Dependabot security updates for multiple branches

[reedloden]

Currently, Dependabot only performs security updates against the default branch. However, a project may have multiple active branches that still need security updates. Need a way to configure Dependabot to also scan certain branches for security updates.

Note that Dependabot version updates supports multiple branches using target-branch in dependabot.yml, but that configuration is not used for security updates.

[edulix]

It took me a lot of time to figure out that target-branch in dependabot.yml does just not apply to dependabot security updates, but it does apply to version updates.

I would suggest that meanwhile this feature is not supported, at least update the documentation of #target-branch to have a warning about this behavior so that it's clear the current limitations.

[daern91]

We also ran into this problem and wasted time debugging it. Would be great if we could get security updates towards target-branch instead of default.

[cesarhernandezgt]

I couldn't find an open issue on https://github.com/dependabot/dependabot-core, do you happen to know where this feature/issue can be tracked ?

[sastorsl]

Building two docker images of the same tool, on two different versions, hits this problem.
The way we tried it we have one main branch with the current version and one branch for the n-1 version, and would like Dependabot to run for both branches.

But this does not work, e.g. nothing happens in the n-1 branch.

[slonka]

It seems like it's working as expected, an example config and the PRs opened against "v0.11" branch (did not check if they are really only security updates but if you change the base to "master" there are more updates - e.g. grpc 1.51.0 to 1.52.0)

[cesarhernandezgt]

Hi @slonka, base on the repository PR's https://github.com/cilium/hubble/pulls?q=is%3Apr+v0.11 , I don't see any security-related PR that dependabot opened for the branch v0.11. And that's precisely the issue described in this conversation.

[slonka]

@cesarhernandezgt - you're right, I was fooled by other PRs with a target branch v0.11 - https://github.com/cilium/hubble/blob/master/.github/dependabot.yml#L56 . Have you had time to open up an issue against dependabot/dependabot-core? If yes then can you link here so I can track it?

[cesarhernandezgt]

@slonka
I found this GitHub issue dependabot/dependabot-core#2767, and based on the conversation and other tickets that have been closed since early 2020... it seems still today there isn't a strong intention to allow security updates to be configurable for branches other than the default branch (main in most cases) :/