ci(deps): configure dependabot for github-actions #5521
Conversation
Needs these labels added to the github repo/org:
- dependencies
- github-actions

Would appreciate review from someone familiar with this.
I know it is a critical file of repo configuration, so I'll provide more info... Dependabot aims to solve/fix security issues (what is known as a CVE - Common Vulnerabilities and Exposures) by making automatic pull requests as recommendations. In those PRs, the entire context with breaking changes, release/changelog history, compatibility and so on will be provided as the description. At no moment does it commit anything without supervision. Let me know what is expected, and I'll change it. 😉
I hope this helps to get in context 🤗
Today dependabot advised me about an action update. Here is the example: davorpa/testing-github-actions#1
Also the labels are now more adequate, based on what I can see in other repos.
Today again another notification about github-actions came into my inbox. It cheat me that
Question: on other repos I have, there's a bot that warns about security issues, but the alerts and PRs are only visible to the repo owner. Is that true for dependabot?
PRs are always public. Security alerts aren't. Moreover, I don't know if the bot only responds to reply commands (e.g. @EbookFoundation/reviewers). Could someone try with davorpa/testing-github-actions#2, which is still open?
just a small nitpick
Co-authored-by: CleanMachine1 <78213164+CleanMachine1@users.noreply.github.com>
Only those who have the permissions can: davorpa/testing-github-actions#2 (comment)
Yep, I'll see it. Thanks, Luigi. Then I think it's safe to enable this feature since it is like a normal PR but with bot commands and compatibility info as extra.
What does this PR do?
So, this PR configures Dependabot to automate this process for the github-actions artifacts used in repository workflows.
As configured, it needs these labels added to the github repo/org:
free-programming-books/.github/dependabot.yml (lines 17 to 22 in 786ae8b)
Checklist:
- dependabot.yml config file
- Followup
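To make the configuration discussed in this PR concrete, here is an added example of a `.github/dependabot.yml` that enables version updates for the `github-actions` ecosystem and applies the two labels named above. This is illustrative code written for this page, not the contents of the project's own file (lines 17 to 22 of `dependabot.yml` are not reproduced here); the weekly schedule and the `ci(deps)` commit prefix are assumptions chosen to match the PR title, and the keys used (`package-ecosystem`, `directory`, `schedule`, `labels`, `commit-message`) are standard Dependabot configuration keys.

```yaml
# Added example (not the project's own dependabot.yml).
# Lives at .github/dependabot.yml in the repository root.
version: 2
updates:
  # "github-actions" tells Dependabot to scan workflow files under
  # .github/workflows/ and open PRs when a referenced action has a newer release.
  - package-ecosystem: "github-actions"
    # For the github-actions ecosystem, "/" means the repository's
    # .github/workflows directory.
    directory: "/"
    schedule:
      # Assumption: a weekly cadence; adjust to the project's preference.
      interval: "weekly"
    # Labels applied to every update PR. As the PR description notes,
    # these labels must exist in the repository/org for them to be useful.
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      # Assumption: prefix matching this PR's conventional-commit style.
      prefix: "ci(deps)"
```

As the thread already observes, Dependabot only opens pull requests; nothing is merged without a maintainer's review, so the PR description (changelog, compatibility notes) is where the security relevance of each bump is assessed before it lands.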