Enable Dependabot for GitHub Actions
Our workflows use old GitHub Actions. For example, we use actions/checkout@v3 but actions/checkout@v5 is the latest version:
https://github.com/google/flatbuffers/blob/599847236c35fa3802ea4e46e20e93a55d3a4a94/.github/workflows/build.yml#L33
https://github.com/actions/checkout/releases
How about enabling Dependabot? If we enable Dependabot, Dependabot opens PRs that update old GitHub Actions.
Dependabot document: https://docs.github.com/en/code-security/dependabot
Dependabot configuration document: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
@bjornharrtell I noticed you were interacting with dependabot recently, is this something you could comment on?
@jtdavis777 not sure what you mean with interacting, it wasn't conscious. :) That said, I don't see why not... except that flatbuffers as a project seems to lack maintainers/time, so it might increase burden.
ah I had just seen that you had approved #8779 and I think merged a different PR into that branch. I'm unsure who (of the active participants :D ) has experience and authority with the CI
Yeah, the biggest downside I see is that it usually creates a lot of MRs. I am personally not the biggest fan, but I agree with @kou that we should take a look at the CI and modernize it a bit - I have that on my todo but didn't get to it yet :see_no_evil:
Update: I took some time to update it a bit: https://github.com/google/flatbuffers/pull/8812
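A Dependabot configuration matching the proposal in this issue, as an added example (not taken from the flatbuffers repository or from PR #8812). The weekly schedule, the PR limit and the group name `actions` are assumptions, chosen to address the PR-volume concern raised in the comments by batching all action updates into one pull request.

```yaml
# .github/dependabot.yml (added example; schedule, limit and group name are assumptions)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" makes Dependabot look in .github/workflows/ for `uses:` references
    # such as actions/checkout@v3
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of Dependabot version-update PRs open at once
    open-pull-requests-limit: 5
    groups:
      # One combined PR for every action that has an update available,
      # instead of one PR per action
      actions:
        patterns:
          - "*"
```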