Keep GitHub Actions up to date with GitHub's Dependabot #13479
cclauss wants to merge 1 commit into mesonbuild:master from
Automates on an ongoing basis the Actions upgrades featured in
* mesonbuild#13171

Fixes software supply chain safety warnings like at the bottom right of https://github.com/mesonbuild/meson/actions/runs/10125136437
* [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)
* [Configuration options for the dependabot.yml file - package-ecosystem](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)
We have previously rejected dependabot. I do not wish to use such hostilely designed software.
Although I'm unsure what you mean by this, since the warnings in question have zero relationship to "supply chain safety". They have to do with something else entirely...
For a bit of additional context, adding a (badly designed) bot to automatically make PRs would not help us in any way -- we don't really need the reminder to update, per the discussion on the linked ticket I had been working on this exact matter back in March -- the problem is that it does not, in fact, actually work. Updating the actions versions breaks the CI, it's that simple. Even the linked PR doesn't update all of them, and that's a nontrivial part of the discussion in that PR. Dependabot would simply open a useless PR that breaks the CI and would be closed or ignored.