{"id":35621300,"url":"https://github.com/dupuy/reliabot","last_synced_at":"2026-05-28T01:04:10.997Z","repository":{"id":212378675,"uuid":"731308823","full_name":"dupuy/reliabot","owner":"dupuy","description":"Maintain Dependabot configuration","archived":false,"fork":false,"pushed_at":"2026-05-01T16:11:52.000Z","size":571,"stargazers_count":1,"open_issues_count":12,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-01T17:27:20.115Z","etag":null,"topics":["dependabot","dependency-manager","github","pre-commit-ci","pre-commit-hook","python-script"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dupuy.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-12-13T19:43:51.000Z","updated_at":"2026-05-01T16:11:55.000Z","dependencies_parsed_at":"2023-12-13T23:42:10.473Z","dependency_job_id":null,"html_url":"https://github.com/dupuy/reliabot","commit_stats":null,"previous_names":["dupuy/reliabot"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/dupuy/reliabot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dupuy%2Freliabot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dupuy%2Freliabot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dupuy%2Freliabot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dupuy%2Freliabot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dupuy","download_url":"https://codeload.github.com/dupuy/reliabot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dupuy%2Freliabot/sbom","scorecard":{"id":499576,"data":{"date":"2025-08-18T23:43:19Z","repo":{"name":"github.com/dupuy/reliabot","commit":"0bbc0e1c514f6ef76583fc75ab6fa986bcadbe5b"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":7.3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 1/11 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yaml:26","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:27","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/python-app.yaml:394","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/python-app.yaml:445","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/python-app.yaml:482","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/python-app.yaml:306","Info: topLevel 'contents' permission set to 'read': .github/workflows/assign-labels.yaml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yaml:15","Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard.yaml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-app.yaml:97","Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yaml:14"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  18 out of  18 GitHub-owned GitHubAction dependencies pinned","Info:  21 out of  21 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.2.4 not signed: https://api.github.com/repos/dupuy/reliabot/releases/147332265","Warn: release artifact v0.2.2 not signed: https://api.github.com/repos/dupuy/reliabot/releases/146951060","Warn: release artifact v0.2.1 not signed: https://api.github.com/repos/dupuy/reliabot/releases/146949645","Warn: release artifact v0.2.4 does not have provenance: https://api.github.com/repos/dupuy/reliabot/releases/147332265","Warn: release artifact v0.2.2 does not have provenance: https://api.github.com/repos/dupuy/reliabot/releases/146951060","Warn: release artifact v0.2.1 does not have provenance: https://api.github.com/repos/dupuy/reliabot/releases/146949645"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/python-app.yaml:340"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":4,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: branch 'main' does not require approvers","Info: codeowner review is required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"29 out of 29 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-08-19T21:27:37.421Z","repository_id":212378675,"created_at":"2025-08-19T21:27:37.422Z","updated_at":"2025-08-19T21:27:37.422Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32587823,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T22:12:39.696Z","status":"ssl_error","status_checked_at":"2026-05-03T22:09:10.534Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependabot","dependency-manager","github","pre-commit-ci","pre-commit-hook","python-script"],"created_at":"2026-01-05T06:57:25.324Z","updated_at":"2026-05-28T01:04:10.984Z","avatar_url":"https://github.com/dupuy.