Dependabot configuration to update actions in workflows #6872
I tried this in the past and it broke things and I didn't have time to investigate further (revert PR). It was over two years ago so maybe things are better now. I won't be merging this until I have the time to deal with the fallout if this breaks things as in the past. How confident are you that the latest actions versions won't break anything? Have you tested it?
Thanks for the context - do you recall what broke? Seems checks did not run on the actions/checkout bump in https://github.com/github-linguist/linguist/pull/5911/checks, although the Actions history begins about a year after that https://github.com/github-linguist/linguist/actions?page=32 so it may be lost to time. In any case, I did bump actions/checkout v4 on my fork here and all checks passed without issue https://github.com/ScottBrenner/linguist/pull/1/checks. The other action, ruby/setup-ruby, appears to keep their "v1" tag updated https://github.com/ruby/setup-ruby/tree/v1 and would not (yet) be updated by the proposed changes here.
I don't specifically, but from my comment in #5912 checkout depth was at least one problem. We need more than This problem wasn't caught by the tests in the PR itself for some reason I can't recall 👴
The commits in
That looks to be left over from when I was tatting with this last time, so maybe I've already fixed that issue 😁 I note your test PR only updates the checkout action. Do things still pass if you update all actions to their latest versions? (I've not looked closely at what else is used and could be updated).
Believe actions/checkout is the only action that would be updated by this - the only other action ruby/setup-ruby uses v1 which they seem to keep updated under https://github.com/ruby/setup-ruby/tree/v1
There's no need to close this.
Description
Noticed a few actions used in the workflows here are outdated, proposing a Dependabot configuration to update - reference https://docs.github.com/en/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions#keeping-the-actions-in-your-workflows-secure-and-up-to-date
Suggest enabling https://docs.github.com/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-for-your-repository as well.
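
The thread turns on which `uses:` references in the workflows an update would touch, so as an added example (not part of this PR or of the project's code), the following Python script inventories the action references in a workflow and reports how each one is pinned. The workflow text, the `example-org/example-action` entry and the `classify`/`inventory` helper names are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample workflow (not the repository's actual file).
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - uses: ruby/setup-ruby@v1
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - run: bundle exec rake test
"""

ActionRef = namedtuple("ActionRef", "line action ref kind")

# Matches "uses: owner/repo@ref" with or without the leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")

def classify(ref):
    """Describe how a reference is pinned."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit-sha"        # immutable pin
    if re.fullmatch(r"v?\d+", ref):
        return "major-tag"         # moving tag such as v1 or v4
    if re.fullmatch(r"v?\d+(\.\d+)+", ref):
        return "version-tag"       # exact release tag
    return "branch-or-other"

def inventory(workflow_text):
    """Return every remote action reference with its line number and pin kind."""
    found = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue               # local actions and container images carry no action ref
        action, _, ref = target.partition("@")
        found.append(ActionRef(lineno, action, ref, classify(ref) if ref else "unpinned"))
    return found

if __name__ == "__main__":
    for r in inventory(SAMPLE_WORKFLOW):
        print(f"{r.line:>3}  {r.action:<28} {r.ref[:12]:<12} {r.kind}")
```
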