Dependabot grouped security update PRs ignore labels from dependabot.yml

[gediminas-nenius]

Hi everyone 👋

I’m running into what looks like either a Dependabot limitation or a bug related to grouped security update pull requests not receiving labels, even though labels are clearly configured in dependabot.yml.

Context

• Repository uses Dependabot version updates
• Security updates are enabled
• Dependencies are grouped using the groups feature
• Groups are limited to security updates only via applies-to: security-updates
• Labels are configured at the update level

Here is a simplified excerpt of the configuration:

version: 2

updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "04:00"
    labels:
      - "my-teams-backend-dependabot"
      - "dependencies"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
          - "version-update:semver-patch"
    groups:
      spring:
        applies-to: security-updates
        patterns:
          - "org.springframework*"

Observed behavior

• ✅ Dependabot does create grouped security update PRs
• ❌ No labels are applied to those PRs
• ❌ The labels: field at the update level is ignored
• ❌ There is no way to define labels at the groups.* level

This only affects security update PRs.
Regular (non-security) Dependabot PRs do receive labels as expected.

Expected behavior

One of the following would be expected:

1. Grouped security PRs inherit labels from the parent updates entry, or
2. Ability to define labels per group, e.g.:

groups:
  spring:
    labels:
      - "spring"
      - "security"

Why this matters

In larger organizations, labels are critical for:

• Routing PRs to the correct team
• Applying branch protection or automation
• Dashboards and metrics
• Auto-merge rules

Grouped security PRs without labels are hard to triage and break existing workflows.

Questions

• Is this known behavior or a confirmed limitation?
• Is this intentional, or is it a bug?
• Are there any workarounds (e.g. GitHub Actions reacting to Dependabot PRs)?
• Are labels for grouped security PRs on the roadmap?

Thanks in advance 🙏

[x1-xh]

This warning is due to a recent change in how GitHub Actions validates expressions.

Expressions must now be fully contained inside a single ${{ }} block. Mixing literal text with ${{ }} inside an if: condition is no longer considered valid and triggers the warning because it will always evaluate as truthy.

So this form is now discouraged:

if: endsWith(${{ needs.precheck.outputs.version }}, '-SNAPSHOT')

The correct and recommended form is:

if: ${{ endsWith(needs.precheck.outputs.version, '-SNAPSHOT') }}

This is not a breaking change in behavior, just stricter syntax validation to prevent subtle logic bugs. Updating conditions this way will silence the warning and keep workflows future-proof.

---

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