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Codacy coverage](https://app.codacy.com/project/badge/Coverage/4668d53bee4f45c394437197d2e20c01)](https://app.codacy.com/gh/dupuy/reliabot/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_coverage)\n[![Codacy grade](https://app.codacy.com/project/badge/Grade/4668d53bee4f45c394437197d2e20c01)](https://app.codacy.com/gh/dupuy/reliabot/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_grade)\n[![CodeQL status](https://github.com/dupuy/reliabot/workflows/CodeQL/badge.svg)](https://github.com/dupuy/reliabot/security/)\n[![OpenSSF scorecard](https://api.securityscorecards.dev/projects/github.com/dupuy/reliabot/badge)](https://securityscorecards.dev/viewer/?uri=github.com/dupuy/reliabot)\n\\\n[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/dupuy/reliabot/main.svg)](https://results.pre-commit.ci/latest/github/dupuy/reliabot/main)\n[![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/dupuy/reliabot.svg)](http://isitmaintained.com/project/dupuy/reliabot \"Average time to resolve an issue\")\n[![Percentage of issues still open](http://isitmaintained.com/badge/open/dupuy/reliabot.svg)](http://isitmaintained.com/project/dupuy/reliabot \"Percentage of issues still open\")\n\\\n[![Python build workflow status](https://img.shields.io/github/actions/workflow/status/dupuy/reliabot/python-app.yaml)](https://github.com/dupuy/reliabot/actions/workflows/python-app.yaml)\n![PyPI Version](https://img.shields.io/pypi/v/reliabot)\n[![GitHub Release](https://img.shields.io/github/v/release/dupuy/reliabot)](https://github.com/dupuy/reliabot/releases)\n\\\n[![GitHub License](https://img.shields.io/github/license/dupuy/reliabot)](LICENSE)\n![GitHub repository size](https://img.shields.io/github/repo-size/dupuy/reliabot)\n![GitHub repository file+folder count](https://img.shields.io/github/directory-file-count/dupuy/reliabot)\n![GitHub top language](https://img.shields.io/github/languages/top/dupuy/reliabot)\n\n\u003c!-- ![Lines of code](https://img.shields.io/tokei/lines/github/dupuy/reliabot) --\u003e\n\n\u003c!-- ![Lines of code](https://tokei.rs/b1/github/dupuy/reliabot) --\u003e\n\n# Reliabot – Maintain Dependabot configuration\n\nReliabot is a tool that helps maintain Dependabot configurations in your GitHub\nrepository. This is especially helpful for [Terraform][1] “Infrastructure as\nCode” repositories or any sort of \"mono-repo\" with many folders that may\nrequire version updates.\n\n\u003e [_Quis renovatores ipsos renovat?_][2] :octocat::dependabot:🧑🏽‍🔧\n\n\u003c!-- mdformat-toc start --slug=github --no-anchors --maxlevel=3 --minlevel=2 --\u003e\n\n- [Usage](#usage)\n  - [Examples](#examples)\n- [Installation](#installation)\n  - [From PyPI for direct use](#from-pypi-for-direct-use)\n  - [As an executable script](#as-an-executable-script)\n  - [As a `pre-commit` hook](#as-a-pre-commit-hook)\n- [Pre-commit hook](#pre-commit-hook)\n  - [Using with other pre-commit checks](#using-with-other-pre-commit-checks)\n- [Reliabot script](#reliabot-script)\n  - [Options](#options)\n- [FAQ](#faq)\n  - [Does Reliabot work with Renovate?](#does-reliabot-work-with-renovate)\n  - [Can you install Reliabot with Homebrew?](#can-you-install-reliabot-with-homebrew)\n  - [Can Reliabot generate a PR to update Dependabot configuration?](#can-reliabot-generate-a-pr-to-update-dependabot-configuration)\n- [Configuring Reliabot behavior](#configuring-reliabot-behavior)\n  - [Keeping Dependabot configuration](#keeping-dependabot-configuration)\n  - [Ignoring directories for Reliabot](#ignoring-directories-for-reliabot)\n  - [Reliabot directory matching](#reliabot-directory-matching)\n  - [Indentation](#indentation)\n  - [Suppressing YAML start markers](#suppressing-yaml-start-markers)\n  - [YAML version](#yaml-version)\n- [Reliabot configuration summary](#reliabot-configuration-summary)\n\n\u003c!