This GitHub Actions workflow automatically migrates reviewers from your .github/dependabot.yml file to the CODEOWNERS.
Dependabot is removing the reviewers feature which can be replaced by CODEOWNERS file. This action workflow facilitates easier transition from reviewers to CODEOWNERS based reviewers management.
- One step migration: Migrate reviewers permissions with single action run
- Manual Trigger: Runs on-demand via
workflow_dispatch
version: 2updates: - package-ecosystem: "npm"directory: "/frontend"reviewers: - "alice" - "frontend-team" - package-ecosystem: "docker"directories: - "/" - "/backend"reviewers: - "devops-team" - package-ecosystem: "bundler"directory: "/"reviewers: - "backend-team"# Dependabot reviewers (migrated from .github/dependabot.yml) /*.dockerfile @devops-team /*.gemspec @backend-team /Dockerfile @devops-team /Dockerfile.* @devops-team /Gemfile @backend-team /Gemfile.lock @backend-team /backend/*.dockerfile @devops-team /backend/Dockerfile @devops-team /backend/Dockerfile.* @devops-team /frontend/package.json @frontend-team @alice /frontend/package-lock.json @frontend-team @alice /frontend/npm-shrinkwrap.json @frontend-team @alice Place actions workflow file at .github/workflows/sync-dependabot-reviewers.yml in your repository.
- Go to Actions tab in your GitHub repository
- Select "Migrate Dependabot Reviewers to CODEOWNERS" workflow
- Click "Run workflow"
- The workflow will create a PR if changes are needed
The workflow needs:
contents: write- to update CODEOWNERS filepull-requests: write- to create pull requests
No reviewers found in dependabot.yml Solution: Ensure your dependabot.yml has reviewers sections defined for the package ecosystems you want to sync.
dependabot.yml file not found Solution: Make sure .github/dependabot.yml exists in your repository.
No changes needed - CODEOWNERS is already up to date This is normal: The workflow only creates PRs when there are actual changes to make.
If action migration PR is already open, changes are made to open PR instead of creating new PR
Bash script to migrate Dependabot reviewers from .github/dependabot.yml to CODEOWNERS file. Works with Windows, Linux, Solaris, macOS, BSD etc (requires bash support to work).
- Download and place script
migrate-dependabot-reviewers.shin your repository root folder - Run script:
./migrate-dependabot-reviewers.sh - Script will update existing CODEOWNERS or generate a new file if required
- Review, commit and push CODEOWNERS file
- Navigate to repository root folder in Bash and execute following commands:
curl -O https://raw.githubusercontent.com/dependabot/codeowner-migration-action/main/migrate-dependabot-reviewers.sh chmod +x migrate-dependabot-reviewers.sh ./migrate-dependabot-reviewers.sh- Review, commit and push CODEOWNERS file
- bash shell (only requirement - available on all target platforms)
| Platform | Environment | Status | Notes |
|---|---|---|---|
| Linux | All distributions | ✅ Full | All shells and distributions |
| Windows | Git Bash | ✅ Full | Recommended for Windows |
| Windows | WSL/WSL2 | ✅ Full | All Linux distributions |
| Windows | Command Prompt | ✅ Limited | Requires bash in PATH |
| macOS | Terminal | ✅ Full | Works with default bash 3.2+ |
| Solaris | All versions | ✅ Full | Modern and traditional |
| FreeBSD | All versions | ✅ Full | All BSD variants |
| AIX | All versions | ✅ Full | Enterprise Unix |
./migrate-dependabot-reviewers.sh# Git Bash (Recommended) ./migrate-dependabot-reviewers.sh # WSL Ubuntu ./migrate-dependabot-reviewers.sh # Command Prompt (if bash is in PATH) bash migrate-dependabot-reviewers.sh # PowerShell (if bash is available) bash ./migrate-dependabot-reviewers.sh# Terminal (works with default bash 3.2) ./migrate-dependabot-reviewers.sh # With newer bash from Homebrew /usr/local/bin/bash ./migrate-dependabot-reviewers.sh# Modern Solaris ./migrate-dependabot-reviewers.sh # Traditional Solaris /usr/bin/bash ./migrate-dependabot-reviewers.shInput (dependabot.yml):
version: 2updates: - package-ecosystem: "npm"directory: "/frontend"reviewers: - "frontend-team" - "alice"schedule: interval: "weekly"Command:
./migrate-dependabot-reviewers.shOutput (CODEOWNERS):
