Merge pull request #33697 from github/repo-sync

Repo sync

Author: docs-bot

content/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.md

@@ -46,10 +46,14 @@ For a real-world example of `dependabot.yml` file, see  [{% data variables.produ
 The top-level `updates` key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. You can use the following options.
 
 {% data reusables.dependabot.configuration-options %}
+{% ifversion dependabot-updates-multidirectory-support %}
 
+{% data reusables.dependabot.directory-directories-required %}
+
+{% endif %}
 These options fit broadly into the following categories.
 
-* Essential set up options that you must include in all configurations: [`package-ecosystem`](#package-ecosystem), [`directory`](#directory),[`schedule.interval`](#scheduleinterval).
+* Essential set up options that you must include in all configurations: [`package-ecosystem`](#package-ecosystem), [`directory`](#directory){% ifversion dependabot-updates-multidirectory-support %} or [`directories`](#directories){% endif %},[`schedule.interval`](#scheduleinterval).
 * Options to customize the update schedule: [`schedule.time`](#scheduletime), [`schedule.timezone`](#scheduletimezone), [`schedule.day`](#scheduleday).
 * Options to control which dependencies are updated: [`allow`](#allow), {% ifversion dependabot-version-updates-groups %}[`groups`](#groups),{% endif %} [`ignore`](#ignore), [`vendor`](#vendor).
 * Options to add metadata to pull requests: [`reviewers`](#reviewers), [`assignees`](#assignees), [`labels`](#labels), [`milestone`](#milestone).
@@ -117,6 +121,14 @@ updates:
 
 **Required**. You must define the location of the package manifests for each package manager (for example, the _package.json_ or _Gemfile_). You define the directory relative to the root of the repository for all ecosystems except {% data variables.product.prodname_actions %}.
 
+{% ifversion dependabot-updates-multidirectory-support %}
+
+{% data reusables.dependabot.directories-option-overview %} For more information, see [`directories`](#directories).
+
+{% data reusables.dependabot.directory-directories-required %}
+
+{% endif %}
+
 For {% data variables.product.prodname_actions %}, you do not need to set the directory to `/.github/workflows`. Configuring the key to `/` automatically instructs {% data variables.product.prodname_dependabot %} to search the `/.github/workflows` directory, as well as the _action.yml_ / _action.yaml_ file from the root directory.
 
 ```yaml
@@ -143,6 +155,92 @@ updates:
       interval: "weekly"
 ```
 
+{% ifversion dependabot-updates-multidirectory-support %}
+
+### `directories`
+
+**Required**. You must define the locations of the package manifests for each package manager. You define directories relative to the root of the repository for all ecosystems except {% data variables.product.prodname_actions %}. The `directories` option contains a list of strings representing directories.
+
+{% data reusables.dependabot.directory-directories-required %}
+
+```yaml
+# Specify locations of manifest files for each package manager using `directories`
+
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directories:
+      - "/frontend"
+      - "/backend"
+      - "/admin"
+    schedule:
+      interval: "weekly"
+```
+
+{% data reusables.dependabot.directories-option-overview %}
+
+{% data reusables.dependabot.directory-vs-directories-guidance %}
+
+```yaml
+# Specify locations of manifest files for each package manager using both `directories` and `directory`
+
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directories:
+      - "/frontend"
+      - "/backend"
+      - "/admin"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "daily"
+```
+
+>[!TIP]
+> The `directories` key supports globbing and the wildcard character `*`. These features are not supported by the `directory` key.
+
+```yaml
+# Specify the root directory and directories that start with "lib-", using globbing, for locations of manifest files
+
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directories:
+      - "/"
+      - "/lib-*"
+    schedule:
+      interval: "weekly"
+```
+
+```yaml
+# Specify the root directory and directories in the root directory as the location of manifest files using the wildcard character
+
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directories:
+      - "*"
+    schedule:
+      interval: "weekly"
+```
+
+```yaml
+# Specify all directories from the current layer and below recursively, using globstar, for locations of manifest files
+
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directories:
+      - "**/*"
+    schedule:
+      interval: "weekly"
+```
+
+{% endif %}
+
 ### `schedule.interval`
 
 **Required**. You must define how often to check for new versions for each package manager. By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone).

content/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates.md

@@ -64,9 +64,12 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
 1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [`registries`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#registries) in "Configuration options for the `dependabot.yml` file."
 1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager.
 1. For each package manager, use:
+
     * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in "Configuration options for the `dependabot.yml` file."
     * `directory` to specify the location of the manifest or other definition files. For more information, see [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory) in "Configuration options for the `dependabot.yml` file."
+    {% ifversion dependabot-updates-multidirectory-support %}- `directories` to specify the location of multiple manifest or other definition files. For more information, see [`directories`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories) in "Configuration options for the `dependabot.yml` file."{% endif %}
     * `schedule.interval` to specify how often to check for new versions. For more information, see [`schedule.interval`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval) in "Configuration options for the `dependabot.yml` file."
+
 {% data reusables.dependabot.check-in-dependabot-yml %}
 
 ### Example `dependabot.yml` file

content/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors.md

@@ -214,7 +214,7 @@ The [`groups`](/code-security/dependabot/dependabot-version-updates/configuratio
 
 For grouped security updates, {% data variables.product.prodname_dependabot %} uses the following guidelines to create grouped pull requests.
 
