[Ready for merging - 2023-01-12] - Pausing / unpausing Dependabot updates and related notifications (#33379)

Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Erin Havens <erinhav@github.com>
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
mc 2023-01-12 17:40:37 +00:00 committed by GitHub
Parent 35cf066d00
Commit 61446f056e
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
6 changed files: 57 additions and 0 deletions

View file

@ -69,6 +69,13 @@ When you merge a pull request that contains a security update, the corresponding
{% endif %}
{% ifversion dependabot-updates-paused %}
## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}
{% data reusables.dependabot.automatically-pause-dependabot-updates %}
{% endif %}
## About notifications for {% data variables.product.prodname_dependabot %} security updates
You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#dependabot-custom-filters)."
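Review bot: the new "About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}" heading is the anchor target that the other files in this commit link to as `#about-automatic-deactivation-of-dependabot-updates`; because the heading text comes from a variable, the rendered slug depends on that variable's value, so confirm the generated anchor matches the fragment used in those links before merging. The section itself is only the shared reusable, which is fine here since the reusable covers both version and security updates, but a security-updates reader may want a one-line pointer that the paused state is also surfaced in the {% data variables.product.prodname_dependabot_alerts %} list.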

View file

@ -67,6 +67,13 @@ You can configure version updates for repositories that contain a dependency man
If your repository already uses an integration for dependency management, you will need to disable this before enabling {% data variables.product.prodname_dependabot %}. {% ifversion fpt or ghec %}For more information, see "[About integrations](/github/customizing-your-github-workflow/about-integrations)."{% endif %}
{% ifversion dependabot-updates-paused %}
## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}
{% data reusables.dependabot.automatically-pause-dependabot-updates %}
{% endif %}
## About notifications for {% data variables.product.prodname_dependabot %} version updates
You can filter your notifications on {% data variables.product.company_short %} to show notifications for pull requests created by {% data variables.product.prodname_dependabot %}. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox)."

View file

@ -32,6 +32,16 @@ When {% data variables.product.prodname_dependabot %} raises a pull request, you
If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)."
{% ifversion dependabot-updates-paused %}
{% note %}
**Note**: If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic deactivation-of-dependabot-updates)" and "[About {% data variables.product.prodname_dependabot_security_updates %}]((/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic deactivation-of-dependabot-updates)."
{% endnote %}
{% endif %}
## Viewing {% data variables.product.prodname_dependabot %} pull requests
{% data reusables.repositories.navigate-to-repo %}
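Review bot: both links in the new note are broken. The anchor fragment contains a space instead of a hyphen in both URLs (`#about-automatic deactivation-of-dependabot-updates` should be `#about-automatic-deactivation-of-dependabot-updates`), and the second link has a doubled opening parenthesis (`]((/code-security/dependabot/dependabot-security-updates/...`), which will not render as a link at all. Also, the callout here is written `**Note**:` while the equivalent callout in the troubleshooting file in this same commit uses `**Note:**`; pick one form for both.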

View file

@ -34,6 +34,14 @@ topics:
If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error.
{% ifversion dependabot-updates-paused %}
{% note %}
**Note:** {% data variables.product.prodname_dependabot %} doesn't create pull requests for inactive repositories. For information about inactivity criteria, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates)" and "[About {% data variables.product.prodname_dependabot_version_updates %}](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates)," for security and version updates, respectively.
{% endnote %}
{% endif %}
## Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.
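Review bot: on a troubleshooting page, the note should tell the reader how to recognise the paused state, not only that it exists. Someone investigating a missing pull request can check for the `dependabot-paused` label on open {% data variables.product.prodname_dependabot %} pull requests or the banner under **Settings** > **Code security and analysis** > **{% data variables.product.prodname_dependabot %}** (both described in the reusable added by this commit) before reading the two linked "About" pages; suggest adding one sentence naming those signals here.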

View file

@ -0,0 +1,6 @@
# Reference: Issue #8300 - Dependabot: automatic, rolling opt-out for inactivity (Version updates, Security updates) - [GA]
versions:
fpt: '*'
ghec: '*'
ghes: '>3.8'
ghae: '>3.8'
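Review bot: `ghes: '>3.8'` and `ghae: '>3.8'` exclude version 3.8 itself and enable the feature only from the following release; confirm that is intended rather than `'>=3.8'`, since the `dependabot-updates-paused` conditionals in this commit will hide the new sections and callouts on 3.8 as written. The header comment references the tracking issue, which is useful; consider also noting the target release so the range can be checked against it later.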

View file

@ -0,0 +1,19 @@
When maintainers of a repository stop interacting with {% data variables.product.prodname_dependabot %} pull requests, {% data variables.product.prodname_dependabot %} temporarily pauses its updates and lets you know. This automatic opt-out behavior reduces noise because {% data variables.product.prodname_dependabot %} doesn't create pull requests for version and security updates, and doesn't rebase {% data variables.product.prodname_dependabot %} pulls requests for inactive repositories.
The automatic deactivation of {% data variables.product.prodname_dependabot %} updates only applies to repositories where {% data variables.product.prodname_dependabot %} has opened pull requests but the pull requests remain untouched. If {% data variables.product.prodname_dependabot %} hasn't opened any pull requests, {% data variables.product.prodname_dependabot %} will never become paused.
An active repository is a repository for which a user (not {% data variables.product.prodname_dependabot %}) has carried out _any_ of the actions below in the last 90 days:
- Merge or close a {% data variables.product.prodname_dependabot %} pull request on the repository.
- Make a change to the *dependabot.yml* file for the repository.
- Manually trigger a security update or a version update.
- Enable {% data variables.product.prodname_dependabot_security_updates %} for the repository.
- Use `@dependabot` commands on pull requests.
An inactive repository is a repository that has at least one {% data variables.product.prodname_dependabot %} pull request open for more than 90 days, has been enabled for the full period, and where none of the actions listed above has been taken by a user.
When {% data variables.product.prodname_dependabot %} is paused, {% data variables.product.prodname_dotcom %} adds a notice to the body of all open {% data variables.product.prodname_dependabot %} pull requests, and assigns a `dependabot-paused` label to these pull requests. You'll also see a banner notice in the UI of the **Settings** tab of the repository (under **Code security and analysis**, then **{% data variables.product.prodname_dependabot %}**), as well in the list of {% data variables.product.prodname_dependabot_alerts %} (if {% data variables.product.prodname_dependabot_security_updates %} are affected).
As soon as a maintainer interacts with a {% data variables.product.prodname_dependabot %} pull request again, {% data variables.product.prodname_dependabot %} will unpause itself:
- Security updates are automatically resumed for {% data variables.product.prodname_dependabot_alerts %}.
- Version updates are automatically resumed with the schedule specified in the *dependabot.yml* file.
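Review bot: the unpause sentence ("As soon as a maintainer interacts with a {% data variables.product.prodname_dependabot %} pull request again") is narrower than the activity list above it, which also counts editing *dependabot.yml*, manually triggering an update, and enabling security updates, none of which involve a pull request; suggest "As soon as a maintainer carries out any of the actions above". Two typos in the same hunk: "pulls requests" in the first paragraph should be "pull requests", and "as well in the list of" should be "as well as in the list of". Finally, "has been enabled for the full period" in the inactive-repository definition does not say what must have been enabled (the repository, {% data variables.product.prodname_dependabot_updates %}, or the pausing feature); make the subject explicit.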