Skip to content

ci: Add Dependabot configuration for GitHub Actions updates#1755

Open
turbobobbytraykov wants to merge 1 commit into
masterfrom
btraykov/gh-actions-updates-dependabot
Open

ci: Add Dependabot configuration for GitHub Actions updates#1755
turbobobbytraykov wants to merge 1 commit into
masterfrom
btraykov/gh-actions-updates-dependabot

Conversation

@turbobobbytraykov

Copy link
Copy Markdown
Contributor

Configure Dependabot for GitHub Actions updates.

Description

Follow the best security practices in setting up 1st party GitHub actions updates via dependabot.

Reference: https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/auto-update-actions

Related Issue

N/A

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring / code cleanup
  • Build / CI configuration change

Affected Packages

  • igniteui-cli (packages/cli)
  • @igniteui/cli-core (packages/core)
  • @igniteui/angular-templates (packages/igx-templates)
  • @igniteui/angular-schematics (packages/ng-schematics)
  • @igniteui/mcp-server (packages/igniteui-mcp)

Checklist

  • I have tested my changes locally (npm run test)
  • I have built the project successfully (npm run build)
  • I have run the linter (npm run lint)
  • I have added/updated tests as needed
  • My changes do not introduce new warnings or errors

Additional Context

Configure Dependabot for GitHub Actions updates.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a Dependabot configuration to automatically keep pinned GitHub Actions versions up to date, aligning CI maintenance with GitHub’s recommended supply-chain practices.

Changes:

  • Introduces .github/dependabot.yml to enable Dependabot updates for the github-actions ecosystem.
  • Schedules weekly update checks (Mondays).
  • Groups non-security GitHub Actions version updates into a single PR (with a 14-day “cooldown” window before proposing updates).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coveralls

Copy link
Copy Markdown

Coverage Status

coverage: 87.816%. remained the same — btraykov/gh-actions-updates-dependabot into master

Comment thread .github/dependabot.yml
version: 2

updates:
- package-ecosystem: "github-actions"

@damyanpetev damyanpetev Jul 15, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: does this 'disable' the npm/node ecosystem updates if not configured?
Hopefully not, but the topic doesn't really explain that, which I find kinda important

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants