Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Dependabot config for GitHub Actions #31119

Merged
merged 1 commit into from
Aug 30, 2023
Merged

Add Dependabot config for GitHub Actions #31119

merged 1 commit into from
Aug 30, 2023

Conversation

wadells
Copy link
Contributor

@wadells wadells commented Aug 28, 2023
edited
Loading

We have some 3rd party GitHub Actions we're pinning for determinism and security, however we'd also like these pinned actions to stay up to date in a controlled fashion. This PR adds Dependabot for Github actions.

For example of recent pinnings, see:

Initial reviewers are a mix of security and internal tools folks, chosen to triage the first couple rounds of updates. I plan on handling these mostly myself, but I'd like to keep the other folks aware.

I chose not to add a language group for these yet, as I'd rather deal with each update individually while we get GHA dependency management ship-shape.

Contributes to https://github.com/gravitational/SecOps/issues/403

Testing Done

I added a version of this in https://github.com/wadells/teleport. You can see an example PR it opened here:

wadells#15

@github-actions github-actions bot requested review from klizhentas and r0mant August 28, 2023 22:19
@wadells wadells changed the title Add dependabot config for GitHub Actions Add Dependabot config for GitHub Actions Aug 28, 2023
@wadells
Add Dependabot config for GitHub Actions
5d04b6d 
We have some 3rd party GitHub Action's we're pinning for determinism
and security, however we'd like these to stay up to date.

Initial reviewers are a mix of security and internal tools folks, chosen
to be able to perform initial triage.
@wadells wadells force-pushed the walt/gha-dependabot branch from 113fa74 to 5d04b6d Compare August 28, 2023 22:32
@wadells wadells mentioned this pull request Aug 28, 2023
Merged
rosstimothy
rosstimothy approved these changes Aug 28, 2023
View reviewed changes
Copy link
Contributor

@rosstimothy rosstimothy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Though I would make sure you have a group 1 and 2 reviewer in your reviewers list otherwise you'll have to ping additional people every week

@wadells
Copy link
Contributor Author

wadells commented Aug 28, 2023

LGTM. Though I would make sure you have a group 1 and 2 reviewer in your reviewers list otherwise you'll have to ping additional people every week

Good point. At least initially, I'd like to do a first pass on these to make sure they're sane and useful before escalating.

Once things have smoothed out in a couple weeks, I'll chat with @r0mant about getting the appropriate group 1 reviewers on here. @fheinecke and @camscale can cover group 2.

@wadells wadells added this pull request to the merge queue Aug 30, 2023
Merged via the queue into master with commit d4efd17 Aug 30, 2023
@wadells wadells deleted the walt/gha-dependabot branch August 30, 2023 05:25
@wadells wadells mentioned this pull request Dec 29, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adaadb6 adaadb6 adaadb6 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

@codingllama codingllama codingllama approved these changes

Assignees
No one assigned
Labels
size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@wadells @codingllama @rosstimothy @adaadb6