Dependabot-core: Default org-wide repo settings

Thanks for the feedback @ocxo. You can change Dependabot to security only for a repo by clicking "advanced options" when adding the repo, or by clicking "only security updates" when editing an update config:

If you're using config files, you can achieve the same by copying the Example: only allow security updates section of the setup instructions.

Apologies for the bad first experience!

@greysteil can that be applied at the org level or is it at the repo level only? I understand the repo level config options but what I'm really looking for is a way to apply this to my GitHub org and all repos within it.

Ah, sorry, I didn't realise that's what you meant.

At the moment we don't have any settings that are configurable at both the account and repo level. I can totally see the use case, but introducing that would also add a little complexity for users, and require a proper UI (if you're using config files I presume this wouldn't really be an issue). Let me have a think. We have some account-level settings that we might move down to the repos anyway, so when we do it would make sense to make defaults configurable at the account level.

(I can also see how this will be lots of work. What happens when you change defaults, for example? Dependabot would need a way of tracking which repos have been separately configured somehow and which haven't. Could be confusing...)

I could see the sync issue being complex but in my mind a setting that enforces X default configuration for all newly added repos would be a really helpful middle ground.

In the meantime can this issue please be re-opened as it's currently not solved for?

Sure thing!

Feedback from https://github.com/dependabot/feedback/issues/383

Actually default_reviewers and default_labels stay on each package levels, I mean not globally (but for each dependency).

I think this could be a great addition to have the same features, but in a global scope, I mean having

version: 1
default_reviewers:
  - reviewer1
  - reviewer2
default_labels:
  - label1
  - label2
update_configs:
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "live"

so as the PR create by @dependabot-bot is labeled and reviewer is picked by default (if no one is specified at dependency level).

I've also been looking into this. We have over 300 repositories and want to apply some rules to auto-merge some of our most common non-production dependencies as long as the CI reports green.

We can do this by going through each repository by hand, but that's cumbersome, and requires us to do it again for any future changes we want to make, and any new repositories we add.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

i'm still really hoping for a feature along these lines. ideally, i'd love to see this implemented as a config file that can be placed in the .github repo. i'd be happy to provide more thoughts if there is interest in moving this forward.