-- mdformat-toc end --\u003e\n\nGitHub's [Dependabot][3] can [automatically update dependency versions][4] in\nyour GitHub repositories. Enabling version updates requires a `dependabot.yml`\nconfiguration file in your repository. While creating this file isn't so hard,\nin a large repository with multiple applications or types of code, it’s easy to\nforget to keep the `dependabot.yml` configuration file up to date with newly\nadded or removed code.\n\nThe `reliabot` Python script and its pre‑commit hook can automatically maintain\nDependabot configurations, adding and removing entries in `dependabot.yml` as\nyou add or remove code in your repository.\n\nYou can run Reliabot directly to create a `dependabot.yml` configuration file\nfor your GitHub repository, but it's most convenient to run the reliabot hook\nfrom the [pre‑commit][5] framework, or optionally, with the [pre-commit.ci][6]\ncontinuous integration service.\n\n## Usage\n\nThe `reliabot` script takes one argument: a Git repository path, and creates or\nupdates the `dependabot.yml` configuration file for the repository based on the\nfiles tracked in Git, including both committed and staged files.\n\n```console\nreliabot$ ./reliabot/reliabot.py\nUsage: reliabot.py [--re] --update | [--] GIT_REPO\n(use '--' if GIT_REPO starts with '-', or see script source)\n```\n\n\u003c!-- $?=2 --\u003e\n\n### Examples\n\nHere is the console output from running Reliabot on its own source sub-folder\nto create a new configuration:\n\n```console\nreliabot$ rm -fr reliabot/.github \u0026\u0026 mkdir -p reliabot/.github reliabot/.git\n\nreliabot$ ./reliabot/reliabot.py reliabot\nCreating 'reliabot/.github/dependabot.yml'...\nreliabot$ cat reliabot/.github/dependabot.yml\n---\nversion: 2\nupdates:\n  - directory: /\n    package-ecosystem: pip\n    schedule:\n        interval: monthly\n```\n\nHere is the console output from running Reliabot to update an existing\nconfiguration in a sub-folder of its own source (copied from the root folder).\nReliabot removes the `github-actions`, `docker`, and one `pip` entry because\nthe `/.github` and `/fuzz` directories are missing from the copy.\n\n```console\nreliabot$ rm -fr reliabot/.github \u0026\u0026 mkdir -p reliabot/.github reliabot/.git\n\nreliabot$ grep -v keep= .github/dependabot.yml \u003ereliabot/.github/dependabot.yml\n\nreliabot$ ./reliabot/reliabot.py reliabot\nRemoved obsolete 'github-actions' entry in '/'\nRemoved obsolete 'docker' entry in '/fuzz'\nRemoved obsolete 'pip' entry in '/fuzz'\nUpdating 'reliabot/.github/dependabot.yml'...\nreliabot$ cat -n reliabot/.github/dependabot.yml\n 1\t---\n 2\t# reliabot: mapping=2 offset=2 sequence=4\n 3\t# reliabot: ignore=./reliabot # already tracked in repository root\n 4\t# reliabot: ignore=testdir/\n 5\tversion: 2\n 6\tupdates:\n 7\t  - directory: /\n 8\t    package-ecosystem: pip\n 9\t    schedule:\n 10\t      interval: monthly\n 11\t    groups:\n 12\t      python-tools:\n 13\t        - ruff\n 14\t        - tox\n```\n\n## Installation\n\n### From PyPI for direct use\n\nUse `pip3` to install the `reliabot` Python script on your system or\nvirtualenv. (Omit `-q` to see progress and warnings.)\n\n```console\nreliabot$ pip3 install -q reliabot\n```\n\n#### Installing with RE2\n\nYou can improve the reliability and performance of Reliabot, and prevent\nwarning messages, by installing a Python RE2 regular expression package. These\nrequire installation of the C++ RE2 library (run `brew install re2`, or use\nLinux/BSD tools to install the `re2` package).\n\n```console\nreliabot$ pip3 install -q 'reliabot[re2]'\n```\n\n\u003e ⚠️The `re2` extra (which depends on [pyre2-updated][7]) only works for Python\n\u003e 3.10 to 3.13. If you have to use another Python version, use the\n\u003e [`--re` option][8] to turn off warnings about failure to load `re2`.\n\n\u003e Note: this extra was previously known as `re2-wheels` and that name is also\n\u003e maintained for compatibility, but the shorter name is now preferred.\n\nOnce installed, you can add the Python binary directory to your `PATH`.\n\n### As an executable script\n\nAlthough it's not ideal, you can also put the `reliabot.py` script into any\ndirectory in your PATH (with or without the `.py` extension), mark it as\nexecutable, and run it directly. This _requires_ `ruamel.yaml` to be installed\nin the (default) Python environment, but can be convenient for _ad hoc_ use.