Copilot AI commented Nov 12, 2025

Description

Enables automated dependency updates for GitHub Actions used in CI/CD workflows. Dependabot will now create PRs when newer versions of actions (e.g., actions/checkout, github/codeql-action) are available.

Resolves #292

Changes

  • Added github-actions package ecosystem to .github/dependabot.yml
  • Configured weekly update schedule (consistent with existing Maven configuration)

Checklist:

  • Public methods are documented
  • Public methods are tested
  • New and existing tests pass when run locally
  • There are no new warnings or errors
Original prompt

This section details the original issue you should resolve

<issue_title>[Enhancement]: Monitor and update GitHub Actions workflow dependencies with Dependabot</issue_title>
<issue_description>### What

Dependabot should be configured to monitor and automatically update dependencies used in GitHub Actions workflows (files in .github/workflows). This allows action versions to stay up-to-date and secure without manual intervention. The change involves updating .github/dependabot.yml to include the github-actions package-ecosystem, ensuring workflow actions are checked for updates regularly.

### Why

Automated updates for workflow actions improve the security, reliability, and maintainability of the CI/CD process. It reduces the risk of using outdated or insecure GitHub Actions, helps catch security vulnerabilities quickly, and keeps our workflows in line with best practices through automatic PRs.

### Notes

Example of what to add to .github/dependabot.yml:

```yaml
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "weekly"
```

Further reference: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

Previously discussed as a bug due to the risk to CI/CD from outdated workflows.</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
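As an added illustration of what the new `github-actions` ecosystem entry actually has to work with (example code, not part of this PR or the repository): the script below scans a workflow file for `uses:` references and reports which of them Dependabot can bump. The workflow text and the commit SHA in it are constructed; the classification rules (local `./` actions are ignored, a moving branch ref has no version to update, tag and SHA pins are updatable) are this script's own reading of Dependabot's documented behaviour, not something taken from the project.

```python
"""Inventory the `uses:` references in a GitHub Actions workflow and show which
ones a `package-ecosystem: "github-actions"` Dependabot entry can update.
Added example; the workflow text is constructed and the rules below are an
assumption about Dependabot's behaviour, not project code."""
import re
from dataclasses import dataclass

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'
      - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-lint
      - uses: some-org/some-action@main
      - uses: docker://alpine:3.20
  release:
    uses: some-org/reusable-workflows/.github/workflows/release.yml@v2
"""

# Matches step-level (`- uses:`) and job-level (`uses:`) references and stops
# before any trailing "# v3" version comment that often follows a SHA pin.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")
TAG_RE = re.compile(r"v?\d+(?:\.\d+)*")


@dataclass
class ActionRef:
    raw: str         # the reference exactly as written in the workflow
    pin: str         # "sha", "tag", "branch" or "none"
    updatable: bool  # True if Dependabot has a newer version to propose
    reason: str


def classify(ref: str) -> ActionRef:
    """Classify one `uses:` value (assumed Dependabot rules, see module docstring)."""
    if ref.startswith("./"):
        return ActionRef(ref, "none", False, "local action, ignored by Dependabot")
    if ref.startswith("docker://"):
        return ActionRef(ref, "none", False, "container image, not a GitHub repository reference")
    if "@" not in ref:
        return ActionRef(ref, "none", False, "no ref given")
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.fullmatch(version):
        return ActionRef(ref, "sha", True, "commit pin; Dependabot bumps the SHA and its version comment")
    if TAG_RE.fullmatch(version):
        return ActionRef(ref, "tag", True, "version tag; Dependabot proposes newer tags")
    return ActionRef(ref, "branch", False, "moving branch; nothing for Dependabot to bump")


def inventory(workflow_text: str) -> list[ActionRef]:
    """All `uses:` references in file order, classified."""
    return [classify(m.group(1)) for m in USES_RE.finditer(workflow_text)]


def updatable_refs(workflow_text: str) -> list[str]:
    """Just the references Dependabot's github-actions ecosystem can bump."""
    return [r.raw for r in inventory(workflow_text) if r.updatable]


if __name__ == "__main__":
    for r in inventory(SAMPLE_WORKFLOW):
        status = "update" if r.updatable else "skip  "
        print(f"{status} {r.pin:6} {r.raw}  ({r.reason})")
```

Run against a real `.github/workflows/*.yml` by reading the file into `inventory()`; anything reported as `branch` or `none` will keep floating regardless of the new Dependabot entry and deserves a look by hand.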
Copilot AI changed the title from "[WIP] Add Dependabot configuration for GitHub Actions workflows" to "Configure Dependabot to monitor GitHub Actions workflow dependencies" Nov 12, 2025
Copilot AI requested a review from thomasturrell November 12, 2025 15:52
@thomasturrell thomasturrell marked this pull request as ready for review November 12, 2025 16:24

@thomasturrell thomasturrell merged commit 833f43c into main Nov 12, 2025
7 checks passed
@thomasturrell thomasturrell deleted the copilot/configure-dependabot-for-actions branch November 12, 2025 16:38