Dependabot Manifest Generation
The gh aw compile --dependabot command scans workflows for runtime tools (npx, pip install, go install), generates dependency manifests (package.json, requirements.txt, go.mod), and configures Dependabot to monitor for updates
Run gh aw compile --dependabot to compile all workflows and generate manifests in .github/workflows/.
Prerequisites: Node.js/npm required for package-lock.json generation. Pip and Go manifests generate without additional tools.
Compiler-managed gh-aw-actions ignore rule
Section titled “Compiler-managed gh-aw-actions ignore rule”gh aw compile always reconciles the compiler-managed ignore rule for github/gh-aw-actions/** when your repository already has a github-actions update block in .github/dependabot.yml (this is not limited to --dependabot runs).
- No-op if
.github/dependabot.ymldoes not exist - No-op if there is no
package-ecosystem: github-actionsupdate block - Preserves user-defined
ignoreentries
updates: - package-ecosystem: github-actions directory: "/.github/workflows" schedule: interval: weekly ignore: - dependency-name: "github/gh-aw-actions/**" # Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump. - dependency-name: "actions/checkout" # user-defined, preservedGenerated Files
Section titled “Generated Files”| Ecosystem | Manifest | Lock File |
|---|---|---|
| npm | package.json | package-lock.json (via npm install --package-lock-only) |
| pip | requirements.txt | - |
| Go | go.mod | - |
All ecosystems update .github/dependabot.yml with weekly update schedules. Existing configurations are preserved; only missing ecosystems are added.
Handling Dependabot PRs
Section titled “Handling Dependabot PRs”Correct workflow: Update source .md files, then recompile to regenerate manifests.
# Find affected workflows
# Edit workflow .md files (change version)# npx @playwright/[email protected] → npx @playwright/[email protected]
# Regenerate manifestsgh aw compile --dependabot
# Commit (Dependabot auto-closes its PR)git add .github/workflows/git commit -m "chore: update @playwright/test to 1.42.0"git pushHandling Transitive Dependencies (MCP Servers)
Section titled “Handling Transitive Dependencies (MCP Servers)”When Dependabot flags transitive dependencies (e.g., @modelcontextprotocol/sdk, hono from @sentry/mcp-server), update the shared MCP configuration instead:
# Locate the shared MCP config (e.g., .github/workflows/shared/mcp/sentry.md)# Update the version in the args array:# args: ["@sentry/[email protected]"] → args: ["@sentry/[email protected]"]
# Regenerate manifestsgh aw compile --dependabot
# Regenerate package-lock.json to pick up transitive dependency updatescd .github/workflows && npm install --package-lock-only
# Commit changesgit add .github/workflows/git commit -m "chore: update @sentry/mcp-server to 0.29.0"git pushWhy? The compiler generates package.json from MCP server configurations in workflow files. Directly editing package.json will be overwritten on next compilation.
AI Agent Prompt Template
Section titled “AI Agent Prompt Template”A Dependabot PR updated dependencies in .github/workflows/.
Fix workflow:1. Identify which .md files reference the outdated dependency2. Update versions in workflow files3. Run `gh aw compile --dependabot` to regenerate manifests4. Verify manifests match the Dependabot PR5. Commit and push (Dependabot auto-closes)
Affected PR: [link]Updated dependency: [name@version]Troubleshooting
Section titled “Troubleshooting”| Issue | Solution |
|---|---|
| package-lock.json not created | Install Node.js/npm from nodejs.org |
| Dependency not detected | Avoid shell variables (${TOOL}); use literal package names |
| Dependabot not opening PRs | Verify .github/dependabot.yml is valid YAML and manifest files exist |
Related Documentation
Section titled “Related Documentation”- CLI Commands - Complete compile command reference
- Compilation Process - How compilation works
- GitHub Dependabot Docs - Official Dependabot guide