Use Dependabot to update GHAs, now supports SHAs
This is a bit of a test of Dependabot's support for managing SHA-based
versions of GitHub Actions.

In the original press release about Dependabot's support for GHAs,
they say:

> Dependabot creates pull requests that update the action to the latest
released tag (e.g., v2), regardless of if you’re currently on a release
tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of:

dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

As always, we should be careful about taking updates from third parties
and review these PRs to update GHAs carefully. Especially until submariner-io#1740
reduces the permissions of each job to the minimum required.

Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 authored and astoycos committed Apr 14, 2022
1 parent af32e13 commit 74f1603
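A check that a reviewer of these Dependabot PRs might want to keep on hand, added here as an example and not code from this commit or from the submariner-io repository: it scans a workflow file for `uses:` references that are not pinned to a full 40-hex commit SHA, and for SHA pins that lack the trailing `# vX.Y.Z` comment that records which release the SHA is meant to match. The sample workflow, its placeholder SHAs and the `v3.0.2` tag are constructed for the example; the action names in it are illustrative only.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full SHA.

Added example (not part of the commit above). The sample workflow below is
constructed; its SHAs are placeholders, not real commits of those actions.
"""
import re

# A `uses:` line with an optional trailing `# comment`. Matches both
# `- uses: x` and `  uses: x` (a step that starts with `- name:`), and
# tolerates quoted values.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<value>[^#\s]+)\s*(?:#\s*(?P<comment>.*))?$"
)
# Only a full 40-hex commit SHA counts as a pin; tags and branches are mutable.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Yield (line_no, action, ref, comment) for every remote action reference.

    Local actions (`./path`) and container actions (`docker://...`) are
    skipped: they are not the third-party GitHub Actions SHA pinning is about.
    """
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip("'\"")
        if value.startswith(("./", "docker://")):
            continue
        action, _, ref = value.partition("@")
        yield line_no, action, ref, (m.group("comment") or "").strip()


def unpinned_uses(workflow_text):
    """Return [(line_no, action, ref)] for actions whose ref is not a full SHA."""
    return [
        (n, action, ref)
        for n, action, ref, _comment in parse_uses(workflow_text)
        if not FULL_SHA_RE.match(ref)
    ]


def pinned_without_version_comment(workflow_text):
    """Return [(line_no, action, sha)] for SHA pins with no `# vX.Y.Z` comment.

    The comment tells a reviewer which release tag the SHA is supposed to
    correspond to, so the SHA can be checked against that tag upstream.
    """
    return [
        (n, action, ref)
        for n, action, ref, comment in parse_uses(workflow_text)
        if FULL_SHA_RE.match(ref) and not re.match(r"^v?\d", comment)
    ]


# Constructed sample workflow: one correct pin, two mutable refs, one local
# action, one container action, and one SHA pin without a version comment.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.0.2
      - uses: actions/setup-go@v3
      - uses: ./.github/actions/local-thing
      - name: lint
        uses: golangci/golangci-lint-action@main
      - uses: "docker://alpine:3.15"
      - uses: some-org/tool@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for n, action, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is not pinned to a full commit SHA")
    for n, action, sha in pinned_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{sha} has no version comment")
```

Run it over every file under `.github/workflows/` before merging a Dependabot PR; a mutable ref or a SHA with no version comment is what to look for in the diff. The check is deliberately local: whether a given SHA really is the commit behind the tag in the comment still has to be confirmed against the upstream repository.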
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/dependabot.yml
@@ -1,6 +1,10 @@
---
version: 2
updates:
- package-ecosystem: github-actions
directory: '/'
schedule:
interval: daily
- package-ecosystem: gomod
directory: "/"
schedule:
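Review bot: the new github-actions entry writes `directory: '/'` with single quotes while the gomod entry right below it uses `"/"`; pick one quoting style for the file. Since the commit message asks that every action-bump PR be reviewed carefully, `interval: daily` may generate more PRs than the team will review promptly; `interval: weekly` or an `open-pull-requests-limit` keeps the review load bounded. `directory: '/'` is the right value for this ecosystem: Dependabot reads the workflows under `.github/workflows/` relative to the repository root.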
