Unable to disable dependabot pull requests on private repository

[MvWouden]

Select Topic Area

Bug

Context

I have a repository where I used to have dependabot set up through .github/dependabot.yml and the "Code security and analysis" settings. This would automatically create weekly dependency bump pull requests.

I have recently disabled all settings in the "Code security and analysis" settings and removed the .github/dependabot.yml to disable dependabot fully.

Problem

I keep getting weekly dependabot pull requests even though I have:

• Removed .github/dependabot.yml
• Disabled "Dependabot alerts" under "Code security and analysis" settings
• Disabled "Dependabot security updates" under "Code security and analysis" settings
• Disabled "Dependabot version updates" under "Code security and analysis" settings
• Disabled "Dependency graph" under "Code security and analysis" settings

Edit for clarification: I have performed these actions around two full months ago and the issue still lingers.

Expected behaviour

I expect dependabot to be disabled after the actions I have taken.

Am I missing something?

[davixmns]

It seems that there might be a delay in the propagation of the changes you've made to disable Dependabot. The process of updating the configuration and removing the scheduled Dependabot tasks can sometimes take a few hours to complete.

To ensure that Dependabot is fully disabled, you can manually trigger a check for updates from the dependency graph. This will force Dependabot to evaluate the current configuration and ensure that it is not scheduled to run any further updates.

Here are the steps on how to manually trigger a check for updates from the dependency graph:

Go to your repository on GitHub.
Navigate to the "Code" tab.
Click on the "Dependency graph" link.
Click on the "Check for updates" button.
This will force Dependabot to evaluate the current configuration and ensure that it is not scheduled to run any further updates. If Dependabot is still creating pull requests after you have performed these steps, then you may need to contact GitHub support for assistance.

[MvWouden]

Thank you for your swift response. Unfortunately, I have taken this action about 2 months ago and the issue has persisted until now. So it's not a matter of hours to accustom to the change.

[davixmns]

okay man :/. Pls, can you mark this discussion as answered by me?

[MvWouden]

okay man :/. Pls, can you mark this discussion as answered by me?

I cannot since your answer was not the solution.

[carogalvin]

Hi @MvWouden, I'm the product manager for Dependabot at GitHub. Can you tell me what repo this is and I can check its status in the backend?

[MvWouden]

Hi @MvWouden, I'm the product manager for Dependabot at GitHub. Can you tell me what repo this is and I can check its status in the backend?

Hi, thanks for your message. The private repo where Dependabot should be disabled is called pyside6-playground. You may notice that I have a lot of closed Dependabot PRs there. An example repo where I have Dependabot activated (as it should) is called modern-python-setup. Both are source repositories on this account.

[carogalvin]

For some reason, Dependabot hadn't picked up on the deletion of your dependabot.yml and thought that it was still active. I have resynced Dependabot on your repo pyside6-playground and it now sees that it was deleted. You should not receive any more PRs from Dependabot. If you do end up seeing more PRs, let me know!

[MvWouden]

For some reason, Dependabot hadn't picked up on the deletion of your dependabot.yml and thought that it was still active. I have resynced Dependabot on your repo pyside6-playground and it now sees that it was deleted. You should not receive any more PRs from Dependabot. If you do end up seeing more PRs, let me know!

Thank you!