"
	- package-ecosystem: "bundler"
	directory: "/backend"
	patterns: ["rails", "pg", "sidekiq"] # Core backend framework and database
	multi-ecosystem-group: "app-dependencies"
	```

	Result: Daily PRs containing both frontend JavaScript/TypeScript updates and backend Ruby gem updates, allowing you to test the complete application together.

	### Cross-platform libraries

	Scenario: You're building a library or service that uses the same protocols across different languages (like gRPC and Protocol Buffers). You want to keep the library versions synchronized across all implementations.

	Why group these together: Protocol libraries need to stay compatible across different language implementations, so updating them together prevents version mismatches.

	```yaml copy
	multi-ecosystem-groups:
	grpc-and-protobuf:
	schedule:
	interval: "daily"

	updates:
	- package-ecosystem: "bundler"
	directory: "/grpc-proto-test/"
	patterns: ["grpc", "google-protobuf"]
	multi-ecosystem-group: "grpc-and-protobuf"
	- package-ecosystem: "npm"
	directory: "/grpc-proto-test/"
	patterns: ["@grpc/grpc-js", "google-protobuf"]
	multi-ecosystem-group: "grpc-and-protobuf"
	```

	Result: Daily PRs ensuring that Ruby and Node.js gRPC libraries stay synchronized, preventing protocol compatibility issues.

	## Advanced configuration example

	This comprehensive example shows how a complex project might use multiple groups with different update strategies and key merging:

	```yaml copy
	version: 2

	multi-ecosystem-groups:
	infrastructure:
	schedule:
	interval: "weekly"
	assignees: ["@platform-team"] # assign platform team
	labels: ["infrastructure", "dependencies"]
	milestone: 10 # Track in milestone
	commit-message:
	prefix: "infra"
	include: "scope"

	# Application code updates - daily, with development team
	full-stack:
	schedule:
	interval: "daily"
	assignees: ["@full-stack-team"] # assign to full-stack team
	labels: ["full-stack"]

	updates:
	# Docker images - infrastructure group with additional docker expertise
	- package-ecosystem: "docker"
	directory: "/"
	patterns: ["nginx", "redis", "postgres"]
	assignees: ["@docker-admin"] # adds to @platform-team (additive)
	labels: ["docker"] # adds to infrastructure, dependencies (additive)
	multi-ecosystem-group: "infrastructure"

	# Terraform - infrastructure group with terraform specialists
	- package-ecosystem: "terraform"
	directory: "/"
	patterns: ["aws", "terraform-*"]
	multi-ecosystem-group: "infrastructure"

	# Frontend - full-stack group with frontend focus
	- package-ecosystem: "npm"
	directory: "/frontend"
	patterns: ["react", "lodash", "@types/*"]
	labels: ["frontend"] # adds to full-stack (additive)
	multi-ecosystem-group: "full-stack"

	# Backend - full-stack group with backend specialist
	- package-ecosystem: "bundler"
	directory: "/backend"
	patterns: ["rails", "pg", "sidekiq"]
	assignees: ["@backend-dev"] # adds to @full-stack-team (additive)
	multi-ecosystem-group: "full-stack"
	```

	### How this configuration works

	#### Infrastructure PRs

	* `schedule: weekly`

	\| Option\| Group-level value \| Ecosystem-level value \| Result \|
	\|---------\|------------\|-----------------\|--------\|
	\| `assignees` \| `@platform-team` \| `@docker-admin` (Docker), `@terraform-experts` (Terraform) \| All combined \|
	\| `labels` \| `infrastructure`, `dependencies` \| `docker` (Docker) \| All combined \|
	\| `schedule` \| `weekly` \| None \| Weekly updates \|
	\| `milestone` \| `10` \| None \| Tracked in milestone 10 \|

	#### Full-stack PRs

	* `schedule: daily`

	\| Option \| Group-level value \| Ecosystem-level value \| Result \|
	\|---------\|------------\|-----------------\|--------\|
	\| `assignees` \| `@full-stack-team` \| `@backend-dev` (Backend) \| All combined \|
	\| `labels` \| `full-stack` \| `frontend` (Frontend) \| All combined \|
	\| `schedule` \| `daily` \| None \| More frequent updates \|

	This approach ensures that the right people are involved for each type of update while maintaining consistent policies across related technologies.

	## Best practices

	* Group related dependencies: Only group ecosystems that logically belong together.
	* Use descriptive identifiers: Choose group names that clearly indicate the group's purpose.

	### Further reading

	* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference)