Update Github actions and add automatic updates #154
Conversation
halamix2
commented
Sep 15, 2023
halamix2
commented
- Update Github actions to their latest versions
- setup Dependabot to automatically create PRs with GH actions version bumps
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
* Bumped dependecies that were marked insecure by Scorecard (https://github.com/ossf/scorecard) and Trivy (https://github.com/aquasecurity/trivy) The vulnerable dependencies can also be automatically bumped with dependabot, similar to #154: ```yaml updates: - package-ecosystem: "gomod" # See documentation for possible values directory: "/" schedule: interval: "daily" commit-message: prefix: "gomod" ```
Are there features or bugfixes that we need in these new versions? It just seems like we're pulling in the latest version for no reason. There are API changes for some of these (like setup-go does caching by default) that I think require more analysis.
I'm not in favor of pulling in new deps just because they exist. I could be convinced to adopt a configuration that suggests updates for dependencies that have security fixes, but randomly pulling in the latest dependencies from the Internet is bad. |
