Evergreen action

[!IMPORTANT] This repository has moved from github/evergreen to github-community-projects/evergreen. Please update your git remote:

git remote set-url origin git@github.com:github-community-projects/evergreen.git

Note: replace origin with the name of your remote if it's different.


This is a GitHub Action that given an organization, team, or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be added. It also enables automated security updates for the repository.

This action was developed by the GitHub OSPO for our own use and written so that we could open source it, in the hope that it might be useful to you as well! If you want to know more about how we use it, reach out in an issue in this repository.

Example use cases

  • As a part of the security team for my company, I want to make sure that all of the repositories in the company organizations are regularly updating their dependencies to ensure they are using the most secure version of the dependency available.
  • As an OSPO or maintainer, I want to automate everything I can to keep maintaining my project(s) easy and efficient.

Support

If you need support using this project or have questions about it, please open up an issue in this repository. Requests made directly to GitHub staff or support team will be redirected here to open an issue. GitHub SLAs and support/services contracts do not apply to this repository.

OSPO GitHub Actions as a Whole

All feedback regarding our GitHub Actions, as a whole, should be communicated through issues on our github-ospo repository.

Use as a GitHub Action

  1. Create a repository to host this GitHub Action or select an existing repository.

  2. Select a best fit workflow file from the examples below.

  3. Copy that example into your repository (from step 1) and into the proper directory for GitHub Actions: the .github/workflows/ directory, with the file extension .yml (i.e. .github/workflows/evergreen.yml).

  4. Edit the values below from the sample workflow with your information:

    • ORGANIZATION
    • TEAM_NAME
    • REPOSITORY
    • EXEMPT_REPOS
    • TYPE
    • TITLE
    • BODY

    If running on a whole organization then no repository is needed. If running the action on just one repository or a list of repositories, then no organization is needed. If running the action on a team, then an organization is required and no repository is needed. The type should be either issue or pull, representing the action that you want taken after discovering a repository that should enable dependabot.

  5. Optionally, edit the value CREATED_AFTER_DATE if you are setting up this action to run regularly and only want newly created repositories to be considered. Otherwise, if you want all specified repositories regardless of when they were created to be considered, then leave it blank.

  6. Optionally edit the value UPDATE_EXISTING (default value false) if you want to update existing dependabot configuration files. If set to true, the action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. If set to false, the action will only create a new dependabot configuration file if there is not an existing one.

  7. Also edit the value for GH_ENTERPRISE_URL if you are using a GitHub Server and not using github.com. For github.com users, leave it empty. If your GitHub Enterprise Cloud instance uses the newer API format (e.g., https://api.mycompany.ghe.com), also set GH_ENTERPRISE_API_URL.

  8. Update the value of GH_TOKEN. Do this by creating a GitHub API token with the following permissions:

    • If using classic tokens:
      • workflow, which also grants all permissions under repo
      • under admin, read:org and write:org
    • If using fine-grained tokens:
      • Administration - Read and Write (Needed to activate the automated security updates)
      • Pull Requests - Read and Write (If TYPE input is set to pull)
      • Issues - Read and Write (If TYPE input is set to issue)
      • Workflows - Read and Write (Needed to create the dependabot.yml file)

    Then take the value of the API token you just created, and create a repository secret where the name of the secret is GH_TOKEN and the value of the secret is the API token. Then finally update the workflow file to use that repository secret by changing GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} to GH_TOKEN: ${{ secrets.GH_TOKEN }}. The name of the secret can be anything; it just needs to match between when you create the secret and when you refer to it in the workflow file.

  9. If you want the resulting issue with the output to appear in a different repository other than the one the workflow file runs in, update the line token: ${{ secrets.GITHUB_TOKEN }} with your own GitHub API token stored as a repository secret. This process is the same as described in the step above. More info on creating secrets can be found in the GitHub documentation on encrypted secrets.

  10. Commit the workflow file to the default branch (often master or main).

  11. Wait for the action to trigger based on the schedule entry or manually trigger the workflow as shown in the documentation.
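The ecosystem detection and the UPDATE_EXISTING rule from step 6 above, as an added Python example that is not the Evergreen action's own code: the manifest-to-ecosystem map, the root directory, the weekly interval and the function names are assumptions for illustration.

```python
# Added example (not the Evergreen action's own code). It models the two
# behaviours the README describes: detect package ecosystems from a repo's
# file listing, then create a dependabot config when none exists or, only
# when UPDATE_EXISTING is true, append ecosystems that are detected but not
# yet configured. Existing entries are never altered.
from __future__ import annotations

# Assumed mapping of well-known manifest files to Dependabot ecosystem names.
MANIFESTS = {
    "requirements.txt": "pip", "pyproject.toml": "pip",
    "package.json": "npm", "go.mod": "gomod", "Gemfile": "bundler",
    "Cargo.toml": "cargo", "pom.xml": "maven", "Dockerfile": "docker",
}

def detect_ecosystems(paths: list[str]) -> set[str]:
    """Return the Dependabot ecosystems implied by a repo's file listing."""
    found = set()
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name in MANIFESTS:
            found.add(MANIFESTS[name])
        elif p.startswith(".github/workflows/") and p.endswith((".yml", ".yaml")):
            found.add("github-actions")
    return found

def _entry(ecosystem: str) -> dict:
    # Assumed defaults: root directory, weekly interval.
    return {"package-ecosystem": ecosystem, "directory": "/",
            "schedule": {"interval": "weekly"}}

def plan_dependabot(existing: dict | None, detected: set[str],
                    update_existing: bool) -> dict | None:
    """Return the config to write, or None when nothing should change.

    existing: the parsed dependabot.yml, or None when the repo has none.
    """
    if existing is None:
        if not detected:
            return None
        return {"version": 2, "updates": [_entry(e) for e in sorted(detected)]}
    if not update_existing:
        return None  # UPDATE_EXISTING=false: leave an existing file alone
    configured = {u.get("package-ecosystem") for u in existing.get("updates", [])}
    missing = sorted(detected - configured)
    if not missing:
        return None
    merged = {"version": existing.get("version", 2),
              "updates": list(existing.get("updates", []))}
    merged["updates"].extend(_entry(e) for e in missing)
    return merged

if __name__ == "__main__":
    # Constructed sample listing for a repo that has no dependabot.yml yet.
    files = ["README.md", "requirements.txt", ".github/workflows/ci.yml"]
    print(plan_dependabot(None, detect_ecosystems(files), False))
```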

Configuration

Below are the allowed configuration options:

Authentication

This action can be configured to authenticate with GitHub App Installation or Personal Access Token (PAT). If all configuration options are provided, the GitHub App Installation configuration has precedence. You can choose one of the following methods to authenticate:

GitHub App Installation

| field | required | default | description |
| --- | --- | --- | --- |
| GH_APP_ID | True | "" | GitHub Application ID. See documentation for more details. |
| GH_APP_INSTALLATION_ID | True | "" | GitHub Application Installation ID. See documentation for more details. |
| GH_APP_PRIVATE_KEY | True | "" | GitHub Application Private Key. See documentation for more details. |
| GITHUB_APP_ENTERPRISE_ONLY | False | false | Set this input to true if your app is created in GHE and communicates with GHE. |

The needed GitHub app permissions are the following under Repository permissions:

  • Administration - Read and Write (Needed to activate the automated security updates)
  • Pull Requests - Read and Write (If TYPE input is set to pull)
  • Issues - Read and Write (If TYPE input is set to issue)
  • Workflows - Read and Write (Needed to create the dependabot.yml file)
  • Contents - Read and Write (Needed to create a commit)

Personal Access Token (PAT)

| field | required | default | description
