Is dependabot.yml mandatory for GitHub Dependabot?

Question

Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?

https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

Answer 1

Technically dependabot.yml is not required - if you turn on dependabot from GitHub project settings / security, it'll start working. I turned on https://github.com/coreinfrastructure/best-practices-badge without a YAML file and it worked.

HOWEVER, it's not obvious to others that dependabot is being used if there's no dependabot.yml file, and that's a problem. For example, the OpenSSF scorecard looks for the dependabot.yml file to determine if your project is using dependabot to keep things up to date. It's important to have your dependencies up-to-date, yes, but it's also important that your potential users know that you're keeping things up-to-date. So for full transparency it's better to have the configuration file posted within the source repo.

It'll also give you more control.

Answer 2

The configuration file is necessary so that Dependabot knows which environments to update. This is a minimalist example from the GitHub documentation to update the dependencies of the GitHub Actions on a daily basis:

version: 2
updates:

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"

You can also see the necessary configurations in the table of the GitHub documentation.