
Dependabot support for kmpkg

Dependabot is GitHub's automated dependency management service. It helps keep your project dependencies up to date by automatically creating pull requests when new versions are available. Dependabot added support for kmpkg in 2025.

How Dependabot works with kmpkg

When you enable Dependabot for your kmpkg projects, it monitors your kmpkg.json manifest files and automatically creates pull requests to update the builtin-baseline commit hash. This ensures your C/C++ dependencies stay current with the latest versions available in the kmpkg port repository.

Setting up Dependabot for kmpkg

To enable Dependabot version updates for your kmpkg project:

  1. Create or update your .github/dependabot.yml file in your repository's default branch:

     version: 2
     updates:
       - package-ecosystem: "kmpkg"
         directory: "/" # Location of your kmpkg.json file
         schedule:
           interval: "weekly"

  2. Customize the configuration based on your project needs:

     version: 2
     updates:
       - package-ecosystem: "kmpkg"
         directory: "/"
         schedule:
           interval: "weekly"
           day: "monday"
           time: "09:00"
           timezone: "America/New_York"
         labels:
           - "dependencies"
           - "kmpkg"
         commit-message:
           prefix: "deps"

Configuration options

Dependabot for kmpkg supports all standard Dependabot configuration options. The key kmpkg-specific requirements are:

  • package-ecosystem must be set to "kmpkg".
  • directory should point to the location of your kmpkg.json file.

For the full set of configuration options, see the Dependabot options reference.

kmpkg-specific considerations

  • Test thoroughly: Baseline updates can introduce breaking changes from dependencies. Always test your build after applying updates.
  • Monitor kmpkg announcements: Watch the kmpkg repository for announcements about breaking changes or important updates.
  • Consider version pinning: If you need some ports to stay on the same version as you move the rest forward with the baseline, consider overriding their versions in your kmpkg.json.

kmpkg-specific issues

Dependabot not creating pull requests:

  • Ensure your repository has a valid kmpkg.json with a builtin-baseline field.
  • Verify the directory path in your configuration points to the correct location.
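The two checks above can be scripted as a pre-flight step. The following is an added example, not code from Dependabot or kmpkg: `check_manifest` and `demo` are hypothetical names, the manifests and the port name are constructed samples, and it assumes a well-formed builtin-baseline is a full 40-character hexadecimal git commit hash.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: a well-formed baseline is a full 40-hex-character git commit hash.
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def check_manifest(repo_root, directory="/"):
    """Return a list of problems with the kmpkg.json that `directory` points at."""
    # `directory` is the value of `directory:` in .github/dependabot.yml.
    manifest = Path(repo_root) / directory.strip("/") / "kmpkg.json"
    if not manifest.is_file():
        return [f"no kmpkg.json under directory {directory!r}"]
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        return [f"kmpkg.json is not valid JSON: {exc.msg} (line {exc.lineno})"]
    # A manifest must be a JSON object; anything else has no baseline field.
    baseline = data.get("builtin-baseline") if isinstance(data, dict) else None
    if baseline is None:
        return ["kmpkg.json has no builtin-baseline field"]
    if not isinstance(baseline, str) or not COMMIT_RE.match(baseline):
        return ["builtin-baseline is not a full 40-character commit hash"]
    return []


def demo():
    """Run the check over constructed manifests in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed sample: valid manifest with a placeholder hash.
        (root / "app" / "kmpkg.json").write_text(json.dumps({
            "dependencies": ["fmt"],
            "builtin-baseline": "0123456789abcdef0123456789abcdef01234567",
        }))
        # Constructed sample: manifest at the repository root without a baseline.
        (root / "kmpkg.json").write_text(json.dumps({"dependencies": ["fmt"]}))
        return {
            "app": check_manifest(root, "/app"),
            "root": check_manifest(root, "/"),
            "missing": check_manifest(root, "/tools"),
        }


if __name__ == "__main__":
    for where, problems in demo().items():
        print(where, "->", problems or "ok")
```

Run it with each `directory` value listed in your dependabot.yml; an empty list means the manifest passes both checks.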

Build failures after baseline updates:

  • Baseline updates may introduce breaking changes from dependencies.
  • Review the kmpkg port changes included in the baseline update.
  • Consider pinning specific dependency versions in your kmpkg.json if needed.
