per1234
commented
1 year ago However, I'd like to understand why it doesn't work in some cases
I have experienced the same thing. It seems to be significantly delayed in some cases. For example, we enabled the action updates 2022-05-02 in a repository:
https://github.com/arduino/serial-monitor/commit/4f1f74bb4928123fb83b86e86c81c093162eef40
And only finally received the PR for the actions/checkout@v2 -> actions/checkout@v3 update that had been available the whole time 2022-09-07:
https://github.com/arduino/serial-monitor/pull/24
(we did not have any outstanding Dependabot PRs so it was not a matter of hitting the updates[*].open-pull-requests-limit value for that package-ecosystem)
I guess better late than never (which likely would be the case if we managed the versions manually). Even if it is a bit glitched, the pull requests I do receive from Dependabot are valuable so I think it is worth adding regardless.
Yes, we can add a dependabot. However, I'd like to understand why it doesn't work in some cases, see for example https://github.com/bids-standard/bids-specification/pull/1303.