bits-and-blooms/bitset

Use dependabot to keep GitHub Actions updated

pnacht opened this issue · 0 comments

pnacht commented

bitset already hash-pins its GitHub Actions (done in #136), which is great. However, hashes are hard to update manually, so we could use dependabot to do this work automatically.

We can set up dependabot to send a single periodic PR to update all the hashes. This will help keep your CI up-to-date. If you'd rather keep the Actions fixed at these trusted versions, that's understandable.

In any case, I'll also suggest enabling Dependabot security updates (if you haven't already – that information isn't visible from outside). These are PRs sent by Dependabot whenever a vulnerability is reported on a dependency. This will ensure that, should a vulnerability be discovered in the hash-pinned version of an Action, bitset will immediately receive a PR to migrate to a patched version. To enable security updates:

  1. Settings > Code security & analysis
  2. Enable "Dependabot security updates"

In the meantime, I'll send a PR adding dependabot so you can take a look.