\nThe `pyre2-updated` package and RE2 C library are **not** required, but you'll\nhave to use `--re` to suppress warnings about failure to load RE2 if missing.\n\n### As a `pre-commit` hook\n\n\u003e Note: installation from PyPI is _not_ required for use as a `pre‑commit`\n\u003e hook. The `pre‑commit` command takes care of installing Reliabot in a Python\n\u003e virtual environment for executions from Git hooks or the `pre‑commit`\n\u003e command.\n\nThe [pre‑commit documentation][9] has detailed instructions for installing and\nconfiguring `pre‑commit`. After you:\n\n1. install `pre‑commit`,\n\n2. add a `.pre‑commit-config.yaml` configuration, for example by running:\n\n   ```shell\n   pre-commit sample-config \u003e .pre-commit-config.yaml\n   ```\n\n   and\n\n3. install the Git hooks for your repository,\n\nadd the following to the `repos` entry in `.pre‑commit‑config.yaml`\n([Installing with RE2][10] explains the motivation for the\n`additional_dependencies` line, which also requires the C++ RE2 library):\n\n```yaml\n  - repo: https://github.com/dupuy/reliabot\n    rev: v0.5.2 # Specify any revision you want\n    hooks:\n      - id: reliabot\n        additional_dependencies: [pyre2-updated] # or just `pyre2` or omit this\n```\n\nAfter that, Reliabot runs automatically on any Git commit that involves\n`dependabot.yml` or files where Dependabot could update their dependencies.\n\n## Pre-commit hook\n\nAfter installing and configuring pre‑commit with a Reliabot entry, you can run\nReliabot with `pre-commit run --all reliabot`. You'll rarely need to do so,\nsince any Git commit that could require an update to the Dependabot\nconfiguration should invoke Reliabot automatically.\n\n### Using with other pre-commit checks\n\nIf you also configure a YAML checker in `.pre-commit-config.yaml`, it should\ncome before Reliabot. And if you configure a YAML formatter, it should come\nafter Reliabot. Pre-commit processes all hooks in the order they appear in the\nconfiguration, and this order provides the best results:\n\n1. YAML checker\n2. Reliabot\n3. YAML formatter\n\n## Reliabot script\n\n### Options\n\n- `--re` – As the first argument, this option disables any attempt to use RE2,\n  along with error or warning messages when those attempts fail.\n\n- `--self-test`– As the only argument this runs the `doctest` unit tests.\n\n- `--update` – As the only argument, this runs `reliabot` on the current\n  directory, returning exit code 4 if it made any changes to the file.\n\n## FAQ\n\n### Does Reliabot work with Renovate?\n\nNo. [Renovate][11] detects all supported dependency information in repositories\nand manages them unless `packageRules` configure it to ignore them, so Reliabot\nisn't needed. As [Renovate configuration][12] is quite complex, creating a tool\nto manage that would be challenging.\n\n### Can you install Reliabot with Homebrew?\n\nThere is no [Homebrew][13] formula for Reliabot yet, but any contributions for\none are welcome. To install it for the command line, use `pip`, `poetry` or any\nother Python package manager. If you only use it for `pre-commit` checks, you\ndon't need to install anything, just add it to `.pre-commit-config.yaml`.\n\n### Can Reliabot generate a PR to update Dependabot configuration?\n\nGenerally, it's better to update the Dependabot configuration in the same PR\nthat makes dependency management changes, so Reliabot just makes changes that\nyou can add to the current PR. The pre-commit.ci continuous integration service\ndoes that if you configure Reliabot in `.pre-commit-config.yaml`. A GitHub\nAction could create a separate PR, and any contributions for such an action are\nalso welcome.\n\n## Configuring Reliabot behavior\n\nReliabot uses the `ruamel.yaml` parser to read and write `dependabot.yml`,\npreserving comments when updating it. You can add YAML comments starting with\n`# reliabot:` to configure Reliabot and `ruamel.yaml` settings when updating\nDependabot configuration.