# Dependabot reviewers (migrated from .github/dependabot.yml) /frontend/package.json @frontend-team @alice /frontend/package-lock.json @frontend-team @alice /frontend/npm-shrinkwrap.json @frontend-team @alice /frontend/yarn.lock @frontend-team @alice /frontend/pnpm-lock.yaml @frontend-team @alice Input (dependabot.yml):
version: 2updates: - package-ecosystem: "npm"directory: "/"reviewers: - "frontend-team" - package-ecosystem: "bundler"directory: "/api"reviewers: - "backend-team" - "senior-dev" - package-ecosystem: "docker"directory: "/containers"reviewers: - "devops-team" - package-ecosystem: "terraform"directory: "/infrastructure"reviewers: - "platform-team"Generated CODEOWNERS:
# Dependabot reviewers (migrated from .github/dependabot.yml) /*.gemspec @frontend-team /package.json @frontend-team /package-lock.json @frontend-team /api/Gemfile @backend-team @senior-dev /api/Gemfile.lock @backend-team @senior-dev /api/*.gemspec @backend-team @senior-dev /containers/Dockerfile @devops-team /containers/Dockerfile.* @devops-team /containers/*.dockerfile @devops-team /infrastructure/*.tf @platform-team /infrastructure/*.tfvars @platform-team /infrastructure/*.hcl @platform-team Problem: Script cannot find the dependabot configuration Solutions:
- Ensure you're in the repository root
- Check that
.github/dependabot.ymlexists - Verify file permissions
Problem: No reviewers sections in dependabot.yml Solutions:
- Add
reviewers:sections to your dependabot.yml - Verify YAML syntax is correct
- Check that updates have reviewers defined
# If bash not found where bash # Install Git for Windows or use WSL # Run with full path"C:\Program Files\Git\bin\bash.exe" migrate-dependabot-reviewers.sh# Check bash version bash --version # Use newer bash if available /usr/local/bin/bash ./migrate-dependabot-reviewers.sh# Use full path to bash /usr/bin/bash ./migrate-dependabot-reviewers.sh # Add to PATH if neededexport PATH="/usr/bin:$PATH"For users who prefer to migrate reviewers manually without using any scripts or automated tools, this section provides step-by-step instructions to convert your dependabot.yml reviewers to CODEOWNERS entries.
- Open your repository's
.github/dependabot.ymlfile - Create or open the
CODEOWNERSfile in one of these locations:CODEOWNERS(repository root).github/CODEOWNERSdocs/CODEOWNERS
Look for sections with reviewers in your dependabot.yml:
version: 2updates: - package-ecosystem: "npm"directory: "/frontend"reviewers: - "frontend-team" - "alice" - package-ecosystem: "bundler"directory: "/"reviewers: - "backend-team"For each package ecosystem, identify the specific manifest files it manages:
| Ecosystem | Manifest Files to Add to CODEOWNERS |
|---|---|
bundler | Gemfile, Gemfile.lock, *.gemspec |
npm | package.json, package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml |
cargo | Cargo.toml, Cargo.lock |
composer | composer.json, composer.lock |
docker | Dockerfile, Dockerfile.*, *.dockerfile |
pip | requirements.txt, requirements/*.txt, setup.py, setup.cfg, pyproject.toml, Pipfile, Pipfile.lock |
gomod | go.mod, go.sum |
gradle | build.gradle, build.gradle.kts, gradle.properties, settings.gradle, settings.gradle.kts |
maven | pom.xml, *.pom |
mix | mix.exs, mix.lock |
pub | pubspec.yaml, pubspec.yml, pubspec.lock |
swift | Package.swift, Package.resolved |
github-actions | .github/workflows/*.yml, .github/workflows/*.yaml, action.yml, action.yaml |
gitsubmodule | .gitmodules |
devcontainers | .devcontainer/devcontainer.json, .devcontainer.json |
nuget | *.csproj, *.fsproj, *.vbproj, *.sln, packages.config, Directory.Build.props, Directory.Packages.props |
dotnet-sdk | *.csproj, *.fsproj, *.vbproj, *.sln, packages.config, global.json |
terraform | *.tf, *.tfvars, *.hcl |
elm | elm.json |
helm | Chart.yaml, Chart.yml, values.yaml, values.yml |
Transform the directory value from dependabot.yml to CODEOWNERS patterns:
| dependabot.yml directory | CODEOWNERS pattern prefix |
|---|---|
"/" | / (root files) |
"/frontend" | /frontend/ |
"/api" | /api/ |
"backend" | /backend/ (add leading slash) |
Ensure all reviewers have the @ prefix:
"frontend-team"→@frontend-team"alice"→@alice"@already-formatted"→@already-formatted(no change)
Combine the directory path + manifest file + reviewers:
Formula:[directory]/[manifest-file] [reviewers...]
