
require-dependabot-assignees

Rule catalog ID: R077

Targeted pattern scope

Dependabot update entries and multi-ecosystem groups that control pull request ownership.

What this rule reports

This rule reports update entries that do not resolve to a non-empty assignees list, either directly or via multi-ecosystem-groups inheritance.

Why this rule exists

Dependabot pull requests are easy to ignore when they are unowned. Requiring assignees makes update responsibility explicit and improves triage speed.

โŒ Incorrectโ€‹

version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
time: "05:30"
timezone: "UTC"

✅ Correct

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      time: "05:30"
      timezone: "UTC"
    assignees:
      - "octocat"

Additional examples

This rule also accepts assignees inherited from a multi-ecosystem-group, which is often the cleanest way to keep ownership consistent across multiple update entries.
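The resolution described under "What this rule reports" and the group inheritance mentioned above can be sketched as follows. This is an added example, not the plugin's own implementation; the function names and the sample configuration are constructed for illustration, and it assumes an entry's own assignees and its group's assignees are combined.

```javascript
// Added illustration: NOT the plugin's implementation. The object below is a
// constructed dependabot.yml, already parsed from YAML into plain JavaScript.
const parsedConfig = {
  version: 2,
  "multi-ecosystem-groups": {
    infrastructure: { schedule: { interval: "weekly" }, assignees: ["octocat"] },
    tooling: { schedule: { interval: "monthly" } }, // group without assignees
  },
  updates: [
    { "package-ecosystem": "npm", directory: "/", assignees: ["octocat"] },
    // No own assignees; inherits them from the "infrastructure" group.
    { "package-ecosystem": "docker", directory: "/", patterns: ["*"],
      "multi-ecosystem-group": "infrastructure" },
    // The group exists but defines no assignees, so the entry is unowned.
    { "package-ecosystem": "pip", directory: "/", patterns: ["*"],
      "multi-ecosystem-group": "tooling" },
    // An empty list and no group: unowned.
    { "package-ecosystem": "gomod", directory: "/", assignees: [] },
  ],
};

// Keep only non-blank string entries; anything else does not name an owner.
function cleanList(value) {
  if (!Array.isArray(value)) return [];
  return value.filter((v) => typeof v === "string" && v.trim() !== "");
}

// Effective assignees for one update entry: its own list plus its group's list.
function resolveAssignees(entry, groups) {
  const groupName = entry["multi-ecosystem-group"];
  const group = typeof groupName === "string" && Object.hasOwn(groups, groupName)
    ? groups[groupName] : undefined;
  const inherited = group ? cleanList(group.assignees) : [];
  return [...new Set([...cleanList(entry.assignees), ...inherited])];
}

// Return the update entries that resolve to an empty assignees list.
function findUnownedUpdates(config) {
  const groups = config["multi-ecosystem-groups"] ?? {};
  return (config.updates ?? [])
    .map((entry, index) => ({ index, ecosystem: entry["package-ecosystem"],
      assignees: resolveAssignees(entry, groups) }))
    .filter((result) => result.assignees.length === 0);
}

console.log(findUnownedUpdates(parsedConfig));
```

Only the `pip` and `gomod` entries are returned: the `docker` entry passes because its group supplies `octocat`.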

ESLint flat config example

import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.dependabot];

When not to use it

Disable this rule when ownership is handled exclusively through CODEOWNERS, bots, or external automation and explicit assignees would be noisy.

Further reading