We still do not allow dependabot to write to repos. There is a way to receive the dependabot alerts via email, but no write access to the repo.
> On Aug 30, 2021, at 9:50 AM, Jarek Potiuk <ja...@potiuk.com> wrote:
>
> I believe that changed when GitHub bought dependabot and it became "embedded" in GitHub soon after: https://dependabot.com/blog/hello-github/
>
> J.
>
> On Mon, Aug 30, 2021 at 3:43 PM Lewis John McGibbney <lewi...@apache.org> wrote:
>
>> Thanks Gary and Sebb.
>> How do I turn dependabot on? Last time I tried I was informed that due to the program requiring write permissions to the repository, it wasn’t possible…
>> This policy must have changed…
>> Thanks for any info.
>> lewismc
>>
>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>> Most of Apache Commons' components are happy users of Dependabot, which is used on our GitHub mirrored repositories.
>>>
>>> Gary
>>>
>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
>>>
>>>> Hi builds@,
>>>> I was advised to ask my question here instead of general@incubator.
>>>> Thanks for any feedback
>>>>
>>>>> I understand that we cannot use automated tooling, specifically Dependabot (https://dependabot.com/) because it requests write access to the ASF project source code.
>>>>> I have found this functionality to be really useful and wondered if there are any suggestions out there for automating the dependency management workflow?
>>>>> Thanks for any feedback.
>>>>> lewismc
>>>> --
>>>> http://home.apache.org/~lewismc/
>>>> http://people.apache.org/keys/committer/lewismc