Dependabot creates pull requests for private clone of repository despite explicit opt-out

Based on this post on the forums, it seems that as long as I fork a project, it will inherit its Dependabot configuration.

To circumvent that, I’ve tried to clone the project, change the URL for origin and push it to a private repository within an organization.

We have two branches: upstream, which we plan to sync with the source project using GitHub Actions, and develop, where we made changes that deviate from the last release.

The upstream project maintainers use Dependabot regularly and merge those pull requests, but as develop is expected to be based on a release, we essentially treat it as a snapshot that we build upon, despite following official guides on the subject.

I can modify develop, delete .github/dependabot.yml and get by, but I’d rather not modify upstream and do the same (which seems necessary), as it’s supposed to be a 1:1 copy, and as Dependabot is an organization, not an individual, I cannot block it from the organization.

Organization-level configuration (we have clicked “Disable all” before creating the repository):

It is getting more than a tad bit frustrating, as we want only pull requests and commits from authorized users, and we haven’t explicitly granted Dependabot access to our private repository, yet we still get inundated with pull requests.

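As an added illustration, not part of the original post: where the copied .github/dependabot.yml cannot simply be deleted, each updates entry can keep its schedule while being told to open no pull requests at all with open-pull-requests-limit: 0. The package-ecosystem and directory values below are assumed placeholders, not the project's own configuration.

```yaml
# Assumed example: a dependabot.yml whose version updates are kept
# on file but neutralised, so the copied config stops opening PRs
# without the file itself disappearing from the mirror.
version: 2
updates:
  # Placeholder ecosystem; substitute whatever the upstream file lists.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # 0 means Dependabot raises no version-update pull requests
    # for this entry; existing open ones are not closed automatically.
    open-pull-requests-limit: 0
```

Security updates are governed separately by the organization and repository security settings, so check those too when PRs keep appearing with this file in place.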