#54503 closed feature request (fixed)
Configure Dependabot alerts for when GitHub Actions updates are available
| Reported by: | desrosj | Owned by: | desrosj |
|---|---|---|---|
| Milestone: | 5.9 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Build/Test Tools | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
The GitHub Dependabot can be configured to monitor GitHub Actions for updates. This is useful because it avoids having to manually check every action in use within workflow files.
This should be configured so that maintenance of these workflow files is easier.
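The kind of configuration the ticket asks for, shown here as an added example rather than the patch attached to the ticket. It assumes the file is committed at `.github/dependabot.yml`, the path GitHub reads Dependabot configuration from; the weekly interval and the pull-request limit are constructed values.

```yaml
# .github/dependabot.yml
# Added example configuration; not the patch attached to this ticket.
version: 2
updates:
  # Watch the `uses:` references in every workflow file under
  # .github/workflows/ and open a pull request when a newer release
  # of an action is available, instead of checking each action by hand.
  - package-ecosystem: "github-actions"
    # For the github-actions ecosystem, "/" means "scan .github/workflows/".
    directory: "/"
    schedule:
      interval: "weekly"   # constructed value; "daily" and "monthly" also exist
    # Upper bound on concurrently open update PRs (constructed value).
    open-pull-requests-limit: 5
```

Once this file is on the default branch, Dependabot begins scanning the workflow files on the next scheduled run; the resulting PRs bump the version references in `uses:` lines so that reviewers can see exactly which action changed.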
Attachments (1)
Change History (9)
This ticket was mentioned in Slack in #core by sergey (3 years ago).
#3 (follow-up: ↓ 7), 2 years ago
FYI: for anyone who had "old" forks of this repo and has in the meantime updated the default branch in their fork from `master` to `trunk`, this config means that PRs will be opened to those forks as well.
As far as I can see, there is currently no way to disable this for a fork, other than possibly switching to renovate-bot instead.
#4 (follow-up: ↓ 6), 2 years ago
Thanks for pointing this out!
I was also surprised to see this happening on my fork. One of the reasons I made this change was that the documentation states that "if you want to enable version updates on forks, there's an extra step" (source).
It's definitely annoying, but I wonder how many forks of `wordpress-develop` out of the 1,400 currently are "old" and subject to this. Personally, I would prefer to stick with the native GH Dependabot if possible. If more people start raising this concern, we can open a new ticket to discuss switching. For now, I'll see about reaching out to GitHub DevRel folks and starting a discussion around this one.
#5, 2 years ago
Just wanted to confirm that new forks will have the correct behavior and require them to be manually activated.
#6 (in reply to: ↑ 4), 2 years ago
Replying to desrosj:
> It's definitely annoying, but I wonder how many forks of `wordpress-develop` out of the 1,400 currently are "old" and subject to this.

Honestly not sure, but AFAICS it only starts happening if they renamed the main branch of their fork to `trunk` and keep that branch up to date (or at least updated it to beyond the commit which included the Dependabot config).

> Personally, I would prefer to stick with the native GH Dependabot if possible.

Understood. Salient detail: Microsoft repos on GH all use Renovate ;-)

> If more people start raising this concern, we can open a new ticket to discuss switching. For now, I'll see about reaching out to GitHub DevRel folks and starting a discussion around this one.

👍🏻

> Just wanted to confirm that new forks will have the correct behavior and require them to be manually activated.

Yes, IIRC the default behaviour for forks changed about a year ago, but old forks still can't turn it off.
#7 (in reply to: ↑ 3), 2 years ago
Replying to jrf:
> FYI: for anyone who had "old" forks of this repo and has in the meantime updated the default branch in their fork from `master` to `trunk`, this config means that PRs will be opened to those forks as well.
> As far as I can see, there is currently no way to disable this for a fork, other than possibly switching to renovate-bot instead.
To follow up on this, GitHub pushed a feature today that allows more granular control of Dependabot behavior on forks: https://github.blog/changelog/2022-11-07-dependabot-pull-requests-off-by-default-for-forks/. I was able to disable Dependabot version updates manually on my fork using this.
In 52241: