Copilot AI commented Feb 9, 2026

The --dependabot flag generates dependency manifests from workflow commands (npx, pip install, go install), enabling Dependabot to track outdated tools. Users need guidance on the proper fix workflow: edit source .md files and recompile, not merge manifest changes directly.

Changes

  • New reference page (docs/src/content/docs/reference/dependabot.md)

    • Concise reference (80 lines, 73% reduction from initial draft)
    • Manifest generation for npm, pip, and Go ecosystems
    • Generated files: package.json, package-lock.json, requirements.txt, go.mod, dependabot.yml
    • Proper fix workflow: source workflow updates → recompilation → Dependabot auto-closes
    • Generic AI agent prompt template for handling Dependabot PRs
    • Troubleshooting table with common issues and solutions
  • CLI documentation enhancement (docs/src/content/docs/setup/cli.md)

    • Expanded compile --dependabot description with cross-reference

Critical Workflow

When Dependabot opens a PR updating manifests:

```bash
# 1. Find affected workflows
grep -r "@playwright/test@1.41.0" .github/workflows/*.md

# 2. Update workflow source (not manifests)
# Change: npx @playwright/test@1.41.0
# To:     npx @playwright/test@1.42.0

# 3. Regenerate manifests
gh aw compile --dependabot

# 4. Commit (Dependabot auto-closes its PR)
git add .github/workflows/
git commit -m "chore: update @playwright/test to 1.42.0"
```

This prevents manifest drift and maintains the markdown workflows as the single source of truth.

[!WARNING]

Custom agent used: technical-doc-writer
AI technical documentation writer for GitHub Actions library using GitHub Docs voice

Original prompt

Add a reference documentation for the dependabot support in the compile command.

It generates a manifest of the runtime dependencies in actions which can be used to detect outdated tools in actions.

Dependabot opens PRs like this #13785

The proper way to fix these PRs is to edit the agentic workflows markdown and recompile. The manifest files will be regenerated and dependabot will close its PR.

The doc page should have an example of generic prompt to help with this task.


Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add reference documentation for dependabot support docs: add Dependabot support reference documentation Feb 9, 2026
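
The manifest drift that the workflow in the PR description is meant to prevent can be checked mechanically. The following is an added example, not code from this PR or from gh-aw: it compares the versions pinned by `npx` calls in workflow sources against a `package.json`. The manifest layout (exact versions under `dependencies`), the function names and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Matches pinned npx calls, including scoped names: npx @playwright/test@1.41.0
NPX_PIN = re.compile(
    r"\bnpx\s+(?:-\S+\s+)*((?:@[\w.-]+/)?[\w.-]+)@(\d+(?:\.\d+)*(?:-[\w.]+)?)"
)

def pinned_npx(workflow_md):
    """Return {package: {versions}} for each pinned npx call in one workflow source."""
    pins = {}
    for name, version in NPX_PIN.findall(workflow_md):
        pins.setdefault(name, set()).add(version)
    return pins

def manifest_drift(workflow_sources, package_json_text):
    """List mismatches between workflow pins and a manifest.

    Assumption: the manifest keeps exact versions under "dependencies".
    """
    wanted = {}
    for text in workflow_sources.values():
        for name, versions in pinned_npx(text).items():
            wanted.setdefault(name, set()).update(versions)
    manifest = json.loads(package_json_text).get("dependencies", {})
    findings = []
    for name in sorted(set(wanted) | set(manifest)):
        src, got = wanted.get(name), manifest.get(name)
        if src is None:
            findings.append(f"{name}: in manifest ({got}) but pinned by no workflow")
        elif got is None:
            findings.append(f"{name}: pinned in a workflow but missing from manifest")
        elif got not in src:
            findings.append(f"{name}: manifest {got} != workflow {sorted(src)}")
    return findings

# Constructed sample: a Dependabot bump was merged into the manifest directly,
# while the workflow source still pins the old version.
STALE = {".github/workflows/e2e.md": "Run `npx @playwright/test@1.41.0 test`.\n"}
FIXED = {".github/workflows/e2e.md": "Run `npx @playwright/test@1.42.0 test`.\n"}
MANIFEST = '{"dependencies": {"@playwright/test": "1.42.0"}}'

if __name__ == "__main__":
    for label, sources in (("stale source", STALE), ("fixed source", FIXED)):
        print(label, "->", manifest_drift(sources, MANIFEST) or "no drift")
```

A non-empty result means a manifest was changed without its workflow source, which is the state a directly merged Dependabot PR leaves behind.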

@pelikhan pelikhan left a comment


@copilot remove bloat. See unbloat.md

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 9, 2026

> @copilot remove bloat. See unbloat.md

Removed bloat from dependabot.md following unbloat-docs.md guidelines. Reduced from 302 lines to 80 lines (73% reduction) while preserving all essential information. Changes in commit bd8a8c5.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /opt/hostedtoolcache/node/24.13.0/x64/bin/node node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan February 9, 2026 15:23
@pelikhan pelikhan marked this pull request as ready for review February 9, 2026 15:24
Copilot AI review requested due to automatic review settings February 9, 2026 15:24
@pelikhan pelikhan merged commit 7a549fe into main Feb 9, 2026
69 checks passed
@pelikhan pelikhan deleted the copilot/add-dependabot-documentation branch February 9, 2026 15:24

Copilot AI left a comment


Pull request overview

Adds reference documentation for gh aw compile --dependabot so users understand how dependency manifests are generated from workflow commands and how to properly resolve Dependabot PRs without introducing manifest drift.

Changes:

  • Adds a new “Dependabot Support” reference page documenting generated manifests, recommended PR-fix workflow, and troubleshooting.
  • Expands the compile command documentation to describe --dependabot and link to the new reference page.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| docs/src/content/docs/setup/cli.md | Adds --dependabot integration blurb and cross-reference to the new reference page. |
| docs/src/content/docs/reference/dependabot.md | New reference page describing how Dependabot manifests/config are generated and how to handle Dependabot PRs. |



**Options:** `--validate`, `--strict`, `--fix`, `--zizmor`, `--dependabot`, `--json`, `--watch`, `--purge`

**Dependabot Integration (`--dependabot`):** Automatically generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`) and `.github/dependabot.yml` configuration by analyzing runtime tools (`npx`, `pip install`, `go install`) used across all workflows. This enables Dependabot to detect and update outdated dependencies. See [Dependabot Support reference](/gh-aw/reference/dependabot/) for details on handling Dependabot PRs.
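
Review bot: The sentence "This enables Dependabot to detect and update outdated dependencies" in the `--dependabot` blurb reads as if merging the Dependabot PR is the update path, while the PR description says the fix is to edit the source `.md` workflow and recompile, not merge manifest changes directly. Suggest saying that here in one clause before the cross-reference, since this blurb is the first place a reader meets the flag.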

Copilot AI Feb 9, 2026


This description implies --dependabot always generates manifests and only scans go install. In reality, manifest generation is skipped when no dependencies are detected, and Go dependencies are extracted from both go install and go get. Consider updating this sentence to reflect the conditional behavior and include go get (and optionally mention package-lock.json since it is also generated for npm).

Suggested change
**Dependabot Integration (`--dependabot`):** Automatically generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`) and `.github/dependabot.yml` configuration by analyzing runtime tools (`npx`, `pip install`, `go install`) used across all workflows. This enables Dependabot to detect and update outdated dependencies. See [Dependabot Support reference](/gh-aw/reference/dependabot/) for details on handling Dependabot PRs.
**Dependabot Integration (`--dependabot`):** When dependencies are detected, automatically generates dependency manifests (`package.json` + `package-lock.json`, `requirements.txt`, `go.mod`) and `.github/dependabot.yml` configuration by analyzing runtime tools (`npx`, `pip install`, `go install`, `go get`) used across all workflows. This enables Dependabot to detect and update outdated dependencies. See [Dependabot Support reference](/gh-aw/reference/dependabot/) for details on handling Dependabot PRs.

order: 750
---

The `gh aw compile --dependabot` command scans workflows for runtime tools (`npx`, `pip install`, `go install`), generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`), and configures Dependabot to monitor for updates
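
Review bot: The opening sentence lists `package.json`, `requirements.txt` and `go.mod` as the generated manifests but omits `package-lock.json` and `dependabot.yml`, both of which the PR description names as generated files. Suggest listing them here as well and stating in this sentence that the files are generated output, changed only by editing the workflow `.md` source and recompiling.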

Copilot AI Feb 9, 2026


The runtime tool list is incomplete. The implementation extracts Go dependencies from both go install and go get (see RequiredSubcommands: ["install", "get"]), so the doc should mention go get as well.

Suggested change
The `gh aw compile --dependabot` command scans workflows for runtime tools (`npx`, `pip install`, `go install`), generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`), and configures Dependabot to monitor for updates
The `gh aw compile --dependabot` command scans workflows for runtime tools (`npx`, `pip install`, `go install`, `go get`), generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`), and configures Dependabot to monitor for updates

order: 750
---

The `gh aw compile --dependabot` command scans workflows for runtime tools (`npx`, `pip install`, `go install`), generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`), and configures Dependabot to monitor for updates

Copilot AI Feb 9, 2026


Missing period at the end of this sentence.

Suggested change
The `gh aw compile --dependabot` command scans workflows for runtime tools (`npx`, `pip install`, `go install`), generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`), and configures Dependabot to monitor for updates
The `gh aw compile --dependabot` command scans workflows for runtime tools (`npx`, `pip install`, `go install`), generates dependency manifests (`package.json`, `requirements.txt`, `go.mod`), and configures Dependabot to monitor for updates.