Given this dependabot.yml:
version: 2updates: - package-ecosystem: "npm"directory: "/frontend"reviewers: - "frontend-team" - "alice" - package-ecosystem: "bundler"directory: "/"reviewers: - "backend-team" - package-ecosystem: "docker"directory: "/api"reviewers: - "devops-team"Step-by-step conversion:
npm in /frontend with reviewers "frontend-team", "alice":
/frontend/package.json @frontend-team @alice /frontend/package-lock.json @frontend-team @alice /frontend/npm-shrinkwrap.json @frontend-team @alice /frontend/yarn.lock @frontend-team @alice /frontend/pnpm-lock.yaml @frontend-team @alicebundler in / with reviewers "backend-team":
/Gemfile @backend-team /Gemfile.lock @backend-team /*.gemspec @backend-teamdocker in /api with reviewers "devops-team":
/api/Dockerfile @devops-team /api/Dockerfile.* @devops-team /api/*.dockerfile @devops-team
Final CODEOWNERS file:
# Dependabot reviewers (migrated from .github/dependabot.yml) /*.gemspec @backend-team /Gemfile @backend-team /Gemfile.lock @backend-team /api/Dockerfile @devops-team /api/Dockerfile.* @devops-team /api/*.dockerfile @devops-team /frontend/package.json @frontend-team @alice /frontend/package-lock.json @frontend-team @alice /frontend/npm-shrinkwrap.json @frontend-team @alice /frontend/yarn.lock @frontend-team @alice /frontend/pnpm-lock.yaml @frontend-team @alice - Add a header comment to identify the Dependabot section
- Sort patterns logically: root files first, then by directory depth
- Test your patterns by creating a test file and checking GitHub's code owners
- Use consistent formatting with spaces between patterns and reviewers
- Missing @ prefix on reviewer names
- Incorrect glob patterns (use
*.extnot**.extfor single directory) - Wrong directory separators (use
/even on Windows) - Forgetting manifest files specific to each ecosystem
dependabot.yml:
- package-ecosystem: "npm"directories: - "/frontend" - "/admin" - "/mobile"reviewers: - "frontend-team"Manual CODEOWNERS entries:
/admin/package.json @frontend-team /admin/package-lock.json @frontend-team /frontend/package.json @frontend-team /frontend/package-lock.json @frontend-team /mobile/package.json @frontend-team /mobile/package-lock.json @frontend-team dependabot.yml:
- package-ecosystem: "docker"directory: "/"reviewers: - "devops-team"Manual CODEOWNERS entries:
/Dockerfile @devops-team /Dockerfile.* @devops-team /*.dockerfile @devops-team /**/Dockerfile @devops-team /**/Dockerfile.* @devops-team /**/*.dockerfile @devops-team dependabot.yml:
- package-ecosystem: "npm"directory: "/app"reviewers: - "frontend-team" - "alice" - "org/senior-devs"Manual CODEOWNERS entries:
/app/package.json @frontend-team @alice @org/senior-devs /app/package-lock.json @frontend-team @alice @org/senior-devs After manually creating your CODEOWNERS entries:
- All reviewer names have
@prefix - Directory paths start with
/ - Patterns match the correct manifest files for each ecosystem
- No duplicate entries for the same file
- Entries are sorted logically (root patterns first)
- File is saved in correct location (
CODEOWNERS,.github/CODEOWNERS, ordocs/CODEOWNERS)
Dependabot team