-* {% data variables.product.prodname_dependabot %} **will** group dependencies from the same package ecosystem that are located in different directories. Grouping across directories only occurs for directories not configured in the `dependabot.yml` file.
+* {% data variables.product.prodname_dependabot %} **will** group dependencies from the same package ecosystem that are located in different directories when grouping rules are specified for configurations that use the `directories` key.
 * {% data variables.product.prodname_dependabot %} **will** apply other relevant customization options from the `dependabot.yml` file to pull requests for grouped security updates. {% data reusables.dependabot.dependabot-grouped-security-updates-yaml-override %}
 * {% data variables.product.prodname_dependabot %} **will not** group dependencies from different package ecosystems together.
 * {% data variables.product.prodname_dependabot %} **will not** group security updates with version updates.

data/features/dependabot-updates-multidirectory-support.yml

@@ -0,0 +1,5 @@
+# Reference: Issue #13733 - Multidirectory Configuration for Dependabot Version Updates - [Public Beta]
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.13'

data/reusables/dependabot/configuration-options.md

@@ -1,7 +1,8 @@
 | Option | Required | Security Updates | Version Updates | Description |
 |:---|:---:|:---:|:---:|:---|
 | [`package-ecosystem`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)                     | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Package manager to use                  |
-| [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory)                                     | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Location of package manifests           |
+| [`directory`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory)                                     | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Location of package manifests           |{% ifversion dependabot-updates-multidirectory-support %}
+| [`directories`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories)                                     | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Locations of package manifests (multiple directories)           |{% endif %}
 | [`schedule.interval`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval)                      | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | How often to check for updates                |
 | [`allow`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow)                                             | {% octicon "x" aria-label="Not supported" %}| {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Customize which updates are allowed         |
 | [`assignees`](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#assignees)                                     | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Assignees to set on pull requests           |

data/reusables/dependabot/dependabot-grouped-security-updates-how-enable.md

@@ -1,3 +1,4 @@
 You can enable grouped pull requests for {% data variables.product.prodname_dependabot_security_updates %} in one, or both, of the following ways.
+
 * To group as many available security updates together as possible, across directories and per ecosystem, enable grouping in the "Code security and analysis" settings for your organization or repository.
-* For more granular control of grouping, such as grouping by package name, development/production dependencies, or SemVer level, add configuration options to the `dependabot.yml` configuration file in your repository.
+* For more granular control of grouping, such as grouping by package name, development/production dependencies,{% ifversion dependabot-updates-multidirectory-support %} SemVer level, or across multiple directories per ecosystem{% else %} or SemVer level{% endif %}, add configuration options to the `dependabot.yml` configuration file in your repository.

data/reusables/dependabot/dependabot-version-updates-groups-yaml-example.md

@@ -33,8 +33,12 @@ A `dependabot.yml` file with a customized Bundler configuration, which has been
 version: 2
 updates:
   # Keep bundler dependencies up to date
-  - package-ecosystem: "bundler"
-    directory: "/"
+  - package-ecosystem: "bundler"{% ifversion dependabot-updates-multidirectory-support %}
+    directories:
+      - "/frontend"
+      - "/backend"
+      - "/admin"{% else %}
+    directory: "/"{% endif %}
     schedule:
       interval: "weekly"
     # Create a group of dependencies to be updated together in one pull request

data/reusables/dependabot/directories-option-overview.md

@@ -0,0 +1 @@
+You can use `directories` instead of `directory` to apply the same configuration to a list of multiple directories. The `directory` or `directories` entries must be unique and cannot overlap with the `directory` or `directories` entries in blocks that have the same ecosystem and `target-branch`. You can have one block specifying multiple directories and another block with specifications for one directory only, but both keys can't be present in the same block.

data/reusables/dependabot/directory-directories-required.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** You cannot use both `directory` and `directories` in the same configuration block. Only one option is required, not both.
+
+{% endnote %}

data/reusables/dependabot/directory-vs-directories-guidance.md

@@ -0,0 +1 @@
+Using `directory`, `directories`, or a mixture of both, are all valid approaches. You should tailor your configuration to your requirements. We recommend you use `directories` when you want to apply the exact same configuration to multiple directories or group dependency updates across multiple directories, and `directory` when you want to apply a configuration to only one directory, or if you want each directory to have a different configuration.