From cfd2a94c1fe77626a6102a16f62c81de750b1af7 Mon Sep 17 00:00:00 2001 From: Daniel Farrell Date: Wed, 23 Mar 2022 11:31:26 -0400 Subject: [PATCH] Use Dependabot to update GHAs, now supports SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a bit of a test of Dependabot's support for managing SHA-based versions of GitHub Actions. In the original press release about Dependabot's support for GHAs, they say: > Dependabot creates pull requests that update the action to the latest released tag (e.g., v2), regardless of if you’re currently on a release tag, a pre-release tag, or a specific hash. github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/ But I think SHA-based updates were added as a part of: https://github.com/dependabot/dependabot-core/issues/2835 I see examples where Dependabot apparently works with SHAs: https://github.com/systemd/systemd/pull/22638/files https://github.com/google/go-github/pull/2049/files And those projects are using config like is proposed here: https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5 https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15 As always, we should be careful about taking updates from third parties and review theses PRs to update GHAs carefully. Especially until #1740 reduces the permissions of each job to the minimum required. Signed-off-by: Daniel Farrell --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 00b474a3a8..819eb6531a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,10 @@ --- version: 2 updates: + - package-ecosystem: github-actions + directory: '/' + schedule: + interval: daily - package-ecosystem: gomod directory: "/" schedule: