
Disable scheduled runs, allow manual-only dependabot usage #8116

Open
1 task done
fregante opened this issue Oct 1, 2023 · 10 comments
Labels
T: feature-request Requests for new features

Comments

@fregante

fregante commented Oct 1, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

I want to use dependabot's updates, but only on request. Can you make schedule.interval optional? It looks like it's required now but I don’t think it needs to be.

The closest feature request to this would be:

I'd then set 0 0 30 2 * (February 30th)

@fregante fregante added the T: feature-request Requests for new features label Oct 1, 2023
@carogalvin
Contributor

@fregante thanks for submitting this request! I'm curious as to why you only want manual updates and not scheduled ones?

@fregante
Author

fregante commented Oct 2, 2023

I find dependabot to be mostly noise: when you have a hundred repos, the default behavior will trigger hundreds of PRs weekly. That's untenable.

The choice would either be:

  • open PRs every 6/10 months, just to keep the repos alive, or
  • open them on demand whenever I return to a repo to work on it again

@carogalvin
Contributor

OK, so it sounds like you have a lot of repos that don't have a lot of active development, so you don't want to be spammed by tons of Dependabot PRs across these repos, but you still want the dependencies to be bumped every so often. Does that sound right?

@fregante
Author

fregante commented Oct 2, 2023

Correct

@juandiana

Hi @carogalvin, I've got the same feature request but our use case is motivated rather differently than @fregante.

We've got a very active and intense dev team working on a repository where we've recently set up Dependabot, and it works nicely with what we need. The only thing that is lacking is its timing.

We have the policy of updating dependencies at the beginning of the development cycle of the next version. Each development cycle is about 2 to 4 weeks. We don't intend to have fixed times for our development cycle, so we'd like to be able to manually trigger the updates job at the beginning of each cycle and let Dependabot do its job, but we don't want to be working for Dependabot or have PRs polluting our inbox for the rest of the development cycle.

I hope that makes our case clear. We're really eager to keep using Dependabot. Let me know if you'd like to hear more.

@carogalvin
Contributor

carogalvin commented Nov 3, 2023

@juandiana thanks for that feedback! If you'd like to chat further and provide other feedback, feel free to set up a time in my calendar that is most convenient for you: https://calendar.app.google/vwDc8NcVjUBC2Cy3A

@sandstrom

We would also like to disable the scheduled runs of Dependabot.

We like that it can open PRs manually via the 'Security' tab on a repo, to patch an individual CVE. However, we need to configure the labels it's using (the default labels don't work with our label structure). When we try to configure the labels using dependabot.yml, we are also forced to activate the scheduling of dependabot.

For us, it would be great if we could disable it using one of the following:

  1. schedule.interval was optional (and it wouldn't run if it wasn't set) or
  2. schedule.interval could take the value never, to have it disabled.

@carogalvin
Contributor

@sandstrom a workaround for using dependabot.yml without enabling scheduled runs is to set open-pull-request-limit: 0. Then, Dependabot will still open security updates but not scheduled version bumps to latest.

Not ideal but might help with your use case here?
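The workaround above as a complete configuration, written here as an added example rather than taken from the thread or from Dependabot's own docs. It assumes an npm project at the repository root and uses the documented key spelling `open-pull-requests-limit`; the label names are constructed.

```yaml
# .github/dependabot.yml (added example; assumes an npm project at the repo root)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    # schedule.interval is still required, but it only governs version updates.
    schedule:
      interval: "weekly"
    # Workaround from the thread: a limit of 0 stops Dependabot from opening
    # scheduled version-update PRs. Security updates (the PRs opened on demand
    # from the repository's Security tab) are still raised and pick up the
    # label settings below. Key spelled as documented: open-pull-requests-limit.
    open-pull-requests-limit: 0
    # Replace the default "dependencies" label with the repository's own labels
    # (constructed names; adjust to the existing label structure).
    labels:
      - "deps"
      - "security-update"
```

Note that this silences version updates entirely rather than deferring them, which is the gap the thread is asking to close.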

@sandstrom

Thanks for helping out!

I know about it (and we use it). But our desire here was to disable that too, and only trigger dependabot manually via the security tab.

@viddo

viddo commented Jun 4, 2024

I'm curious as to why you only want manual updates and not scheduled ones?

@carogalvin Another use-case/data point: I do want automated updates, but the current possible values are way too limited. I'd like something between monthly~quarterly, but either way, not the first day of the month.

The reason is that it clashes with the regular release cycle at my company (which usually starts on the 1st day of the month); it would be preferable to be able to delay the automated updates to a different, later day, preferably one that I can control/configure. :)

#6339 sounds like a great idea, and I think it would resolve both mine and other problems brought up in this issue?
