chore: enable Dependabot weekly GitHub Actions bumps #46157

Merged: paulinebm merged 1 commit into main from chore/add-dependabot-github-actions on May 26, 2026

@hf-dependantbot-rollout
Contributor

Summary

Adds `.github/dependabot.yml` so this repo's pinned GitHub Action SHAs
get bumped automatically once a week.

All action updates are grouped into one weekly PR (not one PR per
action) to keep the noise down, and Dependabot waits 7 days after a
release before opening the bump (`cooldown`). The 7-day cooldown is
aligned with the org's pinact `min_age: 7` policy — so by the time
the Dependabot PR lands, the SHA is already old enough for the security
gate to accept it. The bot opens the PR; the org-wide security gate
(pinact + denylist + deny-packages + osv-scan) runs on it; a human
merges.

Why

GitHub Action SHAs that were safe when pinned can drift out of date —
missing security patches, bug fixes, or new features. Dependabot keeps
them current. Combined with the org-wide validation workflow (which
blocks compromised SHAs from landing), the bumps are safe by
construction.

Closes huggingface/tracking-issues#508
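
For readers who want to see how the settings in the summary map onto Dependabot's configuration keys, here is a sketch of such a file. It is an added example, not the file from this PR; the group name `github-actions` and the `directory` value are assumptions.

```yaml
# .github/dependabot.yml (illustrative sketch, not the PR's actual file)
version: 2
updates:
  - package-ecosystem: "github-actions"   # bump actions referenced in workflow files
    directory: "/"                        # assumed: repo root, where .github/workflows lives
    schedule:
      interval: "weekly"                  # one update run per week
    cooldown:
      # Wait 7 days after a release before proposing it. Keeping this equal to
      # (or larger than) the gate's minimum-age policy means the proposed SHA
      # is already old enough when the security gate checks the PR.
      default-days: 7
    groups:
      # Assumed group name. Matching every action puts all bumps into a
      # single weekly PR instead of one PR per action.
      github-actions:
        patterns:
          - "*"
```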

@HuggingFaceDocBuilderDev

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@paulinebm requested review from tarekziade and ydshieh on May 22, 2026 11:38
Collaborator

@ydshieh left a comment

Of course

@paulinebm added this pull request to the merge queue on May 26, 2026
Merged via the queue into main with commit 9b1bf03 on May 26, 2026
21 checks passed
@paulinebm deleted the chore/add-dependabot-github-actions branch on May 26, 2026 08:19
yuchenxie4645 pushed a commit to yuchenxie4645/transformers that referenced this pull request May 28, 2026
Co-authored-by: hf-dependantbot-rollout[bot] <285970069+hf-dependantbot-rollout[bot]@users.noreply.github.com>
kashif pushed a commit to kashif/transformers that referenced this pull request Jun 1, 2026
Co-authored-by: hf-dependantbot-rollout[bot] <285970069+hf-dependantbot-rollout[bot]@users.noreply.github.com>