docs: clarify dependency graph/review enabled/default status #44586
hesreallyhim wants to merge 2 commits into
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates the supply-chain security documentation to reflect feature availability and defaults across repository types, while cleaning up formatting and consolidating repeated content.
Changes:
- Consolidates public/private repository feature availability into a single set of bullets.
- Updates descriptions for dependency graph, dependency review, and Dependabot alerts prerequisites.
- Fixes formatting issues (for example, “Immutable releases” bullet formatting) and relocates “Artifact attestations” into the shared list.
| * **Dependency graph:** Enabled by default and cannot be disabled. | ||
| * **Dependency review:** Enabled by default and cannot be disabled. | ||
| * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. | ||
| * **Dependency graph:** Not enabled by default. Available for public and private repositories, and can be enabled or disabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). |
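Review bot: the new dependency graph bullet ("Not enabled by default ... can be enabled or disabled by repository administrators") leaves the Dependabot alerts bullet above it reading as though GitHub always "detects insecure dependencies and displays information in the dependency graph"; with the graph off by default that detection only happens once the graph has been enabled, so state the dependency explicitly in the alerts bullet (for example, "Requires the dependency graph to be enabled.") rather than leaving it implied.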
This change is intentional, and is the primary purpose of the PR - the distinction between public and private repos appears to represent outdated policy.
| * **Dependency review:** Enabled by default and cannot be disabled. | ||
| * **{% data variables.product.prodname_dependabot_alerts %}:** Not enabled by default. {% data variables.product.prodname_dotcom %} detects insecure dependencies and displays information in the dependency graph, but does not generate {% data variables.product.prodname_dependabot_alerts %} by default. Repository owners or people with admin access can enable {% data variables.product.prodname_dependabot_alerts %}. | ||
| * **Dependency graph:** Not enabled by default. Available for public and private repositories, and can be enabled or disabled by repository administrators. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). | ||
| * **Dependency review:** Available when the dependency graph is enabled. For private repositories, the repository must also be owned by an organization that uses {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} and has a license for {% data variables.product.prodname_GHAS_or_code_security %}. For more information, see [AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security) and [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#enabling-and-disabling-the-dependency-graph). |
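Review bot: the dependency review bullet now opens with "Available when the dependency graph is enabled", while every other bullet in this list opens with "Enabled by default" or "Not enabled by default"; since the dependency graph bullet above it now says the graph is off by default, consider opening this one the same way ("Not enabled by default; available once the dependency graph is enabled. For private repositories, ...") so a reader scanning the list gets the default state at a glance. The second link still targets the "#enabling-and-disabling-the-dependency-graph" anchor, which matches the new wording, so that can stay.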
The links used were preserved from the pre-existing documentation
| * **{% data variables.product.prodname_dependabot_version_updates %}:** Not enabled by default. People with write permissions to a repository can enable {% data variables.product.prodname_dependabot_version_updates %}. For information about enabling version updates, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | ||
| * **Immutable releases*:** Not enabled by default. You can enable release immutability for a repository or organization. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/preventing-changes-to-your-releases). | ||
| * **Immutable releases:** Not enabled by default. You can enable release immutability for a repository or organization. See [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/preventing-changes-to-your-releases). | ||
| * **Artifact attestations:** Available in all public repositories, but you must explicitly generate attestations in your build workflows. Only available in private repositories on {% data variables.product.prodname_ghe_cloud %}. See [AUTOTITLE](/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). |
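Review bot: the artifact attestations bullet is the only entry in the consolidated list that still splits availability by repository visibility, and its sentences are out of order ("Available in all public repositories, but you must explicitly generate attestations ... Only available in private repositories on ..."); reorder to state availability first and the workflow requirement second, e.g. "Available in all public repositories; in private repositories, only on {% data variables.product.prodname_ghe_cloud %}. You must explicitly generate attestations in your build workflows." The removal of the stray asterisk in "Immutable releases*:" above it is correct and should land together with this.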
I'm happy to accept this suggestion if sub-bullets are preferred.
Summary of issue: this document/section (https://docs.github.com/en/code-security/concepts/supply-chain-security/about-supply-chain-security#feature-availability) states:
This appears to be stale information, given other references cited in the issue mentioned below, and in particular two GitHub changelog/announcements (https://github.blog/changelog/2025-05-15-users-can-now-disable-dependency-graph-for-public-repositories/) and (https://github.blog/changelog/2025-06-17-dependency-graph-now-defaults-to-off/), the more recent of which states:
Why:
Closes: #44585
What's being changed (if available, include any code snippets, screenshots, or gifs):
I'm submitting a change to a single doc that appears to have missed the changes made after the announcements cited above. Rather than correcting individual lines that are now false, I am proposing that the whole section, which is broken into Public, Private, and Any, be condensed, since the distinction between public and private is now significantly reduced. (More citations can be found in the linked issue.)
There is another document which contains this same error, but it is outside of the `content` directory, so I didn't know if I should touch it: `data/reusables/gated-features/dependency-graph.md`.
I also made a change to a formatting error affecting the "Immutable Releases" item, which had an extra `*`, creating this visual bug:
Check off the following: