GH-integrated Dependabot uses the wrong branch

[heoelri]

Hi there, we're using the GitHub-integrated dependabot excessively in our GitHub repositories and it works pretty well. We've also created a simple PowerShell script triggered by a GitHub Actions workflow to auto-generate the dependabot.yml (see Automated dependabot configuration in GitHub for more).

What we're observing from time to time is that dependabot is using the wrong target branch. Here for example the most recent one:

Dependabot is creating a PR against main. But the configuration says it should do it against component-updates.

- package-ecosystem: "docker"
  directory: "/src/app/AlwaysOn.UI"
  schedule:
    interval: "monthly" 
  target-branch: "component-updates" 

- package-ecosystem: "npm"
  directory: "/src/app/AlwaysOn.UI"
  schedule:
    interval: "monthly" 
  target-branch: "component-updates" 
  allow:
  - dependency-type: direct
  - dependency-type: production

The log under Insights -> Dependency graph does not give us any indicators what went wrong, and it says it was executed "3 days ago". The PR though was raised 32 minutes ago. Are there any other log files available helping us to understand the behavior of the GitHub-integrated dependabot? Any advice would be appreciated!

CC: @msimecek

[msimecek]

This morning Dependabot again created a PR for the url-parse library and again ignored our target-branch configuration:

There's no mention of this Dependabot run in the logs (last one is reported 5 days ago), so not sure why this keeps happening...

[tjcorr]

From what I'm reading at github/docs#12455:

All the options in the dependabot.yml file control the behavior of Dependabot version update pull requests. In addition, some of the options also change the default behavior of Dependabot security update pull requests (for example, the assignees field).

Dependabot security update pull requests are always opened against the default branch for the repository. Consequently, when you define an alternative target-branch for a package manager in the dependabot.yml file, the configuration for that package manager is no longer used for Dependabot security updates.

Are the PRs you're seeing against main security updates? If so that appears to be the expected behavior.

[heoelri]

Thank you very much @tjcorr for pointing us to the right docs. That indeed explains the behavior we've observed, the regular monthly (that's the interval we've configured) runs of dependabot create PRs against our target-branch, only some out of band updates create PRs against main.

It is good to know that this is the "expected behavior", but it doesn't really make sense to me. Why is the dependabot.yml used for some configurations across version and security updates, like for example the assignees field, but not for all? Why is the target-branch option for example ignored? We're using an intermediate branch to test changes before they're merged into main.