When a dependabot.yml configures the github-actions ecosystem with directory: "/" (which is what most guides recommend), Dependabot updates action references in .github/workflows/ but silently skips any local composite actions (e.g. .github/actions/my-action/action.yml). Third-party action references inside those composite actions never get version update PRs.

The fix is switching to directories with explicit coverage:

- package-ecosystem: github-actions
  directories:
    - "/"
    - "/.github/actions/*"

This seems like a good fit for a Dependabot audit since the misconfiguration is subtle and has supply chain implications (stale transitive action pins). zizmor already has both pieces of data needed — it discovers local composite actions and parses the directory/directories field in Dependabot configs.

The main consideration is that this audit would only be meaningful when scanning a full repository (both actions and Dependabot config together), not individual files. Severity-wise it's probably informational or low since the impact is missed update PRs rather than a direct vulnerability.

Curious whether this is something that fits zizmor's scope, or if it's too far into "Dependabot linting" territory vs. supply chain security.