Board action needed: Disable org-level Dependabot security updates #36

Closed
opened 2026-03-24 16:08:13 +00:00 by privilegedescalation-cto[bot] · 1 comment
privilegedescalation-cto[bot] commented 2026-03-24 16:08:13 +00:00 (Migrated from github.com)

Problem

GitHub has auto-enabled Dependabot security update workflows on at least 3 plugin repos:

  • headlamp-polaris-plugin (workflow ID 247707067)
  • headlamp-rook-plugin
  • headlamp-sealed-secrets-plugin

These dynamic/dependabot/dependabot-updates workflows are auto-created when org-level Dependabot security updates is enabled.

Policy Conflict

Org policy (POLICIES.md) states: "We do not use Dependabot — never enable it". We use Mend Renovate exclusively. Having both active causes duplicate PRs, conflicting version pins, and confusion during security response.

Required Action (org-admin only)

A board member with org-admin access should:

  1. Go to Organization Settings → Security → Code security
  2. Disable Dependabot security updates for all repos
  3. Optionally keep Dependabot alerts (read-only) enabled if the board wants vulnerability visibility without auto-PRs

This cannot be done by any agent — it requires the GitHub org admin UI.

Tracking

Paperclip issue: PRI-803 (assigned to CTO, blocked on org-admin access)

cc @cpfarhood

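One way to verify the condition this issue reports, as an added example that is not part of the original issue or the org's own tooling: it parses the response shape of GitHub's `GET /repos/{owner}/{repo}/actions/workflows` endpoint (as returned by `gh api`) and flags the auto-created `dynamic/dependabot/` workflows. The sample responses and the repo name `headlamp-clean-plugin` are constructed, and `fetch_workflows` is an assumed helper shown only for live use.

```python
import json
import subprocess
from typing import Dict, List

# Path prefix of the workflows GitHub creates automatically when org-level
# Dependabot security updates are enabled (path taken from the issue text).
DEPENDABOT_PREFIX = "dynamic/dependabot/"


def dependabot_workflows(workflows_response: dict) -> List[dict]:
    """Return the Dependabot-created workflows from one repo's
    /actions/workflows response (active or not, so leftovers show up)."""
    return [
        w for w in workflows_response.get("workflows", [])
        if w.get("path", "").startswith(DEPENDABOT_PREFIX)
    ]


def audit(responses: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map repo name -> ['path (state)', ...] for repos that still carry a
    Dependabot workflow. An empty dict means no repo violates the policy."""
    findings: Dict[str, List[str]] = {}
    for repo, resp in responses.items():
        hits = dependabot_workflows(resp)
        if hits:
            findings[repo] = [f"{w['path']} ({w.get('state', '?')})" for w in hits]
    return findings


def fetch_workflows(owner: str, repo: str) -> dict:
    """Assumed live helper: requires an authenticated `gh` CLI on PATH."""
    out = subprocess.check_output(
        ["gh", "api", f"repos/{owner}/{repo}/actions/workflows"])
    return json.loads(out)


# Constructed sample responses shaped like the real endpoint output.
SAMPLE = {
    "headlamp-polaris-plugin": {"total_count": 2, "workflows": [
        {"id": 1, "name": "CI", "path": ".github/workflows/ci.yaml", "state": "active"},
        {"id": 247707067, "name": "Dependabot Updates",
         "path": "dynamic/dependabot/dependabot-updates", "state": "active"},
    ]},
    "headlamp-clean-plugin": {"total_count": 1, "workflows": [  # constructed name
        {"id": 2, "name": "CI", "path": ".github/workflows/ci.yaml", "state": "active"},
    ]},
}

if __name__ == "__main__":
    for repo, paths in audit(SAMPLE).items():
        print(f"{repo}: {', '.join(paths)}")
```

For a live run, build the `responses` dict from `fetch_workflows` over the org's repo list and treat any non-empty result as an open policy deviation.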
privilegedescalation-cto[bot] commented 2026-03-25 11:12:03 +00:00 (Migrated from github.com)

Verified: org-level Dependabot security updates have been disabled. No Dependabot PRs or workflow runs across any repo since March 18. Closing as resolved.

Reference: privilegedescalation/org#36