ci: Add a Dependabot config to auto-update GitHub action versions #3437

Merged
merged 1 commit into from
Jun 18, 2024


kurtmckee
Contributor

@kurtmckee kurtmckee commented Jun 17, 2024

Currently, deprecation warnings are being thrown due to actions using out-of-date Node versions (recent example). Rather than submitting a PR to update them manually, this PR configures Dependabot to regularly submit PRs to update GitHub action versions as needed.

If this PR merges, you can expect Dependabot to immediately submit a PR to update actions to newer versions.

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
@dangotbanned
Member

@kurtmckee I'd really appreciate this.

Some more examples of manual updates I've been doing since starting to work on altair:
60b40a5 (#3431)
237079f (#3431)

@mattijn
Contributor

mattijn commented Jun 18, 2024

Thanks for this PR! Very useful!

Quick question: the CI of the current PR still shows the Node warnings:

image

Updating dependencies of GitHub action will only happen after this PR is merged?

@dangotbanned
Member

Updating dependencies of GitHub action will only happen after this PR is merged?

@mattijn https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

Seems to need to be on main

@kurtmckee
Contributor Author

@mattijn If this merges to main you can expect Dependabot to open a PR immediately. The warnings in the screenshot you posted should be resolved by updating to the latest version of actions/checkout and actions/setup-python, and the Dependabot config will make sure Dependabot keeps these updated as new versions are released.

For example, here's a representative PR from Dependabot on one of my projects:

kurtmckee/chipshot#44

@mattijn
Contributor

mattijn commented Jun 18, 2024

Ok! Thanks for the clarification!

@mattijn mattijn merged commit 596b282 into vega:main Jun 18, 2024
12 checks passed
@kurtmckee kurtmckee deleted the add-dependabot-for-actions branch June 18, 2024 15:46