Disable dependabot creating PRs

Hi,

With the recent changes around dependabot only having read-only access (and thus not being able to read repository secrets), I want to disable dependabot from creating PRs (as they will always fail), but still see the alerts. Is this possible? I have tried everything within my action but nothing seems to work.

My dependabot.yml is here:

version: 2
updates:
  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/frontend"
    target-branch: "master"
    schedule:
      interval: "monthly"

  - package-ecosystem: "maven"
    directory: "/backend"
    target-branch: "master"
    schedule:
      interval: "monthly"

In my GitHub Action I have the following:

on:
  push:
    paths-ignore:
      - 'infrastructure/**'
  pull_request:
    paths-ignore:
      - 'infrastructure/**'
    branches-ignore:
      - 'master'

However, the dependabot PRs still trigger a build. I’ve also tried the following, which doesn’t work:

if: github.actor != 'dependabot-[bot]'

Is there any way to disable this but still see alerts?

Regarding the docs, I don’t think it’s currently possible, but you can create a feature request.

The only option you could try is setting open-pull-requests-limit: 0
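
Where that setting goes in the dependabot.yml from the question, as an added example that is not part of the original posts. open-pull-requests-limit is set per update entry; per GitHub's documentation it limits version-update pull requests only (security updates have a separate internal limit), and Dependabot alerts are enabled in the repository settings rather than in this file.

```yaml
version: 2
updates:
  # npm dependencies under /frontend
  - package-ecosystem: "npm"
    directory: "/frontend"
    target-branch: "master"
    schedule:
      interval: "monthly"
    # 0 = open no version-update pull requests for this entry
    open-pull-requests-limit: 0

  # Maven dependencies under /backend
  - package-ecosystem: "maven"
    directory: "/backend"
    target-branch: "master"
    schedule:
      interval: "monthly"
    # The limit is per entry, so it has to be repeated here
    open-pull-requests-limit: 0
```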