Skip to content

chore: enable Dependabot weekly GitHub Actions bumps#40

Merged
Wauplin merged 1 commit into
mainfrom
chore/add-dependabot-github-actions
May 26, 2026
Merged

chore: enable Dependabot weekly GitHub Actions bumps#40
Wauplin merged 1 commit into
mainfrom
chore/add-dependabot-github-actions

Conversation

@hf-dependantbot-rollout

@hf-dependantbot-rollout hf-dependantbot-rollout Bot commented May 26, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds .github/dependabot.yml so this repo's pinned GitHub Action SHAs
get bumped automatically once a week.

All action updates are grouped into one weekly PR (not one PR per
action) to keep the noise down, and Dependabot waits 7 days after a
release before opening the bump (cooldown). The 7-day cooldown is
aligned with the org's pinact min_age: 7 policy — so by the time
the Dependabot PR lands, the SHA is already old enough for the security
gate to accept it. The bot opens the PR; the org-wide security gate
(pinact + denylist + deny-packages + osv-scan) runs on it; a human
merges.

Why

GitHub Action SHAs that were safe when pinned can drift out of date —
missing security patches, bug fixes, or new features. Dependabot keeps
them current. Combined with the org-wide validation workflow (which
blocks compromised SHAs from landing), the bumps are safe by
construction.

Closes huggingface/tracking-issues#697

@Wauplin Wauplin merged commit 00cd481 into main May 26, 2026
1 of 2 checks passed
@Wauplin Wauplin deleted the chore/add-dependabot-github-actions branch May 26, 2026 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependabot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Wauplin