diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md index ce6920d47f02..5785be5e05ce 100644 --- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md +++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories.md 
@@ -44,3 +44,24 @@ You can configure updates for repositories that contain a dependency manifest or If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see [AUTOTITLE](/get-started/exploring-integrations/about-integrations).{% endif %} {% data reusables.dependabot.supported-package-managers %} + +### Known issue: Tag format for GitHub Actions in monorepos + +If your repository contains multiple GitHub Actions (for example, in a monorepo), the tag format you use affects how {% data variables.product.prodname_dependabot %} detects and updates action versions. + +- **Dash (-) separator (e.g. my-action-v0.1.0):** + - {% data variables.product.prodname_dependabot %} may incorrectly update multiple actions or fail to detect new versions. This occurs because {% data variables.product.prodname_dependabot %} relies on Git’s hierarchical tag structure (using slashes) to distinguish between actions. +- **Slash (`/`) separator (e.g., `my-action/v0.1.0`):** + - {% data variables.product.prodname_dependabot %} correctly detects and updates each action independently, as the slash creates a hierarchical tag that aligns with Git’s ref format rules. + + **Example**: +```yaml +# Recommended: namespaced with slash +uses: my-org/my-action-a/v0.1.0 + +# Not recommended: dash +uses: my-org/my-action-a-v0.1.0 +``` + +**Recommendation:** +For monorepos with multiple actions, use the `name/version` (slash) format for action tags. This ensures {% data variables.product.prodname_dependabot %} can parse the tag hierarchy correctly and update actions independently.
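Review bot: In the YAML example, both `uses:` lines omit the `@` that separates the action from its ref, so `my-org/my-action-a/v0.1.0` reads as owner/repo/path with no version rather than as a slash-format tag. Since the section is about the tag itself, put the tag after `@` in both lines, for example `uses: my-org/my-repo/my-action-a@my-action-a/v0.1.0` against `uses: my-org/my-repo/my-action-a@my-action-a-v0.1.0` (the repository and path names here are placeholders). The two bullets are also formatted inconsistently: the dash bullet leaves `-` and `my-action-v0.1.0` without backticks and writes "e.g." without the comma, while the slash bullet uses both. Finally, "**Example**:" carries a leading space and the fence that follows starts at column 0, which may render differently from the list above it; aligning them would avoid that.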