\n\n\u003e ⚠️**Important**: Reliabot only checks comments _after_ any explicit “document\n\u003e start” line (`‑‑‑`) and _before_ the first line with YAML data, such as\n\u003e `version: 2`.\n\n### Keeping Dependabot configuration\n\nIf Reliabot removes your Dependabot configuration for a directory for any\nreason, such as a new package ecosystem it doesn't yet support, you can prevent\nthat by adding a Reliabot comment with `keep=`_directory_ to `dependabot.yml`,\nas in this example:\n\n```\n---\n# reliabot: keep=example_dir\nversion: 2\n```\n\nThis keeps Reliabot from removing any Dependabot configuration for\n`example_dir`. To also keep Reliabot from removing configuration in\nsubdirectories of `example_dir`, use `keep=example_dir/`. To keep Reliabot from\nremoving _any_ Dependabot configuration in your repository, use `keep=/`.\n\n\u003e ⭐️**Note**: A \"keep\" comment doesn't prevent Reliabot from _adding_\n\u003e Dependabot configuration for the directory.\n\n### Ignoring directories for Reliabot\n\nIf Reliabot generates Dependabot configuration entries for directories that you\ndon't want Dependabot to update, you can prevent this by adding a Reliabot\ncomment with `ignore=`_directory_ to `dependabot.yml`:\n\n```\n# reliabot: ignore=testdir/example\n```\n\n\u003e ⚠️**Important**: Reliabot **removes** any existing Dependabot configuration\n\u003e for ignored directories unless you turn that off with a matching \"keep\"\n\u003e comment, like the following:\n\n```\n# reliabot: ignore=archive/ keep=archive/\n```\n\nThis prevents Reliabot from modifying any Dependabot configuration for\ndirectories in or under the `archive` directory.\n\n\u003e ⭐️**Note**: You can put Reliabot settings on separate lines or together.\n\u003e Reliabot combines multiple `ignore` and `keep` settings, ignoring or keeping\n\u003e all matched directories.\n\n### Reliabot directory matching\n\nIn addition to the special meaning of trailing `/`, Reliabot directory matching\nsupports some other special cases:\n\n- The path `*` matches all subdirectories but not the root.\n- The path `.` matches the root directory only.\n- The path `/` matches all directories.\n- Paths ending in `*` match as a prefix, but not exactly.\n- Paths ending in `/*` match subdirectories only.\n- Paths ending in `/` match the directory and all subdirectories.\n\nFull details are in [the implementation][14].\n\n### Indentation\n\nReliabot modifies the `ruamel.yaml` indentation settings to generate Dependabot\nconfiguration that's mostly compatible with the `prettier` formatter. If you\nprefer a different style, you can change the indentation with Reliabot comments\nmodifying `ruamel.yaml`’s `mapping`, `offset`, and `sequence` settings:\n\n```\n---\n# reliabot: mapping=2\n# reliabot: offset=2 sequence=4\n```\n\n\u003e ⭐️**Note**: When configuring indentation settings, choose values so that\n\u003e `sequence` \u003e `offset` or Reliabot may fail.\n\nThe `ruamel.yaml` indentation settings are hard to explain or understand, but\nthis reformatted copy of an example from GitHub Docs may help:\n\n```\n# reliabot: mapping=9 offset=4 sequence=7\n# Use `allow` to specify which dependencies to maintain\n\nversion: 2\nupdates:\n    -  package-ecosystem: npm\n       directory: /\n       schedule:\n                interval: weekly\n       allow:\n      # Allow updates for Lodash\n           -  dependency-name: lodash\n      # Allow updates for React and any packages starting \"react\"\n           -  dependency-name: react*\n```\n\n- `offset` sets the indent for the `-` sequence indicator under `updates`:\n\n  ```\n  ⎵⎵⎵⎵-  package-ecosystem: npm\n  ```\n\n- `sequence` sets the indent for the values in the `updates` sequence,\n  including the first item:\n\n  ```\n  ⎵⎵⎵⎵-⎵⎵package-ecosystem: npm\n  ⎵⎵⎵⎵⎵⎵⎵directory: /\n  ```\n\n- `mapping` sets the indent for the values in the `schedule` mapping:\n\n  ```\n         schedule:\n         ⎵⎵⎵⎵⎵⎵⎵⎵⎵interval: weekly\n  ```\n\nIf any indentation setting appears more than once, Reliabot uses the last one.