51 changes: 0 additions & 51 deletions .github/workflows/ready-for-doc-review.yml
Original file line number Diff line number Diff line change
@@ -43,57 +43,6 @@ jobs:
echo "AUTHOR_LOGIN=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV
fi

# Check if the PR is connected to an issue that has the DIY docs label. The grep command parses through the PR description to find issue numbers that are linked in the PR description. The GitHub CLI command then checks if the issue exists in the docs-content repo, then checks if the linked docs-content issues have the DIY docs label. If the linked issues have the DIY docs label, the DIY_DOCS_LABEL environment variable is set to true.
- name: Check if PR is connected to DIY docs issue
if: github.repository == 'github/docs-internal'
id: check-diy-docs
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
run: |
echo "Extracting issue numbers from PR description..."

# Get issue numbers directly using gh pr view
ISSUE_NUMS=$(gh pr view ${{ github.event.pull_request.number }} --json body -q .body | \
grep -oE '(https://github.com/github/docs-content/issues/[0-9]+|github/docs-content#[0-9]+|#[0-9]+)' | \
grep -oE '[0-9]+$' || echo "")
echo "Extracted docs-content issue numbers: $ISSUE_NUMS"

if [ -n "$ISSUE_NUMS" ]; then
for ISSUE_NUM in $ISSUE_NUMS; do
echo "Checking issue #$ISSUE_NUM in the docs-content repository..."
if gh issue view $ISSUE_NUM --repo github/docs-content --json labels -q '.labels[].name' | grep -q 'DIY docs'; then
echo "DIY docs label found for issue #$ISSUE_NUM."
echo "DIY_DOCS_LABEL=true" >> $GITHUB_ENV
break
else
echo "Issue #$ISSUE_NUM exists but does not have the DIY docs label."
fi
done
else
echo "No DIY docs issues found in the PR description."
fi

# Debug step to confirm environment variables are set correctly
- name: Debug environment variables
run: |
echo "Current environment variables:"
echo "DIY_DOCS_LABEL: $DIY_DOCS_LABEL"
echo "Repository: ${{ github.repository }}"

# If the PR description contains a link to a DIY docs issue, add the DIY docs label to the PR.
- name: Add the DIY docs label if connected to a DIY docs issue
if: ${{ env.DIY_DOCS_LABEL == 'true' }} && github.repository == 'github/docs-internal'
env:
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
PR_URL: ${{ github.event.pull_request.html_url }}
run: |
# Debugging output
echo "Condition check:"
echo "DIY_DOCS_LABEL is: $DIY_DOCS_LABEL"
echo "github.repository is: ${{ github.repository }}"
echo "Adding the DIY docs label..."
gh pr edit $PR_URL --add-label 'DIY docs'

- name: Run script
run: |
npm run ready-for-docs-review
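Review bot: this hunk deletes all three DIY-docs steps, including the one that ran `gh pr edit $PR_URL --add-label 'DIY docs'` with `secrets.DOCS_BOT_PAT_WRITEORG_PROJECT` in a job that first parsed issue numbers out of the pull request description. The surviving `Run script` step does not reference that secret, so check whether `DOCS_BOT_PAT_WRITEORG_PROJECT` is still used anywhere in the lines above the hunk that are not shown here and, if not, stop passing it to this workflow; fewer steps that combine a write-scoped token with user-supplied PR text is a net reduction in exposure. Worth recording in the PR description why the labelling automation is going away, because the deleted comment at the top of the hunk was the only place its behaviour was documented. Note also that the removed guard `if: ${{ env.DIY_DOCS_LABEL == 'true' }} && github.repository == 'github/docs-internal'` mixed `${{ }}` with a bare expression, a form GitHub Actions evaluates as a string rather than as one boolean condition, so nobody should restore it verbatim later.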
@@ -39,7 +39,7 @@ The supply chain features on {% data variables.product.github %} are:
* **{% data variables.product.prodname_dependabot_security_updates %}**
* **{% data variables.product.prodname_dependabot_version_updates %}**

The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.
The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. Your repository’s dependency graph tracks and displays its dependencies and some of their properties, like vulnerability information.

Other supply chain features on {% data variables.product.prodname_dotcom %} rely on the information provided by the dependency graph.

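Review bot: the new sentence "Your repository's dependency graph tracks and displays its dependencies" slightly overstates what the graph does; elsewhere in this PR the graph is described as rebuilt when a supported manifest or lock file changes on the default branch, not continuously tracked. "Lists its dependencies and some of their properties, like vulnerability information" would be accurate and still shorter than the removed wording.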
@@ -53,20 +53,21 @@ For best practice guides on end-to-end supply chain security including the prote

## Feature overview

### What is the dependency graph
### What is the dependency graph?

To generate the dependency graph, {% data variables.product.company_short %} looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.

* The dependency graph includes information on your _direct_ dependencies and _transitive_ dependencies.
* The dependency graph is automatically updated when you push a commit to {% data variables.product.company_short %} that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
* The dependency graph can also include information you provide as your project is building using {% data variables.product.prodname_actions %}. Some package ecosystems pull in most of their transitive dependencies at build time, so submitting dependency information as the build is happening provides a more complete view of the supply chain.
* You can see the dependency graph by opening the repository's main page on {% data variables.product.github %}, and navigating to the **Insights** tab.
* {% data reusables.dependency-graph.sbom-export %}

{% data reusables.dependency-submission.dependency-submission-link %}

For more information about the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).

### What is dependency review
### What is dependency review?

Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.

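Review bot: the bullet added for the **Insights** tab is a navigation instruction inside a list that otherwise describes properties of the graph, and it omits the precondition stated two paragraphs earlier ("When enabled, the dependency graph automatically parses..."). Suggest "If the dependency graph is enabled, you can view it from the **Insights** tab of the repository's main page" so readers whose graph is disabled are not left looking for a tab entry that is not there. The `?` added to the heading is consistent with the other headings in this PR.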
@@ -75,9 +76,9 @@ Dependency review helps reviewers and contributors understand dependency changes

For more information about dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).

### What is Dependabot
### What is Dependabot?

{% data variables.product.prodname_dependabot %} keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a {% data variables.product.prodname_dependabot %} alert is triggered, or to the latest version when a release is published.
{% data variables.product.prodname_dependabot %} keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies and automatically opening pull requests to upgrade your dependencies. {% data variables.product.prodname_dependabot %} pull requests will target the next available secure version when a {% data variables.product.prodname_dependabot %} alert is triggered, or to the latest version when a release is published.

The term "{% data variables.product.prodname_dependabot %}" encompasses the following features:
* {% data variables.product.prodname_dependabot_alerts %}: Displayed notification on the **Security** tab for the repository, and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
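Review bot: the rewritten Dependabot sentence has a grammar slip carried over from the old version: "pull requests will target the next available secure version when ... alert is triggered, or to the latest version when a release is published". Drop the stray "to" so both objects hang off "target": "...target the next available secure version when a Dependabot alert is triggered, or the latest version when a release is published." The split into two sentences is otherwise an improvement.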
@@ -103,7 +104,7 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep

{% data reusables.dependabot.dependabot-actions-support %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).

#### What are Dependabot alerts
#### What are Dependabot alerts?

{% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities.

@@ -116,7 +117,7 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep

For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).

#### What are Dependabot updates
#### What are Dependabot updates?

There are two types of {% data variables.product.prodname_dependabot_updates %}: {% data variables.product.prodname_dependabot %} _security_ updates and _version_ updates. {% data variables.product.prodname_dependabot %} generates automatic pull requests to update your dependencies in both cases, but there are several differences.

@@ -19,9 +19,9 @@ topics:
> [!NOTE]
> Automatic dependency submission is currently only supported for Maven.

Dependency graph analyzes the manifest and lock files in a repository, in order to help users understand the dependencies that the repository depends on. However, in some ecosystems, the resolution of transitive dependencies occurs at build-time and {% data variables.product.company_short %} isn't able to automatically discover all dependencies based on the contents of the repository alone.
Dependency graph analyzes the manifest and lock files in a repository, in order to help users understand the upstream packages that their software project depends on. However, in some ecosystems, the resolution of transitive dependencies occurs at build-time and {% data variables.product.company_short %} isn't able to automatically discover all dependencies based on the contents of the repository alone.

When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository and will submit these dependencies to {% data variables.product.company_short %} using the {% data variables.dependency-submission-api.name %}. You can then report on these dependencies using the dependency graph.
When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository and will submit these dependencies to {% data variables.product.company_short %} using the {% data variables.dependency-submission-api.name %}. You can then explore these dependencies using the dependency graph. {% data variables.product.prodname_dependabot %} will notify you about security updates for these dependencies by generating {% data variables.product.prodname_dependabot_alerts %} .

Using automatic dependency submission counts toward your {% data variables.product.prodname_actions %} minutes. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).

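Review bot: the new last sentence of the automatic-submission paragraph says Dependabot "will notify you about security updates for these dependencies by generating Dependabot alerts"; alerts report known vulnerabilities in a dependency, while security updates are the separate feature that opens fix pull requests, so "notify you about vulnerabilities in these dependencies by generating Dependabot alerts" matches the feature split used in the other article in this PR. There is also a stray space before the final period: `{% data variables.product.prodname_dependabot_alerts %} .`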
@@ -83,6 +83,8 @@ Automatic dependency submission is currently only supported for Maven. The featu

Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables).

If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.

## Further reading

* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)
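Review bot: the added troubleshooting paragraph says "Pushing a commit which updates `pom.xml` will trigger a new run"; the other article in this PR states the graph is updated on pushes that change a manifest on the default branch, so say "Pushing a commit that updates `pom.xml` on the default branch" to avoid readers pushing to a feature branch and concluding the rebuild is broken ("which" should be "that" in either case). The paragraph also sits under the caching paragraph with no heading of its own; this file already uses `##` headings, so a short "## Troubleshooting" above it would make the tip discoverable.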
@@ -29,9 +29,7 @@ The dependency graph shows the dependencies{% ifversion fpt or ghec %} and depen
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
{% data reusables.repositories.click-dependency-graph %}
1. Optionally, use the search bar to find a specific dependency or set of dependencies.

>[!NOTE] The search bar only searches based on the package name.
1. Optionally, use the search bar to find a specific dependency or set of dependencies. You can use the keywords `ecosystem:` to show only packages of a certain type, or `relationship:` to show only direct or transitive dependencies (if the ecosystem supports transitivity). Plain words in search bar will only match package names.

{% ifversion fpt or ghec %}

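Review bot: two wording problems in the rewritten step: "You can use the keywords `ecosystem:` to show only packages of a certain type, or `relationship:`..." pairs a plural "keywords" with a single keyword each time, and "Plain words in search bar" is missing "the". Suggest "You can use the `ecosystem:` keyword to show only packages of a certain type, or `relationship:` to show only direct or transitive dependencies (if the ecosystem supports transitivity). Plain words in the search bar only match package names." Folding the removed `[!NOTE]` into the step itself is fine; it keeps the package-name caveat next to the instruction it qualifies.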
@@ -50,14 +48,14 @@ Enterprise owners can configure the dependency graph at an enterprise level. For
### Dependencies view

{% ifversion fpt or ghec %}
For each dependency, you can see its ecosystem, the manifest file in which it was found, and the license (where detected).
For each dependency, you can see its ecosystem, the manifest file in which it was found, and its license (where detected).

* Dependencies for private repositories, private packages, or unrecognized files are shown in plain text.
* If the package manager for the dependency is in a public repository, you can hover on the dependency name to display a pop-up with the associated repository information.
* You can sort and filter dependencies by typing filters as `key:value` pairs into the search bar.

* Use `ecosystem: <ecosystem-name>` to display dependencies for the selected ecosystem.{% ifversion transitive-dependency-labeling-npm %}
* **For npm only.** Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status.{% endif %}
* Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status. This filter is only available for ecosystems with transitive dependency support. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems) for more information.{% endif %}

{% endif %}

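Review bot: the bullet text drops "For npm only" and now says the `relationship:` filter "is only available for ecosystems with transitive dependency support", but the enclosing `{% ifversion transitive-dependency-labeling-npm %}` guard on the line above is unchanged. Either the feature-flag name no longer describes what it gates, or the bullet is still only rendered for the npm-labelling versions; check the flag's version ranges and rename it (or switch to a broader flag) so the versioning matches the new wording.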
@@ -109,17 +107,9 @@ The "Used by" section represents a single package from the repository. If you ha

{% endif %}

## Troubleshooting the dependency graph

If your dependency graph is empty, there may be a problem with the file containing your dependencies. Check the file to ensure that it's correctly formatted for the file type.

{% ifversion fpt or ghec %}
If the file is correctly formatted, then check its size. The dependency graph ignores individual manifest and lock files that are over 1.5 Mb, unless you are a {% data variables.product.prodname_enterprise %} user. It processes up to 150 manifest or lock files per repository by default, so you can split dependencies into smaller files in subdirectories of the repository.{% endif %}

If a manifest or lock file is not processed, its dependencies are omitted from the dependency graph and they can't be checked for insecure dependencies.

## Further reading

* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)
* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts){% ifversion ghec %}
* [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){% endif %}{% ifversion fpt or ghec %}
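Review bot: the removed "Troubleshooting the dependency graph" section carried three concrete facts: the 1.5 Mb per-file limit for manifest and lock files outside Enterprise, the default of 150 processed manifest or lock files per repository, and the warning that dependencies in an unprocessed file are omitted from the graph and cannot be checked for insecure dependencies. Confirm the troubleshooting article now linked at the top of "Further reading" states all three, since the last one is the security-relevant caveat readers most need; if it does not, this hunk is a documentation regression rather than a move.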