This will cause dependabot to open PRs to bump any actions, such as "checkout" when never major versions are released.
https://docs.github.com/en/code-security/dependabot/dependabot-version-updat...
You can view, comment on, or merge this pull request online at:
https://github.com/geany/geany/pull/3758
-- Commit Summary --
* Add dependabot.yml
-- File Changes --
A .github/dependabot.yml (6)
-- Patch Links --
https://github.com/geany/geany/pull/3758.patch
https://github.com/geany/geany/pull/3758.diff
@andy5995 pushed 1 commit.
fe457f3b2f72556b01a15e2b5006d8dbd4d79001 Add dependabot.yml
> when never major versions are released
Are you saying Geany will never get another major version :wink:
@b4n @eht16 release specialists, any comment?
> > when never major versions are released
> Are you saying Geany will never get another major version 😉
Hehe, looks like I did bad typing again. ;)
An example is [here where it was merged into the curl project](https://github.com/curl/curl/commit/bf7cd837a68452bef11d9b1a783f43d4128c4ad4) on Jan 2.
And then [dependabot opened a PR](https://github.com/curl/curl/pull/12756) to bump the version of various actions. (The PR shows "closed", but that's because the curl project has a different way of merging things; you can see here that it was merged: https://github.com/curl/curl/commit/dfe34d255926088e596f34ada4b301c4481d0153)
Yeah, why not.
Two remarks:
- why Docker?
- Automatic updating of the action versions won't work directly, as we pinned the actions and their versions in the organization settings. I think this is useful to reduce the risk of getting unwanted actions or code executed in CI. So even after merging Dependabot's PRs, a Geany admin still has to allow that action/version in the settings for security reasons.
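The allow-list pattern described in the remark above, as an added example that is not the file merged in this PR: a dependabot.yml for the github-actions ecosystem, followed by a hypothetical workflow excerpt (the build.yml path, the job and the SHA placeholder are assumptions) that pins a step to a full commit SHA so that a bumped version can be compared against the upstream tag before an admin allow-lists it in the organization settings.

```yaml
# .github/dependabot.yml (added example, not the file from this PR)
version: 2
updates:
  # Before applying suggested PRs, make sure the new versions of any
  # updated actions are allowed in the organization's Actions settings:
  # actions and versions are pinned there so that a merged bump alone
  # does not change what code runs in CI.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/build.yml (hypothetical excerpt, second YAML document)
# Pinning the step to a full commit SHA with the tag in a trailing comment
# lets Dependabot bump both together; the reviewer checks that the new SHA
# really is the upstream tag before adding it to the organization allow-list.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<FULL-COMMIT-SHA-PLACEHOLDER> # v4.1.1
```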
K, I removed the docker section.
@andy5995 pushed 1 commit.
588f70da75d7457c77bcc8b3e625220b79a06873 Add dependabot.yml
@eht16 commented on this pull request.
@@ -0,0 +1,6 @@
+version: 2 +updates:
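Review bot: The hunk shows `+version: 2` and `+updates:` but none of the list entries under `updates:`; for Dependabot to open the action-bump PRs described in the PR text, an entry with `package-ecosystem: "github-actions"`, `directory: "/"` and a `schedule:` interval must follow, and since the organization allow-lists actions and their versions, a merged bump by itself does not change what runs in CI until an admin updates that list.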
```suggestion
updates:
# Before applying suggested PRs, make sure that the new versions of any updated actions are allowed in https://github.com/organizations/geany/settings/actions. Versions are pinned and restricted for security reasons.
```
Can we maybe add the above comment, so that at least in the Dependabot job description we have a hint that versions of the allowed Actions are pinned in the organization settings.
@andy5995 pushed 1 commit.
65d60cf5dc62a0148b35e8afe01c71fd411c2815 Add dependabot.yml
@andy5995 commented on this pull request.
@@ -0,0 +1,6 @@
+version: 2 +updates:
Certainly! Done.
@andy5995 pushed 1 commit.
a5d9d5c351faf7350807094377f3d20e3014a7cd Add dependabot.yml
Merged #3758 into master.
Thanks!
github-comments@lists.geany.org