Trigger Dependabot when there is a PR to "develop"


In my project I use Dependabot to scan our packages; I configured the dependabot.yml file to scan on a schedule like this:

version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the `root` directory
    directory: "/"
    # Check the npm registry for updates every day (weekdays)
    schedule:
      interval: "daily"
    reviewers:
      - "@XXXXX"
  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    # Check for updates once a week
    schedule:
      interval: "weekly"
    reviewers:
      - "@XXXX"

Now I'm trying to find a way to trigger Dependabot to run when a developer opens a pull request from their branch to the "develop" branch. I attempted to create a GitHub Actions workflow that triggers on a pull request event, aiming to start Dependabot to scan the developer's branch before merging it. Unfortunately, I haven't been successful in triggering Dependabot through the GitHub Actions.

I also came across actions/dependency-review-action, but it seems to require a license for use on private repositories. As we are looking for a free solution, does anyone have recommendations or insights on how to achieve Dependabot scans on a developer's branch when they open a pull request to the "develop" branch without incurring additional costs?

1 answer

Answer by Md Habibullah:

Create a new YAML file .github/workflows/your-file-name.yml for the GitHub Action specification, use an alternative to dependabot-preview, and this setup file will trigger a run when a developer opens a pull request.

I think this way will work for you:
  1. Don't use dependabot. Note: Goodbye Dependabot
name: Dependency Scan on Pull Request but don't use dependabot

on:
  pull_request:
    branches: [develop]

jobs:
  dependabot-preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: dependabot/dependabot-preview@v4
        with:
          path: .
          token: ${{ secrets.GITHUB_TOKEN }}
  2. You can use Snyk or an alternative
name: Dependency Scan on Pull Request

on:
  pull_request:
    branches: [develop]

# An example follows of using a Snyk GitHub Action to test a Node.js project
jobs:
  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Example of a Snyk setup and more
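A no-cost option for private repositories, added here as an example and not part of the answer above: a workflow that runs npm's built-in audit on every pull request into develop and fails the check when a high or critical advisory is present. It assumes a Node.js project with a package-lock.json at the repository root and a runner that has jq available (true for ubuntu-latest).

```yaml
name: Dependency audit on pull request

on:
  pull_request:
    branches: [develop]

# The job only needs to read the PR's tree
permissions:
  contents: read

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      # Install exactly what the lockfile pins, without running package scripts,
      # so the audit reflects the dependency tree the PR would merge
      - run: npm ci --ignore-scripts
      # Non-zero exit (and therefore a failed check) only for high/critical findings
      # in production dependencies; lower severities still show in the log
      - name: Audit production dependencies
        run: npm audit --omit=dev --audit-level=high
      # Always publish a severity count to the job summary, even when the audit step failed
      - name: Summarise findings
        if: always()
        run: |
          npm audit --omit=dev --json > audit.json || true
          jq -r '.metadata.vulnerabilities
                 | "critical=\(.critical) high=\(.high) moderate=\(.moderate) low=\(.low)"' \
            audit.json >> "$GITHUB_STEP_SUMMARY"
```

The severity threshold and the `--omit=dev` flag can be tuned per repository; dropping `--omit=dev` also gates on advisories in build-time tooling.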