\n\n\u003e ⚠️**Important**: Indentation settings are **ignored** for comment lines,\n\u003e which keep whatever indentation they already had. If you change indentation\n\u003e settings, you may have to correct the indentation of comments, manually or\n\u003e with a YAML formatter. This is one reason YAML formatters in your\n\u003e `.pre-commit-config.yaml` should come _after_ Reliabot.\n\nIf you need more control of the formatting of `.pre‑commit-config.yaml`, it's\nbest to configure pre-commit to use a YAML formatter like one of these:\n\n- [prettier][15] (use mapping=2 offset=2 sequence=4 for compatibility)\n- [Golang `yamlfmt`][16]\n- [Python `yamlfmt`][17] (also uses `ruamel.yaml` and its configuration\n  settings).\n\n\u003e ⛔️**Warning**: Some combinations of indentation values can generate invalid\n\u003e YAML output that `ruamel.yaml` can't parse. Reliabot checks that it can parse\n\u003e the updated `dependabot.yml` contents; if not, it doesn't update the file and\n\u003e instead fails with an exit code of 3, printing an error message like the\n\u003e following:\n\u003e\n\u003e ```\n\u003e YAML (indent?) error: {'mapping': 2, 'offset': 2, 'sequence': 2}:\n\u003e while parsing a block collection ...\n\u003e ```\n\n### Suppressing YAML start markers\n\nYAML files can have a [“document start” line][18] with three hyphens (`---`)\nbefore the YAML content of the file. This marks the start of a YAML document.\nAlthough YAML checkers may complain if it's missing, it isn't required.\nReliabot adds this line to `dependabot.yml` if you leave it out—if that's a\nproblem, you can have Reliabot remove it instead, by adding a Reliabot comment\nlike the following at the start of `dependabot.yml`:\n\n```\n# reliabot: yaml-start=off\n```\n\nIf the YAML start setting appears more than once, Reliabot uses the last one.\n\nReliabot always removes YAML “document end” lines with three dots (`...`) at\nthe end of a `dependabot.yml` file as these files have no reason to use one.\n\n### YAML version\n\nThe `ruamel.yaml` parser [follows the YAML 1.2 specification][19], but if you\nneed to use YAML 1.1 features you can do so by specifying the YAML version\nbefore the document start marker, like this:\n\n```\n%YAML 1.1\n---\n```\n\n## Reliabot configuration summary\n\n| Comment tag        | Affects           | Repeats  | Notes                    |\n| ------------------ | ----------------- | :------: | ------------------------ |\n| `ignore`=_path_    | adding entries    |  Append  | ignores `/` at start/end |\n| `keep`=_path_      | removing entries  |  Append  | ignores `/` at start/end |\n| `mapping`=_int_    | mapping indent    | Override | int\u003e0 (default 4)        |\n| `offset`=_int_     | seq. mark indent  | Override | int≥0 (default 2)        |\n| `sequence`=_int_   | seq. value indent | Override | int\u003e`offset` (default 4) |\n| `width`=_int_      | line width wrap   | Override | + indent? (default 80)   |\n| `yaml-start`=`off` | initial `---`     | Override | or `false`/`true` (`on`) |\n\n[1]: https://www.terraform.io/use-cases/infrastructure-as-code\n[2]: https://translate.google.com/?sl=la\u0026tl=en\u0026text=Quis%20renovatores%20ipsos%20renovat%3F\u0026op=translate\n[3]: https://docs.github.com/en/code-security/dependabot\n[4]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates\n[5]: https://pre-commit.com/\n[6]: https://pre-commit.ci/\n[7]: https://pypi.org/project/pyre2-updated\n[8]: #options\n[9]: https://pre-commit.com/#quick-start\n[10]: #installing-with-re2\n[11]: https://docs.renovatebot.com/\n[12]: https://docs.renovatebot.com/configuration-options\n[13]: https://brew.sh/\n[14]: https://github.com/dupuy/reliabot/blame/1a44935/reliabot/reliabot.py#L460-L470\n[15]: https://prettier.io/docs/en/precommit#option-2-pre-commithttpsgithubcompre-commitpre-commit\n[16]: https://github.com/google/yamlfmt\n[17]: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt\n[18]: https://www.yaml.info/learn/document.html#start\n[19]: https://yaml.dev/doc/ruamel.yaml/pyyaml/#Defaulting_to_YAML_1.2_support\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdupuy%2Freliabot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdupuy%2Freliabot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdupuy%2Freliabot/lists"}