Exclude codeowners from dependabot PR


We use a codeowners file to automatically assign reviews to Pull Requests. We also have Dependabot creating PRs for major versions.

We do not want to automatically add reviews to the PRs created by Dependabot. According to https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax it is not possible to use ! to exclude.

Is there a way to:

  • Use codeowners for all PRs created by users
  • Not assign reviewers on PRs created by Dependabot

Thanks!

I have read the documentation for Codeowners file, and for Dependabot. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#setting-reviewers-and-assignees

We do not use any reviews in the Dependabot action.

There is 1 best solution below


Using @andreas-olsson's comment, this is what I set up in the CODEOWNERS file.

This is slightly imperfect, as it means that if a real user only makes a change to a package.json file and no other files, the codeowners will not get notified of that PR. However, there is currently no better solution.

# All files are by default owned by this team,
# unless a more specific ownership rule is set below.
* @my-dev-team-name

# Don't automatically assign reviewers on PRs that only modify these files.
# As they have no owner listed, these files are not owned by anyone.
package.json
package-lock.json

Check out the CODEOWNERS syntax docs if you need help modifying this to fit your file structure (the above solution assumes that the package files are in the root directory).
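
An added example, not part of the original answer: a small Python check that evaluates the rules above against a PR's changed files and shows the review gap the answer mentions. The matcher implements only a simplified subset of the CODEOWNERS pattern syntax (an assumption of this example), and the changed-file lists are constructed.

```python
import fnmatch
import posixpath

# The rules from the answer above (the team name is the answer's placeholder).
CODEOWNERS = """\
* @my-dev-team-name
package.json
package-lock.json
"""

def parse_rules(text):
    """Return [(pattern, [owners])] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def _matches(pattern, path):
    # Simplified matching (assumption): "/x" is anchored to the repository root,
    # a pattern without "/" is compared against the file name only.
    if pattern.startswith("/"):
        return fnmatch.fnmatch(path, pattern[1:])
    return fnmatch.fnmatch(posixpath.basename(path), pattern)

def owners_for(path, rules):
    """Last matching rule wins; a matching rule with no owners leaves the file unowned."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners

def review_gaps(changed_files, rules):
    """Return (owners who get a review request, changed files nobody is asked to review)."""
    requested, unowned = set(), []
    for path in changed_files:
        found = owners_for(path, rules)
        requested.update(found)
        if not found:
            unowned.append(path)
    return sorted(requested), unowned

if __name__ == "__main__":
    rules = parse_rules(CODEOWNERS)
    # Constructed PR file lists: a Dependabot bump, a mixed human PR, a manifest-only human PR.
    for files in (["package.json", "package-lock.json"], ["src/index.js", "package.json"], ["package.json"]):
        print(files, "->", review_gaps(files, rules))
```

A PR that changes only the manifest files produces no review request whoever the author is, so a CI job could run the same check and require a manual reviewer when the author is not Dependabot.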