supply-chain

Subscribe to all “supply-chain” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Dependabot now lets you schedule update frequencies with cron expressions

Dependabot users can now schedule custom update frequencies by using cron expressions in schedule.interval in the Dependabot configuration file. This enhances the predefined intervals (daily, weekly, and monthly) and provides a more generic and robust solution. This gives Dependabot users the ability to define custom schedules that meet their specific needs.

For help writing a cron expression, try this tool.

To learn more about using cron expressions to schedule Dependabot updates in the dependabot.yml file, check out GitHub’s Dependabot schedule.interval docs.

To engage with the Dependabot community on the topic of cron-based update scheduling, join the conversation.

See more

Persistent commit signature verification is generally available

We’re excited to announce that persistent commit signature verification is now generally available! This powerful feature ensures that commit signatures are verified once at the time of the push and remain permanently verified within their respective repository’s network.

With persistent commit signature verification, commit signatures retain their verified status even if signing keys are rotated, revoked, or contributors leave the organization. You can view verification timestamps by hovering over the Verified badge on GitHub or by accessing the verified_at field through the REST API.

A badge tooltip displaying the date when the signature was first verified.

This feature brings long-term reliability to your commit history, offering a consistent solution for managing commit signatures over time. New commits have had persistent records since the public preview launch. Existing commits progressively gain persistent records during their next verification, such as when viewing the Verified badge on GitHub or retrieving the commit via the REST API.

Learn more about commit signature verification and join the conversation in the GitHub Community.

See more

Improved error handling for Dependabot updates for NuGet

Dependabot will now fail gracefully with informative error messages when an unsupported NuGet project type is encountered. If you were using an unsupported project type previously, Dependabot might have failed silently without producing updates. Dependabot is able to process updates to NuGet project files in the .csproj, .vbproj, and .fsproj formats.

See more

Gradle starter workflows now automatically submit transitive dependencies

If you’re using starter workflows to prepare the build and release steps for your Java projects that use Gradle, these projects will now have more comprehensive dependency graph information in GitHub. The Gradle starter workflows have been updated to automatically submit transitive dependencies to GitHub, improving the quality of dependency graph data and Dependabot updates for these apps.

Learn more about the action these starter workflows use by checking out the Build with Gradle action on the GitHub Marketplace. Thank you Gradle for making these updates!

Join the discussion within GitHub Community.

See more

Dependency graph has a REST API for submitting dependencies detected at build time

Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency graph. Submitted dependencies will appear in a repository’s dependency graph and any associated vulnerabilities will trigger Dependabot alerts.

Releasing alongside the dependency submission API are the:

Learn more about the dependency submission API.

See more