Update GH actions with Dependabot #19663
Conversation
| version: 2 | ||
| updates: | ||
|
|
||
| # Check for updates to GitHub Actions |
There was a problem hiding this comment.
Would it make sense to group some of these into a single PR? Seems a bit noisy given how many different actions we use: https://github.com/marbre/iree/pulls
There was a problem hiding this comment.
Fair enough. I iterate on it.
There was a problem hiding this comment.
I created a single group and Dependabot PR now looks like marbre#7.
There was a problem hiding this comment.
Thanks, I like that more. If we run into issues we can then either take over ourselves or split into a few finer-grained groups, like
- "core" (actions/checkout, actions/setup-python, etc.)
- "releasing" (eregon/publish-release, ncipollo/release-action, dwenegar/upload-release-assets)
- "utility" (peter-evans/create-pull-request, hendrikmuhs/ccache-action), or just "everything else"
There was a problem hiding this comment.
Splitting into between what lives in actions/* and "rest of the world" could be a good start. WDYT? I can send a follow up if that makes sense to you.
There was a problem hiding this comment.
Let's live with this for a bit and then split as needed.
marbre
force-pushed
the
dependabot-gh-actions
branch
from
fffabcb to
bb69469
Compare
marbre
force-pushed
the
dependabot-gh-actions
branch
from
bb69469 to
dc0bed2
Compare
| version: 2 | ||
| updates: | ||
|
|
||
| # Check for updates to GitHub Actions |
There was a problem hiding this comment.
Thanks, I like that more. If we run into issues we can then either take over ourselves or split into a few finer-grained groups, like
- "core" (actions/checkout, actions/setup-python, etc.)
- "releasing" (eregon/publish-release, ncipollo/release-action, dwenegar/upload-release-assets)
- "utility" (peter-evans/create-pull-request, hendrikmuhs/ccache-action), or just "everything else"
Actions are pinned with hashes as suggested by OpenSSF Scorecard, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies. Those actions get now upgraded by using Depandabot, see https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.