From b2416c37dea57b4d512243f3d31994d46efeda14 Mon Sep 17 00:00:00 2001 From: Technical Documentation Writer for GitHub Actions Date: Sat, 25 Oct 2025 04:11:56 +0000 Subject: [PATCH] Add documentation for --dependabot flag in CLI reference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit adds comprehensive documentation for the `gh aw compile --dependabot` flag that was previously undocumented in the user-facing CLI reference. Changes: - Added command examples for --dependabot and --dependabot --force - Documented supported package ecosystems (npm, pip, Go) - Explained manifest file generation for each ecosystem - Documented prerequisites (npm in PATH for npm packages) - Added usage constraints and limitations - Included Starlight note component for important constraints The documentation follows the Diátaxis framework (Reference section), GitHub Docs style guidelines, and maintains consistency with existing CLI documentation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- docs/src/content/docs/tools/cli.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/src/content/docs/tools/cli.md b/docs/src/content/docs/tools/cli.md index c46722aa417..9e2928acca4 100644 --- a/docs/src/content/docs/tools/cli.md +++ b/docs/src/content/docs/tools/cli.md 
@@ -134,12 +134,38 @@ gh aw compile --purge # Remove orphaned .lock.yml files # Development features gh aw compile --watch --verbose # Auto-recompile on changes gh aw compile --workflows-dir custom/ # Custom workflows directory + +# Dependency management +gh aw compile --dependabot # Generate dependency manifests +gh aw compile --dependabot --force # Force overwrite existing files ``` **Strict Mode:** Enables enhanced security validation requiring timeouts, explicit network configuration, and blocking write permissions. Use `--strict` flag or `strict: true` in frontmatter. +**Dependency Manifest Generation:** + +The `--dependabot` flag scans workflows for package dependencies and generates manifest files for automated security updates: + +- **npm**: Creates `package.json` and `package-lock.json` for packages used with `npx` (requires npm in PATH) +- **pip**: Creates `requirements.txt` for Python packages +- **Go**: Creates `go.mod` for packages installed via `go install` or `go get` + +The command also creates or updates `.github/dependabot.yml` to enable Dependabot monitoring. Existing manifests are merged intelligently to preserve manual entries. Use `--force` to overwrite the Dependabot configuration file if needed. + +```bash +# Scan workflows and generate manifests for detected dependencies +gh aw compile --dependabot + +# Force overwrite of existing dependabot.yml configuration +gh aw compile --dependabot --force +``` + +:::note +The `--dependabot` flag cannot be used with specific workflow files or custom `--workflows-dir`. It processes all workflows in `.github/workflows/`. +::: + ## ⚙️ Workflow Operations on GitHub Actions These commands control the execution and state of your compiled agentic workflows within GitHub Actions.
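Review bot: the inline comment on the new command-list line, `gh aw compile --dependabot --force # Force overwrite existing files`, contradicts the prose added further down in the same hunk, which says existing manifests are merged and that `--force` overwrites only the Dependabot configuration file; align the comment with the prose (for example `# Force overwrite existing dependabot.yml`) so a reader skimming the command list does not expect `package.json`, `requirements.txt` or `go.mod` to be replaced. The phrase "Existing manifests are merged intelligently to preserve manual entries" is also too vague for a reference page: state what is preserved (existing dependency entries and their version constraints, or non-dependency fields as well) so users know whether to review the generated diff before committing it, since these files drive what Dependabot will later monitor and update. Finally, the `:::note` constraint that `--dependabot` refuses `--workflows-dir` and always processes `.github/workflows/` sits several paragraphs away from the command list where `--workflows-dir custom/` and `--dependabot` appear on adjacent lines; a short mention next to the `# Dependency management` block would avoid the obvious combination being tried first.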