Dependabot: ability to bump git tags (for reusable workflows)

[ringods]

A best practice is to lock dependencies. When working with reusable Github Actions workflows in another repository, the docs state that the most secure way is to lock on the git commit hash, which I agree with:

https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow

However, for readability, I would like to tag the repo containing the reusable workflows when new versions are verified to be working.

Would it be possible for Dependabot to support tracking new tags and creating PRs to bump the tag in the repositories where these workflows are reused?

I would use it for upgrading to the newer version of reusable Github Actions workflows:

  - package-ecosystem: "git" # or "git-tag"
    directory: "/.github/workflows"
    schedule:
      interval: "daily"

The general case is just bumping Git tag versions in random files:

  - package-ecosystem: "git" # or "git-tag"
    # Specify a repo if the files to update only contain the tag. The repository should be part of the file content when not specified here
    upstream-repo: "<organization>/<repo>"
    directory: "/"
    # a set of files where the tag to update has to be kept in sync using a single PR
    files:
      - file1.txt
      - otherpath/file2.txt
    schedule:
      interval: "daily"