Dependabot Error Alerts

A GitHub Action that checks for Dependabot workflow failures, and provides outputs for alerting.

Why?

Dependabot is a fantastic tool, but as of 2025-December, it lacks a critical feature: alerts for failures. It fails silently, which is a problem if you rely on it to keep your dependencies current.

Here's a dependabot-core issue filed in 2021, calling this out and asking for a solution.

Since Dependabot now runs via GitHub Actions, we can query the Actions API for failed runs, and alert accordingly.

Usage

name: Check Dependabot

on:
  schedule:
    - cron: '0 9 * * 1'  # Weekly on Monday at 9am
  workflow_dispatch: # Web trigger

permissions:
  actions: read

jobs:
  check:
    runs-on: ubuntu-slim

    steps:
      - name: Check for Dependabot failures
        id: check
        uses: case/dependabot-error-alerts@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          lookback_days: '7' # Check for Dependabot failures from the past 7 days

      - name: Send notification
        if: steps.check.outputs.has_failures == 'true'
        run: |
          echo "Found ${{ steps.check.outputs.failure_count }} Dependabot failure(s)"
          # Add your notification logic here (Slack, email, etc.)

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| github_token | GitHub token for API access | Yes | ${{ github.token }} |
| lookback_days | Number of days to look back for failures | No | 7 |
| fail_on_error | Fail the action if Dependabot failures are found | No | false |

Outputs

| Output | Description |
|---|---|
| failure_count | Number of Dependabot workflow failures found |
| has_failures | Whether any failures were found (true/false) |
| failures_json | JSON array of failure details (id, name, html_url, created_at) |

FAQ

I have a failed Dependabot job, how do I debug it?

Debugging failed Dependabot jobs is not in scope here - this tool is essentially a very simple failed Dependabot job detector. In my experience, the errors are often transient (e.g. due to network connectivity issues with upstream container image registries, etc.) - but sometimes they are due to typos or syntactic issues in manifest files like package.json and go.mod. Doing a web search for the error message will usually help you find other folks who've encountered the same issue already.

Will this tool duplicate notifications for failed Dependabot jobs?

Yes, this tool is "dumb" in the sense that it's only checking for the presence of any failed Dependabot job during the lookback period. It isn't tracking any detection state or notification history. If that seems like a desirable feature to add, we could probably do it with actions/upload-artifact - e.g. by storing the failed job ID.
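A sketch of the de-duplication idea from this answer, as an added example that is not part of this action's code. It assumes the failures_json output is passed in a FAILURES_JSON environment variable and that the ids saved by the previous check (for instance, restored from an artifact) arrive in a hypothetical SEEN_IDS variable; the sample data is constructed.

```javascript
// Added example: suppress repeat alerts for Dependabot failures already reported.
// Assumptions (not part of the action): FAILURES_JSON holds the failures_json
// output, SEEN_IDS holds the JSON array of ids saved by the previous check.

// Constructed sample in the documented shape (id, name, html_url, created_at).
const SAMPLE_FAILURES = JSON.stringify([
  { id: 101, name: 'constructed run A', html_url: 'https://example.invalid/runs/101', created_at: '2025-12-01T09:00:00Z' },
  { id: 102, name: 'constructed run B', html_url: 'https://example.invalid/runs/102', created_at: '2025-12-03T09:00:00Z' },
]);

// Parse untrusted JSON into a list of entries that carry an integer id.
function parseFailures(raw) {
  let data;
  try {
    data = JSON.parse(raw);
  } catch (err) {
    throw new Error('failures_json is not valid JSON');
  }
  if (!Array.isArray(data)) throw new Error('failures_json must be a JSON array');
  return data.filter((f) => f !== null && typeof f === 'object' && Number.isInteger(f.id));
}

// A missing or corrupt state means "nothing seen yet": the check re-alerts
// instead of silently hiding failures.
function parseSeen(raw) {
  try {
    const ids = JSON.parse(raw || '[]');
    return Array.isArray(ids) ? ids.filter(Number.isInteger) : [];
  } catch (err) {
    return [];
  }
}

// fresh: failures not alerted on before. nextSeen: state to persist, limited to
// ids still inside the lookback window so it cannot grow without bound.
function selectNewFailures(failures, seenIds) {
  const seen = new Set(seenIds);
  const fresh = failures.filter((f) => !seen.has(f.id));
  const nextSeen = Array.from(new Set(failures.map((f) => f.id))).sort((a, b) => a - b);
  return { fresh, nextSeen };
}

function run(env) {
  const failures = parseFailures(env.FAILURES_JSON || SAMPLE_FAILURES);
  const result = selectNewFailures(failures, parseSeen(env.SEEN_IDS));
  // One JSON document on stdout: the notifier reads fresh, the workflow saves nextSeen.
  console.log(JSON.stringify(result));
  return result;
}

run(process.env);
```

Raising lookback_days later brings older failures back into the window, and they are alerted on again because their ids were pruned from the saved state.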

Alternatives

You don't actually need a fully fledged third-party Action from the Marketplace to do this - the gh CLI can easily access the same data as this TS code. Here's a prototype that you could save as a composite action, e.g. in your .github/actions/dependabot-error-alerts/action.yaml. It does the exact same things as the TS code, but lacks the tests, etc.

name: 'Dependabot Error Alerts'
description: 'Detect failed Dependabot update jobs and get failure details for alerting'
author: 'github.com/case'

branding:
  icon: 'alert-triangle'
  color: 'orange'

inputs:
  lookback_days:
    description: 'Days to look back for failures (1 = daily, 7 = weekly, 30 = monthly)'
    required: false
    default: '7'
  repo:
    description: 'Repository to check (owner/repo format). Defaults to current repository.'
    required: false
    default: ''

outputs:
  has_failures:
    description: 'Whether any Dependabot failures were found (true/false)'
    value: ${{ steps.check.outputs.has_failures }}
  failure_count:
    description: 'Number of Dependabot failures found'
    value: ${{ steps.check.outputs.failure_count }}

runs:
  using: 'composite'
  steps:
    - name: Check for Dependabot failures
      id: check
      shell: bash
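      env:
        # The gh CLI needs a token when run in Actions; the calling workflow
        # must grant "actions: read" to this token
        GH_TOKEN: ${{ github.token }}
        INPUT_LOOKBACK_DAYS: ${{ inputs.lookback_days }}
        INPUT_REPO: ${{ inputs.repo }}
        GITHUB_REPOSITORY: ${{ github.repository }}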
      run: |
        # Determine which repo to check
        REPO="${INPUT_REPO}"
        if [ -z "$REPO" ]; then
          REPO="${GITHUB_REPOSITORY}"
        fi

        LOOKBACK_DAYS="${INPUT_LOOKBACK_DAYS:-7}"

        echo "Checking repository: $REPO"
        echo "Lookback period: ${LOOKBACK_DAYS} day(s)"

        # Calculate the timestamp for filtering
        SINCE=$(date -u -d "${LOOKBACK_DAYS} days ago" +%Y-%m-%dT%H:%M:%SZ)
        echo "Looking for failures since: $SINCE"

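        # Get failed Dependabot runs from the last N days.
        # gh run list returns only the 20 most recent runs unless --limit is given,
        # so raise it to avoid missing failures in a busy lookback window.
        # The timestamp and repo are passed to jq with --arg instead of being
        # spliced into the filter text.
        FAILURES=$(gh run list \
          --repo "$REPO" \
          --workflow "Dependabot Updates" \
          --limit 100 \
          --json conclusion,createdAt,databaseId,displayTitle \
          | jq --arg since "$SINCE" --arg repo "$REPO" \
            '[.[] | select(.conclusion == "failure" and .createdAt >= $since) | {displayTitle, createdAt, runId: .databaseId, url: "https://github.com/\($repo)/actions/runs/\(.databaseId)"}]')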

        COUNT=$(echo "$FAILURES" | jq 'length')

        echo "Found $COUNT Dependabot failure(s)"

        # Set outputs
        echo "failure_count=${COUNT}" >> "$GITHUB_OUTPUT"

        if [ "$COUNT" -gt 0 ]; then
          echo "has_failures=true" >> "$GITHUB_OUTPUT"
          echo ""
          echo "=== Failed Runs ==="
          echo "$FAILURES" | jq -r '.[] | "- \(.displayTitle)\n  Created: \(.createdAt)\n  URL: \(.url)\n"'
        else
          echo "has_failures=false" >> "$GITHUB_OUTPUT"
          echo "No Dependabot failures in the last ${LOOKBACK_DAYS} day(s)"
        fi

License

MIT
