Add dependabot for github actions #132

Conversation

Force-pushed d64803b to 91198e1 (Compare)
Force-pushed 91198e1 to 89d20ed (Compare)
Pull request overview
Adds a Dependabot configuration to keep GitHub Actions dependencies up to date on an automated schedule, bundling updates together via grouping.
Changes:
- Add `.github/dependabot.yml` to enable Dependabot updates for the `github-actions` ecosystem.
- Configure Dependabot to group all GitHub Actions updates into a single update group.
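For readers who have not seen the grouping setup the review summarises, here is an added example of a `.github/dependabot.yml` for the `github-actions` ecosystem (written for this discussion, not the file from the pull request). It uses the quarterly schedule and single-PR grouping described in the PR, and also includes the 7-day `cooldown` that is proposed further down the thread; the directory and group name are assumptions.

```yaml
# .github/dependabot.yml  (illustrative example, not the PR's own file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Workflows live under .github/workflows; "/" is the conventional root for this ecosystem.
    directory: "/"
    schedule:
      interval: "quarterly"
    # Bundle every action bump into one pull request instead of one PR per action.
    groups:
      github-actions:          # group name is an assumption
        patterns:
          - "*"
    # Do not propose a new release until it has been public for 7 days, so a
    # release that is pulled or flagged shortly after publication never reaches CI.
    cooldown:
      default-days: 7
```

The cooldown only delays *which* version Dependabot proposes; a workflow that references an action by a mutable tag (for example `@v4`) still picks up whatever that tag points to at run time, which is the point made later in the thread about hardened CI.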
I'm not sure what's up with the automated Copilot review. I've not enabled this at the project or org level. Probably another symptom of Microsoft's poor stewardship of this site.
sgillies left a comment
@Rotzbua @mwtoews what do you think about a 1-week cooldown? See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
"cooldown" feature looks good. Maybe pick
The article is correct, but fails to mention the conditions: a hardened CI must already be in place in order to have an effect. A hardened CI uses fixed versions or hashes and sets restrictive access rights. Neither of these is the case in the current GH workflows. However, this is not necessary, as the workflows are only used for automated testing and do not have write or publish permissions. I can add it, but it would not have the desired effect from a security perspective.
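To make concrete what the comment above means by a hardened workflow (fixed hashes and restrictive access rights), here is an added example of a test workflow; it is not one of this project's workflows. The job steps and Python version are assumptions, and `<commit-sha>` is a placeholder to be replaced with the full 40-character commit SHA of the action release being pinned.

```yaml
# .github/workflows/test.yml  (illustrative example, not a workflow from this project)
name: tests
on:
  pull_request:
  push:
    branches: [main]

# Restrictive default for the GITHUB_TOKEN: read-only access to repository contents.
# Jobs that need more must request it explicitly, so a compromised action cannot
# push, publish or modify the repository using the ambient token.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin each action to an immutable commit SHA rather than a mutable tag such as @v4.
      # The trailing "# vN" comment lets Dependabot recognise the release and bump the
      # SHA together with the comment when a newer release clears the cooldown.
      - uses: actions/checkout@<commit-sha>        # v4  (<commit-sha> is a placeholder)
      - uses: actions/setup-python@<commit-sha>    # v5  (<commit-sha> is a placeholder)
        with:
          python-version: "3.12"                   # assumed project interpreter
      - run: python -m pip install -e ".[test]"    # assumed install step
      - run: python -m pytest                      # assumed test command
```

With tags instead of SHAs, a cooldown changes nothing for a workflow: the tag is re-resolved on every run, so a retagged release is executed immediately regardless of Dependabot's schedule. With SHA pins, the cooldown decides when a new release is proposed and the pin decides what actually runs, which is the combination the comment describes as having an effect.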
Add dependabot to auto-update GitHub Actions. Just run quarterly and merge all upgrades to a single pull request.