expressjs / express

Fast, unopinionated, minimalist web framework for node.
https://expressjs.com
MIT License
65.73k stars 16.35k forks

ci: add dependabot for gh-actions #6159

Closed tchapacan closed 1 week ago

tchapacan commented 1 week ago

Hello,

The purpose of this PR is to add a dependabot.yml in update mode and configure it to target github-actions.

According to PR #6141 it seems you are going in the direction of pinning gh-actions dependencies in the workflows, which is great and will improve the ossf scorecard. To avoid adding too much burden on the maintenance side (tracking each gh-action to update them one by one), dependabot can do it for you according to these docs => https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#github-actions

You can even add some default reviewers and labels to the PRs that will be opened automatically, but I prefer to let you review the minimal default configuration first; LMK if you want to modify the config according to your needs.

Hope it could help you, cheers!
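For reference, a `.github/dependabot.yml` of the kind described above, targeting the `github-actions` ecosystem so that SHA-pinned actions keep getting update PRs. This is an added illustration written from the linked GitHub docs, not the file from this PR; the reviewer login, label names and commit prefix are placeholders.

```yaml
# .github/dependabot.yml (constructed example; not the file submitted in this PR)
version: 2
updates:
  # Version updates for the actions referenced in .github/workflows/*.yml.
  # With actions pinned to commit SHAs (as in #6141), Dependabot bumps the SHA
  # and notes the corresponding tag in the PR, so pins do not go stale.
  - package-ecosystem: "github-actions"
    # "/" is the repository root; Dependabot resolves .github/workflows from it.
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional extras mentioned in the PR description (placeholder values):
    labels:
      - "dependencies"
      - "github-actions"
    reviewers:
      - "PLACEHOLDER-maintainer-login"
    commit-message:
      prefix: "ci"
```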

bjohansebas commented 1 week ago

Hi @tchapacan, thanks for the initiative, I’m going to close this as it’s a duplicate of #5435.