chore: Included githubactions in the dependabot config #2206
Conversation
This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure. Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot GitHub actions up to date https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
|
Interesting, I didn't know this was an option. Questions:
|
With this change dependabot would open PR’s for out of sync actions. To answer your second question when dependabot opens the PR it will show the diffs in code and release note which can help you decide whether or not to update. Hope this helps. Thanks |
Yes. The only two we have...
The idea here is more about having the bumping PR, the actual decision on accepting is still ours, as @naveensrinivasan said. EDIT: Even if it looks like, I'm not very strong about this PR... I don't think there's much benefit, but it's a good thing... |
In the future, if you add any workflows this will keep it updated. I'll let you decide. 👍 |
This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure.
Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot
GitHub actions up to date https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool
Signed-off-by: naveensrinivasan 172697+naveensrinivasan@users.noreply.github.com