Document update-types support in allow block for dependabot.yml (#60517)

Co-authored-by: kbukum1 <kbukum1@github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>

Author: 3 people

content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated.md

@@ -133,7 +133,7 @@ For more information, see `allow` in [AUTOTITLE](/code-security/dependabot/worki
 By default, {% data variables.product.prodname_dependabot %} creates version update pull requests only for the dependencies that are explicitly defined in a manifest (`direct` dependencies). This configuration uses `allow` to tell {% data variables.product.prodname_dependabot %} that we want it to maintain `all` types of dependency. That is, both the `direct` dependencies and their dependencies (also known as indirect dependencies, sub-dependencies, or transient dependencies). In addition, the configuration tells {% data variables.product.prodname_dependabot %} to ignore all dependencies with a name matching the pattern `org.xwiki.*` because we have a different process for maintaining them.
 
 > [!TIP]
-> {% data variables.product.prodname_dependabot %} checks for all **allowed** dependencies, then filters out any **ignored** dependencies. If a dependency is matched by an **allow** and an **ignore** statement, then it is ignored.
+> {% data variables.product.prodname_dependabot %} checks for all **allowed** dependencies, then filters out any **ignored** dependencies. If a dependency is matched by an **allow** and an **ignore** statement, then it is ignored.{% ifversion dependabot-allow-update-types %} You can also use `update-types` in `allow` rules to restrict updates to specific semantic versioning levels.{% endif %}
 
 ```yaml copy
 version: 2
@@ -167,6 +167,58 @@ updates:
     open-pull-requests-limit: 15
 ```
 
+{% ifversion dependabot-allow-update-types %}
+
+## Allowing specific semantic versioning levels for updates
+
+You can use `update-types` with `allow` to restrict updates to specific semantic versioning (SemVer) levels. This is useful when you want to be explicit about which types of updates Dependabot should create pull requests for.
+
+> [!NOTE]
+> `update-types` only affects _version_ updates, not _security_ updates. Security updates will always be created regardless of the `update-types` setting.
+
+For more information, see `update-types` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-allow).
+
+Here are some examples showing how `update-types` can be used with `allow`.
+
+* To allow only minor and patch updates for a specific dependency, you can combine `update-types` with `dependency-name`.
+
+   ```yaml copy
+   version: 2
+   updates:
+     - package-ecosystem: "maven"
+       directory: "/"
+       schedule:
+         interval: "weekly"
+       allow:
+         - dependency-name: "io.micrometer:micrometer-core"
+           update-types:
+             - "version-update:semver-minor"
+             - "version-update:semver-patch"
+   ```
+
+* To apply different update policies for production and development dependencies, you can combine `update-types` with `dependency-type`.
+
+   ```yaml copy
+   version: 2
+   updates:
+     - package-ecosystem: "composer"
+       directory: "/"
+       schedule:
+         interval: "monthly"
+       allow:
+         - dependency-type: "production"
+           update-types:
+             - "version-update:semver-patch"
+         - dependency-type: "development"
+           update-types:
+             - "version-update:semver-minor"
+             - "version-update:semver-patch
+   ```
+
+  In this example, production dependencies will only receive patch updates, while development dependencies will receive both minor and patch updates.
+
+{% endif %}
+
 ## Ignoring specific versions or ranges of versions
 
 You can use `versions` in conjunction with `ignore` to ignore specific versions or ranges of versions.
@@ -201,7 +253,8 @@ For more information, see `versions` in [AUTOTITLE](/code-security/dependabot/wo
 
 ## Specifying the semantic versioning level to ignore
 
-You can specify one or more semantic versioning (SemVer) levels to ignore using `update-types`.
+
+You can specify one or more semantic versioning (SemVer) levels to ignore using `update-types` with `ignore`.{% ifversion dependabot-allow-update-types %} Alternatively, you can use `update-types` with `allow` to explicitly specify which update levels to allow, see [Allowing specific semantic versioning levels for updates](#allowing-specific-semantic-versioning-levels-for-updates).{% endif %}
 
 For more information, see `update-types` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#update-types-ignore).
 

content/code-security/reference/supply-chain-security/dependabot-options-reference.md

@@ -81,6 +81,9 @@ When `allow` is specified {% data variables.product.prodname_dependabot %} uses
 |------------|---------|
 | `dependency-name` | Allow updates for dependencies with matching names, optionally using `*` to match zero or more characters. |
 | `dependency-type` | Allow updates for dependencies of specific types. |
+| {% ifversion dependabot-allow-update-types %} |
+| `update-types` | Allow updates to one or more semantic versioning levels. Supported values: `version-update:semver-patch`, `version-update:semver-minor`, and `version-update:semver-major`. |
+| {% endif %} |
 
 ### `dependency-name` (`allow`)
 
@@ -101,6 +104,26 @@ For most package managers, you should define a value that will match the depende
 | `production` | `bundler`, `composer`, `mix`, `maven`, `npm`, `pip`{% ifversion dependabot-uv-support %}, `uv`{% endif %} (not all managers) | Only to dependencies defined by the package manager as production dependencies. |
 | `development`| `bundler`, `composer`, `mix`, `maven`, `npm`, `pip`{% ifversion dependabot-uv-support %}, `uv`{% endif %} (not all managers) | Only to dependencies defined by the package manager as development dependencies. |
 
+{% ifversion dependabot-allow-update-types %}
+
+### `update-types` (`allow`)
+
+`update-types` only affects _version_ updates, not _security updates_.
+
+Specify which semantic versions (SemVer) to allow.
+
+SemVer is an accepted standard for defining versions of software packages, in the form `x.y.z`. {% data variables.product.prodname_dependabot %} assumes that versions in this form are always `major.minor.patch`. The `update-types` value is a list of one or more strings.
+
+* Use `version-update:semver-patch` to allow patch releases.
+* Use `version-update:semver-minor` to allow minor releases.
+* Use `version-update:semver-major` to allow major releases.
+
+When `update-types` is omitted from an `allow` rule, all update types are allowed for that rule.
+
+You can combine `update-types` with `dependency-name` or `dependency-type` to further narrow allowed updates. For examples of how you can combine these options, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/controlling-dependencies-updated#allowing-specific-semantic-versioning-levels-for-updates).
+
+{% endif %}
+
 ## `assignees` {% octicon "versions" aria-label="Version updates" height="24" %} {% octicon "shield-check" aria-label="Security updates" height="24" %}
 
 Specify individual assignees for all pull requests raised for a package ecosystem.  For examples, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).
@@ -351,7 +374,7 @@ When `ignore` is used {% data variables.product.prodname_dependabot %} uses the
 |------------|---------|
 | `dependency-name` | Ignore updates for dependencies with matching names, optionally using `*` to match zero or more characters. |
 | `versions` | Ignore specific versions or ranges of versions. |
-| `update-types` | Ignore updates to one or more semantic versioning levels. Supported values: `version-update:semver-minor`, `version-update:semver-patch`, and `version-update:semver-major`. |
+| `update-types` | Ignore updates to one or more semantic versioning levels. Supported values: `version-update:semver-patch`, `version-update:semver-minor`, and `version-update:semver-major`. |
 
 ### `dependency-name` (`ignore`)
 

data/features/dependabot-allow-update-types.yml

@@ -0,0 +1,7 @@
+# References:
+# Issue docs-content#21952 - Document update-types support in allow block
+# Core: https://github.com/dependabot/dependabot-core/pull/12925
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.21'