OpenRailAssociation / github-org-manager

Manage a GitHub organization, its members, teams, repository permissions and more
Apache License 2.0

[feat/security] adding renovatebot #54

Open venkatamutyala opened 1 week ago

venkatamutyala commented 1 week ago

I noticed some of the workflows in this repository aren't pinned. Adding a tool like renovatebot can make life a lot easier and help manage your dependency updates.

For example, in one of your GitHub Actions workflows you have: https://github.com/OpenRailAssociation/github-org-manager/blob/main/.github/workflows/test.yaml#L31

With Renovate it'll pin it to a precise SHA and create another PR for you so that you can accept updates/changes.

We use it at my organization and it saves a ton of time and also helps ensure we don't hit unexpected updates/changes or fall behind on security updates. Also, Renovate supports a number of different languages and tools. It'll auto-detect what's in your repository and then create PRs where it finds updates. In your case it should update your Python dependencies automatically with no configuration beyond installing this GitHub App:

https://github.com/apps/renovate

I have a public config I am happy to share if you folks end up using renovatebot.
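The distinction the comment above draws is between an action referenced by a mutable tag or branch (`actions/checkout@v4`) and one pinned to a full 40-hex commit SHA, which is what Renovate's digest pinning rewrites it to. The script below is an added example, not code from this repository or from Renovate: it scans a constructed workflow file for `uses:` references that are not pinned to a commit SHA, the same audit a reviewer would run before (or after) enabling Renovate. The workflow text and the SHA in it are made up for the example; local `./` actions and `docker://` images are skipped because they are not git refs.

```python
import re

# Matches a workflow step's `uses:` line and captures the action reference
# (constructed parser for this example; it is not how Renovate parses YAML).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s#"\']+)["\']?')
# A full-length commit SHA: the only reference form that cannot be moved later.
SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

# Constructed sample workflow: one step pinned by tag, one by commit SHA, one local action.
SAMPLE_WORKFLOW = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5.0.0 (made-up SHA)
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-step
      - name: Run tests
        run: pytest
"""


def parse_uses(line):
    """Return the action reference on a `uses:` line, or None if the line is not one."""
    match = USES_RE.match(line)
    return match.group(1) if match else None


def is_external_action(ref):
    """Local actions and container images are not git refs, so pinning does not apply."""
    return not ref.startswith(("./", "docker://"))


def is_pinned(ref):
    """True only when the part after '@' is a full 40-hex commit SHA."""
    if "@" not in ref:
        return False  # no ref at all: resolves to the default branch
    _, _, version = ref.rpartition("@")
    return SHA_RE.fullmatch(version) is not None


def find_unpinned(workflow_text):
    """List (line number, reference) for every external action not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        ref = parse_uses(line)
        if ref is not None and is_external_action(ref) and not is_pinned(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run against a real repository by reading each file under `.github/workflows/` instead of `SAMPLE_WORKFLOW`. The trailing `# v5.0.0` comment on the pinned line is the convention Renovate keeps next to a digest so the human-readable version stays visible; Renovate's `helpers:pinGitHubActionDigests` preset is what performs that rewrite.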

cornelius commented 1 week ago

I think it's a good idea to use a tool like renovatebot to automate updating dependencies. But I'll leave it to @mxmehl to discuss this further. He's away right now, we can continue once he is back.