Add Dependabot configuration for GitHub Actions updates #22514
Conversation
Add a Dependabot configuration that checks once a week if the GitHub Actions are still using the latest version. If not, it opens a PR to update them. It will actually open very few PRs, since we only have major versions specified (like v3), so only on a major v4 release it will update and open a PR. See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
By removing the exact minor and patch version of the cibuildwheel action, it will always use the latest minor/patch version. For cirrus, it will use the latest version even for new major versions. This ensures the latest Python versions are always used to build wheels. Major version updates will be handled by numpy#22514 for GitHub Actions.
|
This looks fine. What are the advantages/disadvantages of keeping GitHub Actions up to date? Can an update break things? |
|
Updates can certainly break things, but not updating will almost always also break things at some point. This way for each action that can be updated, a PR will be openend. So it will update in a controlled manner, and when the PR is openend the workflows will run so you can see if things break or not. |
|
That's a valid concern, especially for such a large project like NumPy. They're working on disabling it on forks, so we can also wait a bit to see where that leads to.
Another option would be using a GitHub Actions workflows with an conditional statement that it only runs on this repository ( |
|
I am a hard -1 on adding back Dependabot, their behavior has been terrible. Sorry @EwoutH. There's also no real need for auto-updating here as far as I can tell. I cannot remember a case where we actually needed this. Maybe there have been one or two, not quite sure, but it doesn't seem like an actual problem that we're having that needs solving. |
|
No worries, I heard the stories by now. |
Add a Dependabot configuration that checks once a week if the GitHub Actions are still using the latest version. If not, it opens a PR to update them.
It will actually open very few PRs, since we only have major versions specified (like v3), so only on a major v4 release it will update and open a PR.
See Keeping your actions up to date with Dependabot.