python / cpython

The Python programming language
https://www.python.org/

Bump github actions and requirements.txt #118421

Closed Wulian233 closed 3 weeks ago

Wulian233 commented 3 weeks ago

Bump github actions: setup-python cache and checkout and requirements.txt

AlexWaygood commented 3 weeks ago

Hi, thanks for the PR. However, I'm not sure this is really necessary. We have dependabot set up for this repository to make sure that our dependencies are bumped on a regular basis: https://github.com/python/cpython/blob/main/.github/dependabot.yml. We generally prefer not to bump our dependencies any more regularly, as doing so leads to unnecessary churn and notifications for people watching the repository.

Moreover, most of these changes are not actually bumping any dependencies. Changing the actions/checkout@v4 pin to actions/checkout@v4.1.4 doesn't actually mean that we'll start using a newer version of actions/checkout. actions/checkout@v4 means "please use the latest version of actions/checkout where the version is >=4 and <5". As such, we're already using actions/checkout@v4.1.4 in CI, but pinning the version more tightly means we'll get dependabot PRs on a much more regular basis, which will lead to unnecessary noise and notifications for us.

Thanks again for the PR, but I think we'll decline this one :-)
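
The distinction drawn in the reply above, between a major-only pin such as actions/checkout@v4 and an exact pin such as actions/checkout@v4.1.4, can be checked across a workflow file with a short script. This is an added example, not code from the PR or from the cpython repository; the workflow text, the example-org action name and the category labels are constructed for illustration.

```python
import re

# Constructed sample workflow text (not taken from the cpython repository).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5.1
      - uses: actions/checkout@v4.1.4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local-step
"""

# Matches the target of a `uses:` key, with or without a leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


def classify_ref(ref):
    """Label how tightly a ref after '@' is pinned (labels are this example's own)."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit-sha"
    if re.fullmatch(r"v?\d+", ref):
        return "major"
    if re.fullmatch(r"v?\d+\.\d+", ref):
        return "major.minor"
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact-version"
    return "branch-or-other"


def audit_workflow(text):
    """Return (action, ref, pin_kind) for every remote action referenced in text."""
    results = []
    for match in USES_RE.finditer(text):
        target = match.group(1)
        # Local actions and container images carry no '@ref' pin to classify.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.rpartition("@")
        if not sep:
            results.append((target, "", "unpinned"))
        else:
            results.append((action, ref, classify_ref(ref)))
    return results


if __name__ == "__main__":
    for action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:16} {action}@{ref}")
```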