Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore: enable Dependabot weekly GitHub Actions bumps#13812

Merged
DN6 merged 1 commit into
mainfrom
chore/add-dependabot-github-actions
May 26, 2026
Merged

chore: enable Dependabot weekly GitHub Actions bumps#13812
DN6 merged 1 commit into
mainfrom
chore/add-dependabot-github-actions

Conversation

@hf-dependantbot-rollout

Copy link
Copy Markdown
Contributor

Summary

Adds .github/dependabot.yml so this repo's pinned GitHub Action SHAs
get bumped automatically once a week.

All action updates are grouped into one weekly PR (not one PR per
action) to keep the noise down, and Dependabot waits 7 days after a
release before opening the bump
(cooldown). The 7-day cooldown is
aligned with the org's pinact min_age: 7 policy — so by the time
the Dependabot PR lands, the SHA is already old enough for the security
gate to accept it. The bot opens the PR; the org-wide security gate
(pinact + denylist + deny-packages + osv-scan) runs on it; a human
merges.

Why

GitHub Action SHAs that were safe when pinned can drift out of date —
missing security patches, bug fixes, or new features. Dependabot keeps
them current. Combined with the org-wide validation workflow (which
blocks compromised SHAs from landing), the bumps are safe by
construction.

Closes huggingface/tracking-issues#555

@github-actions github-actions Bot added CI size/S PR with diff < 50 LOC labels May 26, 2026
@DN6 DN6 merged commit 4b3dd38 into main May 26, 2026
15 of 17 checks passed
DN6 pushed a commit that referenced this pull request Jul 1, 2026
Co-authored-by: hf-dependantbot-rollout[bot] <285970069+hf-dependantbot-rollout[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CI dependabot size/S PR with diff < 50 LOC

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant