Open hoffie opened 2 years ago
Dependabot?
Yeah, might be worth a look w.r.t. GitHub Actions usage. I would not expect it to catch the deps from our build scripts though, unless I'm missing something?
Maybe we can set it up to do that
Supported repositories: Repository contains dependency manifest file from a package ecosystem that GitHub supports (see "Supported package ecosystems").
So it looks like:
pipfile.lock
That'd mean that the following would require manual work (at least):
The workflow does not handle most of the Android pinnings (haven't looked into it so far).
I think we should list them in this issue.
I just found out that create-dmg is also missing. So macOS and Android probably need some further investigation.
Not sure what is still outstanding here. Tagging for looking at it in the next release.
Describe the task
We have several external dependencies which are version-locked for reproducibility and security. We should regularly check those for updates. A GitHub Actions scheduled job (cron-style) could do that. It could automatically submit a PR with the suggested update.
uses:
) #2778
Solutions to look into:
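As an added example (not part of this issue or the project's own configuration), this is what a Dependabot configuration covering the two ecosystems named in the thread would look like: the GitHub Actions workflow pins (`uses:` references) and a Pipfile.lock. The directory paths and labels are assumptions; adjust them to where the manifests actually live. It deliberately lists nothing for the Android pinnings or for create-dmg in the macOS build scripts, since, as noted above, those are not a supported package ecosystem and still need a separate check.

```yaml
# .github/dependabot.yml  (example configuration, not the project's own file)
version: 2
updates:
  # Keep the action versions referenced via `uses:` in .github/workflows up to date.
  # Pinned action SHAs are updated too, with the version comment alongside.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumption: workflows live under .github/workflows at the repo root
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"        # assumption: label used to triage automated PRs
    open-pull-requests-limit: 5

  # Python dependencies locked in Pipfile.lock (pipenv).
  - package-ecosystem: "pip"
    directory: "/"            # assumption: Pipfile / Pipfile.lock at the repo root
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
    open-pull-requests-limit: 5
    # Only version bumps carrying a security advisory are ignored-proof;
    # everything else can be narrowed with `ignore:` rules if the PR volume is too high.
```

Dependabot only reads manifests from ecosystems GitHub supports, so hashes or URLs pinned inline in shell or Gradle build scripts are invisible to it; a scheduled workflow that re-checks those pins (and opens a PR when upstream has moved) remains the fallback for the Android and macOS parts.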