
chore: Included githubactions in the dependabot config

Open naveensrinivasan opened this issue 3 years ago • 2 comments

This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure.

Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot

GitHub actions up to date https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool

Signed-off-by: naveensrinivasan [email protected]

naveensrinivasan avatar May 06 '22 01:05 naveensrinivasan

I would recommend ignoring minor updates in the official actions, otherwise this would become annoying. Something like this:

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Official actions have moving tags like v1
      - dependency-name: "actions/*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

See https://scikit-hep.org/developer/gha_basic#updating or various repositories like pypa/cibuildwheel.

henryiii avatar May 06 '22 19:05 henryiii
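
Added example, not code from this thread or from the rich project: a Ruby script that loads the dependabot.yml suggested above with the standard-library yaml module and applies a simplified model of its ignore rule, so you can see which action bumps it suppresses and which still produce a pull request. The glob and update-type matching is my reading of the documented semantics, not Dependabot's own implementation, and the sample config and version pairs are constructed.

```ruby
require 'yaml'

# Constructed sample: the dependabot.yml suggested in this thread.
DEPENDABOT_YML = <<~YAML
  version: 2
  updates:
    # Maintain dependencies for GitHub Actions
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
      ignore:
        # Official actions have moving tags like v1
        - dependency-name: "actions/*"
          update-types: ["version-update:semver-minor", "version-update:semver-patch"]
YAML

# Minimal structural check: is the github-actions ecosystem covered at all?
def github_actions_block(config)
  Array(config['updates']).find { |u| u['package-ecosystem'] == 'github-actions' }
end

# Classify a tag bump as a Dependabot update-type. "v3" is read as 3.0.0; nil when equal.
def bump_type(from, to)
  a, b = [from, to].map { |v| (v.delete_prefix('v').split('.').map(&:to_i) + [0, 0, 0]).first(3) }
  return 'version-update:semver-major' if a[0] != b[0]
  return 'version-update:semver-minor' if a[1] != b[1]
  return 'version-update:semver-patch' if a[2] != b[2]
  nil
end

# Simplified model (an assumption, not Dependabot's code): an update is suppressed when
# some ignore rule's dependency-name glob matches and the rule either lists no
# update-types or lists this bump kind.
def ignored?(config, dep_name, from, to)
  block = github_actions_block(config)
  return false unless block
  kind = bump_type(from, to)
  Array(block['ignore']).any? do |rule|
    next false unless File.fnmatch(rule['dependency-name'], dep_name)
    types = rule['update-types']
    types.nil? || types.include?(kind)
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = YAML.safe_load(DEPENDABOT_YML)
  puts ignored?(cfg, 'actions/checkout', 'v3', 'v3.1.0')  # true: minor bump on an official action
  puts ignored?(cfg, 'actions/checkout', 'v3', 'v4')      # false: major bump still gets a PR
end
```

Major bumps of official actions and any bump of third-party actions still reach you, which is the trade-off the ignore rule is making.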

    ignore:
      # Official actions have moving tags like v1
      - dependency-name: "actions/*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

Updated it! PTAL. Thanks!

naveensrinivasan avatar May 07 '22 01:05 naveensrinivasan

Don't understand this one. If you think it's needed, please reopen with a tl;dr explanation.

willmcgugan avatar Sep 19 '22 09:09 willmcgugan