[EDI] Dependabot options reference (#59259)

Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com>

Author: 4 people

content/code-security/concepts/supply-chain-security/about-dependabot-security-updates.md

@@ -29,11 +29,15 @@ contentType: concepts
 
 ## About {% data variables.product.prodname_dependabot_security_updates %}
 
-{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. You typically add a `dependabot.yml` file to your repository to enable {% data variables.product.prodname_dependabot_security_updates %}. You then configure options in this file to tell {% data variables.product.prodname_dependabot %} how to maintain your repository.
+{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository.
+
+If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates).
+
+You can add a `dependabot.yml` configuration file to your repository to customize {% data variables.product.prodname_dependabot %} behavior, including update schedules, pull request settings, and which dependencies to monitor.  For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file). You then configure options in this file to tell {% data variables.product.prodname_dependabot %} how to secure the dependencies your repository relies on.
 
 {% data reusables.dependabot.dependabot-updates-supported-repos-ecosystems %}
 
-If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates).
+
 
 > [!NOTE]
 > There is no interaction between the settings specified in the `dependabot.yml` file and {% data variables.product.prodname_dependabot %} security alerts, other than the fact that alerts will be closed when related pull requests generated by {% data variables.product.prodname_dependabot %} for security updates are merged.

content/code-security/concepts/supply-chain-security/about-dependabot-version-updates.md

@@ -44,6 +44,8 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
 
 The `dependabot.yml` configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. {% data reusables.dependabot.dependabot-updates-supported-repos-ecosystems %}
 
+The `dependabot.yml` file can also be configured to tell {% data variables.product.prodname_dependabot %} how to maintain your dependencies. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file).
+
 For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary.
 
 When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates).

content/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file.md

@@ -0,0 +1,78 @@
+---
+title: About the dependabot.yml file
+intro: 'The `dependabot.yml` controls automated dependency updates in your repository.'
+allowTitleToDifferFromFilename: true
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+topics:
+  - Dependabot
+  - Vulnerabilities
+  - Repositories
+  - Dependencies
+shortTitle: dependabot.yml file
+contentType: concepts
+---
+
+The `dependabot.yml` file is an optional configuration file that gives you fine-grained control over how {% data variables.product.prodname_dependabot %} monitors and updates dependencies (mainly _version updates_ but also _security updates_) in your repository.
+
+Without a `dependabot.yml` file, {% data variables.product.prodname_dependabot %} can still create security updates for vulnerable dependencies if you've enabled {% data variables.product.prodname_dependabot_security_updates %} in your repository settings. However, you won't receive automated version updates or have control over update schedules and other configuration options.
+
+The `dependabot.yml` file uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes).
+
+> [!NOTE]
+> {% data variables.product.prodname_dependabot_alerts %} are configured in the repository or organization "Settings" tab and not in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).
+
+## What the `dependabot.yml` file does
+
+The `dependabot.yml` file controls how {% data variables.product.prodname_dependabot %} performs updates on your dependencies. With this file, you can:
+
+### For version updates
+
+* Enable automated version updates
+* Specify which package ecosystems and directories to monitor
+* Set update schedules
+* Customize pull request labels, assignees, reviewers, and commit messages
+* Control which dependencies to update or ignore
+* Configure authentication for private registries
+
+### For security updates
+
+* Customize security update pull requests with labels, assignees, and reviewers
+* Define target branches for security updates
+* Configure private registry authentication
+* Set limits on open pull requests
+
+## Where to store the `dependabot.yml` file
+
+You must store this file in the `.github` directory of your repository in the default branch (typically `main`). The path is:  `.github/dependabot.yml`.
+
+## How the `dependabot.yml` file works
+
+When you add or update the `dependabot.yml` file in your repository, {% data variables.product.prodname_dependabot %} reads the configuration and begins monitoring the specified package ecosystems according to your defined schedules. When {% data variables.product.prodname_dependabot %} finds available updates, it creates pull requests with the dependency changes, following any customization rules you've specified in the configuration.
+
+The configuration file requires the following keys for each package ecosystem to monitor.
+
+- **`version`**: Top-level field that specifies the Dependabot configuration syntax version.
+- **`updates`**: Top-level section where you define each package ecosystem to monitor for updates.
+- **`package-ecosystem`**: Defined under `updates`, specifies which package manager to update (such as npm, pip, or Docker).
+- **`directories` or `directory`**: Defined under each `package-ecosystem` entry, specifies the location of manifest or dependency definition files.
+- **`schedule.interval`**: Defined under each `package-ecosystem` entry, sets how often to check for version updates (`daily`, `weekly`, or `monthly`).
+
+## Basic example
+
+Here's a minimal `dependabot.yml` file that monitors npm dependencies daily:
+
+```yaml copy
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+```
+
+## Next step
+
+* Configure your repository so that Dependabot automatically updates the packages you use, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates)

content/code-security/concepts/supply-chain-security/index.md

@@ -16,6 +16,7 @@ children:
   - about-dependabot-alerts
   - about-dependabot-security-updates
   - about-dependabot-version-updates
+  - about-the-dependabot-yml-file
   - about-dependabot-auto-triage-rules
   - about-dependabot-on-github-actions-runners
   - immutable-releases

content/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates.md

@@ -51,7 +51,7 @@ You enable {% data variables.product.prodname_dependabot_version_updates %} by c
 
 1. Add a `version`. This key is mandatory. The file must start with `version: 2`.
 1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
-1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [About the dependabot.yml file](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#about-the-dependabotyml-file) in "{% data variables.product.prodname_dependabot %} options reference."
+1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference).
 1. For each package manager, use:
 
     * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-).

content/code-security/reference/supply-chain-security/dependabot-options-reference.md

@@ -23,16 +23,9 @@ shortTitle: Dependabot options
 contentType: reference
 ---
 
-## About the `dependabot.yml` file
+This article provides reference information for the configuration options available in the `dependabot.yml` file. Use these options to customize how {% data variables.product.prodname_dependabot %} monitors package ecosystems, schedules updates, and creates pull requests. For an overview of the `dependabot.yml` file and how it works, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file).
 
-The `dependabot.yml` file defines how {% data variables.product.prodname_dependabot %} maintains dependencies using version updates. In addition, all options marked with a {% octicon "shield-check" aria-label="Security updates" height="16" %} icon also change how {% data variables.product.prodname_dependabot %} creates pull requests for security updates, except where `target-branch` is used.
-
-The {% data variables.product.prodname_dependabot %} configuration file, `dependabot.yml`, uses YAML syntax. If you're new to YAML and want to learn more, see [Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes).
-
-You must store this file in the `.github` directory of your repository in the default branch. When you add or update the `dependabot.yml` file, this triggers an immediate check for version updates. For more information and an example, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates).
-
-> [!NOTE]
-> {% data variables.product.prodname_dependabot_alerts %} are configured in the repository or organization "Settings" tab and not in the `dependabot.yml` file, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).
+All options marked with a {% octicon "shield-check" aria-label="Security updates" height="16" %} icon also change how {% data variables.product.prodname_dependabot %} creates pull requests for security updates, except where `target-branch` is used.
 
 ### Required keys