Enable dependabot to update actions

[joycebrum]

Issue #418

Changes

Enable dependabot to update github workflow actions once a week

[josephlr]

I think this is a reasonable change even if we don't end up pinning exact versions for actions. It would still be nice to be running on the latest versions of our actions. We currently don't use dependabot, is there anything we need to do to enable it?

[joycebrum]

I believe this configuration file already enables it since dependabot is official from GitHub. Anyway there is this configuration in the settings

You can even configure if you rather just being notified or that the dependabot creates the PR. This "security updates" is another interesting option which, if you rather, you can enable only the first two of them and just letting dependabot to update dependencies in order to fix known vulnerabilities. It can be an option to reduce noise.

Another interesting fact I've found out looking for dependabot features is that it won't update your Actions immediately. They have some precautions to make sure a release is reasonable / won't break your build.

[diogoteles08]

Hi @josephlr! I'm Diogo and I work along with Joyce in Google’s Open Source Security Team.

This PR has been idle for a while, so I'm coming by to ask you if you are still interested on the change and if we can help you with anything else =)

Cheers,

[josephlr]

Looking at this again, is there a way to test this to see what sort of CL dependabot would open against this repo if we enabled the change? For example, will it do:

• major version
• major+minor version
• hash

I couldn't find a good way to test this.

[josephlr]

I tested this on one of my personal repos, looks like there's a way to only update the actions when there's a new major version (which is what we want).

I changed the config, lets see if it works.