
Add dependabot for github actions#132

Merged
sgillies merged 2 commits into
rasterio:mainfrom
Rotzbua:feat_add_dependabot
Mar 9, 2026

Conversation

@Rotzbua

@Rotzbua Rotzbua commented Jan 4, 2026

Contributor

Add dependabot to autoupdate github actions. Just run quarterly and merge all upgrades to a single pull request.

@Rotzbua Rotzbua force-pushed the feat_add_dependabot branch from d64803b to 91198e1 Compare January 4, 2026 14:31
Copilot AI review requested due to automatic review settings March 4, 2026 17:23
@Rotzbua Rotzbua force-pushed the feat_add_dependabot branch from 91198e1 to 89d20ed Compare March 4, 2026 17:23

Copilot AI left a comment


Pull request overview

Adds a Dependabot configuration to keep GitHub Actions dependencies up to date on an automated schedule, bundling updates together via grouping.

Changes:

  • Add .github/dependabot.yml to enable Dependabot updates for the github-actions ecosystem.
  • Configure Dependabot to group all GitHub Actions updates into a single update group.


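An added example of the kind of configuration the overview above describes (this is not the file merged in this PR): Dependabot checks the github-actions ecosystem quarterly, groups every action bump into a single pull request, and waits a cooldown period before proposing a freshly cut release. The group name, the cooldown length and the PR limit are assumptions.

```yaml
# .github/dependabot.yml (added example; not the file from this PR)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" is the conventional directory for github-actions; it covers
    # .github/workflows/*.yml
    directory: "/"
    schedule:
      # Check once a quarter, matching the PR description
      interval: "quarterly"
    # Bundle every action bump into one pull request instead of one PR
    # per action. The group name is an assumption.
    groups:
      github-actions:
        patterns:
          - "*"
    # Do not propose a version until it has been public for this many
    # days, so a bad or compromromised release that is yanked within the
    # window never reaches a PR. The number of days is an assumption.
    cooldown:
      default-days: 7
    # At most one open Dependabot PR for this ecosystem at a time (assumption)
    open-pull-requests-limit: 1
```

The cooldown only delays what Dependabot proposes; it does nothing for a workflow that references a mutable tag, because that tag can move without any Dependabot involvement.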
Comment thread .github/dependabot.yml
@sgillies

sgillies commented Mar 4, 2026

Member

I'm not sure what's up with the automated Copilot review. I've not enabled this at the project or org level. Probably another symptom of Microsoft's poor stewardship of this site.

@sgillies sgillies left a comment

Member

@mwtoews

mwtoews commented Mar 4, 2026

Contributor

"cooldown" feature looks good. Maybe pick default-days: 17 because prime numbers are neat.

@sgillies sgillies left a comment

Member

Okay, here's my suggestion.

Comment thread .github/dependabot.yml
@Rotzbua

Rotzbua commented Mar 5, 2026

Contributor Author

The article is correct, but fails to mention the conditions: A hardened CI must already be in place in order to have an effect.

A hardened CI uses fixed versions or hashes and sets restrictive access rights. Neither of these is the case in the current GH workflows.

However, this is not necessary, as the workflows are only used for automated testing and do not have write or publish permissions.

I can add it, but it would not have the desired effect from a security perspective.

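The two hardening conditions named in the comment above, pinned versions or hashes and restrictive access rights, as an added example workflow (this is not one of rasterio's workflows and does not describe them). The commented-out line shows the weak form and the live lines the hardened one. The commit SHAs are placeholders that must be replaced with the full 40-hex SHA of the release you reviewed; the workflow name, steps and Python version are assumptions.

```yaml
# .github/workflows/test.yml (added example, not a rasterio workflow)
name: test
on:
  push:
    branches: ["main"]
  pull_request:

# Restrictive access rights: the GITHUB_TOKEN handed to every job is
# read-only. Without this block the token gets the repository's default
# permissions, which can include write. A job that genuinely needs more
# declares its own permissions: block, so the widening is visible in review.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Weak: a mutable tag. Whoever can move the tag (the action's
      # maintainers, or an attacker who takes over their repository)
      # chooses what runs here, and nothing in this file changes.
      # - uses: actions/checkout@v4

      # Hardened: pin the full commit SHA, which cannot be moved. Keep the
      # tag in a trailing comment; Dependabot reads it and bumps both the
      # SHA and the comment when a new release appears. Replace the
      # placeholder with the real SHA of the tag you audited (for example
      # via git ls-remote on the action's repository).
      - uses: actions/checkout@<full-40-hex-commit-sha>  # v4.2.2
        with:
          # Do not leave the token in .git/config for later steps to read
          persist-credentials: false

      - uses: actions/setup-python@<full-40-hex-commit-sha>  # v5.x.y (placeholder)
        with:
          python-version: "3.12"

      - run: python -m pip install -e . && python -m pytest
```

With both in place, a Dependabot bump becomes an auditable diff from one immutable SHA to another, and a compromised action still cannot push, publish or read secrets beyond what the job explicitly requested.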
@sgillies sgillies merged commit a9fa7c9 into rasterio:main Mar 9, 2026
8 checks passed
@Rotzbua Rotzbua deleted the feat_add_dependabot branch March 11, 2026 16:55

4 participants