
Add a Dependabot config to maintain GitHub action versions #376

Merged
anishathalye merged 1 commit into anishathalye:master from kurtmckee:add-dependabot
Feb 22, 2025

Conversation

@kurtmckee (Contributor)

If accepted, Dependabot will scan the repo for GitHub action version updates once per month and submit a single PR for any actions that have received updates.

Since the repo only pins to major versions (like actions/checkout@v4), this will probably be a small number of PRs per year. Nevertheless, it will help reduce maintenance burden as actions are updated and old versions are deprecated.
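A Dependabot configuration that produces the behaviour described above (one scan of the `github-actions` ecosystem per month, all available action updates bundled into a single PR) looks like the following. This is an added illustration written for this page, not the file from this PR; the PR's actual contents are not shown here, so the group name `github-actions` and the `directory` value are assumptions.

```yaml
# .github/dependabot.yml (illustrative; not the file from this PR)
version: 2
updates:
  # Covers the `uses:` references in .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    # "/" tells Dependabot to look in the repository's .github/workflows directory
    directory: "/"
    schedule:
      # one scan per month, as described in the PR text above
      interval: "monthly"
    # Bundle every available action update into one PR instead of one PR per action
    groups:
      github-actions:
        patterns:
          - "*"
```

With major-version pins such as `actions/checkout@v4`, Dependabot only opens a PR when a new major tag is published, so the grouped PR, and the CI run it triggers, is the signal that a version change needs review.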

@codecov (codecov bot) commented Feb 20, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.63%. Comparing base (686db86) to head (2a02700).
Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #376   +/-   ##
=======================================
  Coverage   85.63%   85.63%           
=======================================
  Files          20       20           
  Lines         696      696           
=======================================
  Hits          596      596           
  Misses        100      100           


@anishathalye (Owner)

We pin major versions; would Dependabot submit a PR to bump a major version? How exactly does that work, since actions' APIs can change with major version upgrades? I couldn't answer this question based on the docs I could find [1, 2].

@kurtmckee (Contributor, Author)

Dependabot simply updates the version. In some cases (actions/checkout, actions/setup-python) there haven't been any breaking changes when they upgraded across major versions.

The only time I've seen breakage in the last several years (for the actions I've used) was for caching and artifact actions changes. Importantly, the old versions were being shut down completely and would stop working. Therefore, having Dependabot submit a PR flagging that a new version was available, and seeing the CI job fail in the PR, indicated not only that there was a new version, but triggered investigation to see what was happening.

In effect, the PRs for actions/cache and actions/{upload|download}-artifact served as notifications that the versions I was using were going to be shut down if I did nothing.

@anishathalye anishathalye merged commit 1ee9741 into anishathalye:master Feb 22, 2025
@anishathalye (Owner)

Sounds good!

@kurtmckee kurtmckee deleted the add-dependabot branch February 22, 2025 19:31