Based on this post on the forums, it seems that as long as I fork a project, it will inherit its Dependabot configuration.
To circumvent that, I've tried to clone the project, then changed the URL for origin and pushed it to a private repository within an organization.
We have two branches: upstream, which we plan to sync with the source project using GitHub Actions, and develop, where we make changes that deviate from the last release.
The upstream project maintainers use Dependabot regularly and merge those pull requests, but as develop is expected to be based on a release, we essentially treat it as a snapshot that we build upon, despite following the official guides on the subject.
I can modify develop, delete .github/dependabot.yml and get by, but I'd rather not modify upstream and do the same (which seems necessary), as it's supposed to be a 1:1 copy, and since Dependabot is an organization, not an individual, I cannot block it from the organization.
Organization-level configuration (we have clicked “Disable all” before creating the repository):
It is getting more than a tad frustrating, as we want only pull requests and commits from authorized users, and we haven't explicitly granted Dependabot access to our private repository, yet we still get inundated with pull requests.
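An added example, not part of the original post or of any GitHub tooling: a small POSIX shell helper that lists which local branches of a clone actually carry .github/dependabot.yml in their tree, so you can confirm what upstream and develop contain before deciding which branch to touch. The helper builds a throw-away demo repository (branch names, file contents and the temp directory are constructed for the example) so it runs offline; point it at a real clone by calling branches_with_dependabot_config with the clone's path instead.

```shell
#!/bin/sh
# Added example (not from the original post): report which local branches
# carry .github/dependabot.yml in their tree.
# Usage: branches_with_dependabot_config /path/to/clone

branches_with_dependabot_config() {
    repo="$1"
    # Walk local branches only (refs/heads), one name per line.
    git -C "$repo" for-each-ref --format='%(refname:short)' refs/heads |
    while IFS= read -r branch; do
        # git ls-tree exits 0 and prints nothing when the path is absent,
        # so the check has to be on its output rather than its exit status.
        if [ -n "$(git -C "$repo" ls-tree "$branch" -- .github/dependabot.yml)" ]; then
            printf '%s\n' "$branch"
        fi
    done
}

# Constructed demo repository (assumption for the example): an "upstream"
# branch that keeps the config and a "develop" branch that has removed it.
# Returns the path of the repository on stdout.
make_demo_repo() {
    dir="$(mktemp -d)"
    # Identity is passed per command so the demo does not depend on ~/.gitconfig.
    ident="-c user.name=demo -c user.email=demo@example.invalid"
    git -C "$dir" init -q
    git -C "$dir" checkout -q -b upstream
    mkdir -p "$dir/.github"
    printf 'version: 2\nupdates: []\n' > "$dir/.github/dependabot.yml"
    git -C "$dir" add .
    git -C "$dir" $ident commit -q -m 'upstream snapshot'
    git -C "$dir" checkout -q -b develop
    git -C "$dir" rm -q .github/dependabot.yml
    git -C "$dir" $ident commit -q -m 'drop dependabot config'
    printf '%s\n' "$dir"
}

# Stand-alone run: build the demo repo, list the branches that still carry
# the config (expected: only "upstream"), then clean up.
demo="$(make_demo_repo)"
branches_with_dependabot_config "$demo"
rm -rf "$demo"
```

The helper reads each branch's tree directly, so it does not need a checkout and does not touch the working copy; the only branch Dependabot acts on in a real repository is a separate question, but knowing which branches still carry the file is the first thing to verify before deleting it anywhere.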