Conversation

@cclauss (Contributor) commented Nov 3, 2025

* [Keeping your software supply chain secure with Dependabot](https://docs.github.com/en/code-security/dependabot)
* [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)
* [Configuration options for the `dependabot.yml` file - package-ecosystem](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)

To see all GitHub Actions dependencies, type:
% `git grep 'uses: ' .github/workflows/`
@HexDecimal (Collaborator)

Thanks for this, though I worry about Dependabot adding too much noise, I'll change the interval if that becomes a problem.

codecov bot commented Nov 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.45%. Comparing base (37e1b34) to head (770ec46).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #169   +/-   ##
=======================================
  Coverage   83.45%   83.45%           
=======================================
  Files          31       31           
  Lines        7423     7423           
=======================================
  Hits         6195     6195           
  Misses       1228     1228           


@cclauss (Contributor, Author) commented Nov 3, 2025

A few saved replies that I sometimes use...

GitHub Actions are only used at CI test-time, while most other dependencies are also used at runtime. This means that if the CI tests pass, maintainers have more confidence that the proposed changes will not break runtime.

GitHub Actions have very infrequent major version changes. setup-python, the most frequent, has only had five major upgrades in its lifetime.

When GitHub Actions are upgraded, it often happens in batches. The `pattern: *` proposed in this PR will consolidate all GHA updates into a single pull request, further reducing chattiness.

There is a tradeoff between supply chain security and chattiness. Given that we have a few GHAs that are updated rarely and usually in batches, and we are using `pattern: *` to ensure that there will only ever be a single GHA upgrade PR at a time.


Thanks for the review. The interval options are daily, weekly, or monthly (not quarterly).

GitHub Actions have very infrequent major version changes. setup-python, the most frequent, has only had five major upgrades in its lifetime. Also, when they are upgraded, it often happens in batches. The `pattern: *` will consolidate all GHA updates into a single pull request, further reducing chattiness. See: rapidfuzz/RapidFuzz#362

There is a tradeoff between supply chain security and chattiness. Given that we have a few GHAs that are updated rarely and usually in batches and we are using `pattern: *` to ensure that there will only ever be a single GHA upgrade PR at a time, my recommendation would be to kick off this process in weekly mode. It is trivial to switch to monthly mode if we sense it becomes chatty. I doubt that it will.
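The setup these comments describe, written out as an added example (this is not the PR's own `dependabot.yml`, which the page does not show): a `github-actions` ecosystem entry on a weekly schedule whose single group matches every action with `pattern: *`, so all action bumps arrive in one pull request. The `directory` value and the group name are assumptions.

```yaml
# .github/dependabot.yml  (constructed example, not the file from this PR)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Workflow files under .github/workflows/ are discovered from the repo root.
    # Assumption: the project keeps its workflows in the default location.
    directory: "/"
    schedule:
      # "weekly" as recommended in the comment above; change to "monthly"
      # if the update PRs turn out to be too chatty.
      interval: "weekly"
    groups:
      # The group name is an assumption; any name works.
      github-actions:
        patterns:
          - "*"   # every action in every workflow is bumped in one PR
```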

@HexDecimal (Collaborator)

> A few saved replies that I sometimes use...

* https://github.com/settings/replies

Good pointing that out, the quick verbose reply was very conspicuous. That URL is for the local account, it doesn't show your own replies to others. Might be a good idea to disclaim quick replies so that they're not mistaken for an LLM or something.

> The interval options are daily, weekly, or monthly (not quarterly).

This is inaccurate compared to the documentation you've provided. There are several more options including quarterly.
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#interval

@HexDecimal HexDecimal merged commit d7d9a7e into libtcod:main Nov 3, 2025
23 checks passed
@cclauss cclauss deleted the patch-1 branch November 3, 2025 12:11