Enable dependabot for github-actions #1467
Conversation
| @@ -0,0 +1,6 @@ | |||
| version: 2 | |||
| updates: | |||
| - package-ecosystem: "github-actions" | |||
There was a problem hiding this comment.
What does this accomplish for PHPC? Our only direct dependencies are the libmongoc and libmongocrypt submodules, and I doubt it's going to help us write Autoconf files :)
Would this be better suited to PHPLIB? I see that Composer is handled within dependabot/dependabot-core.
There was a problem hiding this comment.
It's only about github-actions dependencies. It opens PRs like this: mongodb/mongo-php-library#1159
There was a problem hiding this comment.
@jmikola FWIW, Dependabot could open pull requests for updates to submodules, but it currently can't handle tags and can only update to the latest commit.
I'm fine with having automatic updates to GitHub Actions dependencies so we don't have to manually keep track of them.
There was a problem hiding this comment.
Oh, my mistake for not realizing what package-ecosystem: "github-actions" did. SGTM.
Following @alcaeus demand: mongodb/laravel-mongodb#2612 (review). This will open PR when new versions of GitHub actions are available.
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates