From 1f6ddfc76dfadd0f7e3f0344c6d8899ca7a333a4 Mon Sep 17 00:00:00 2001 From: Leonardo Uieda Date: Fri, 16 Feb 2024 15:39:33 -0300 Subject: [PATCH] Use Dependabot to manage GitHub Actions (#387) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bot will open PRs to update versions of the Actions we use. Use version numbers instead of commits to make this easier. **Relevant issues/PRs:** --- .github/dependabot.yml | 12 ++++++++++++ .github/workflows/docs.yml | 4 ++-- .github/workflows/pypi.yml | 4 ++-- .github/workflows/test.yml | 2 +- 4 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..6cd016a1 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 81cef792..a0e1419b 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -36,7 +36,7 @@ jobs: # We pin the commit hash corresponding to v0.5.0, and not pinning the tag # because we are giving full access through the github.token. - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@148d9a848c6acaf90a3ec30bc5062f646f8a4163 + uses: styfle/cancel-workflow-action@0.12.1 with: access_token: ${{ github.token }} @@ -137,7 +137,7 @@ jobs: path: doc/_build/html - name: Checkout the gh-pages branch in a separate folder - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + uses: actions/checkout@v3 with: ref: gh-pages # Checkout to this folder instead of the current one diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index 11fb69d9..59ee0d5f 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -110,7 +110,7 @@ jobs: - name: Publish to Test PyPI # Only publish to TestPyPI when a PR is merged (pushed to main) if: success() && github.event_name == 'push' - uses: pypa/gh-action-pypi-publish@bce3b74dbf8cc32833ffba9d15f83425c1a736e0 + uses: pypa/gh-action-pypi-publish@v1.8.11 with: user: __token__ password: ${{ secrets.TEST_PYPI_TOKEN}} @@ -122,7 +122,7 @@ jobs: - name: Publish to PyPI # Only publish to PyPI when a release triggers the build if: success() && github.event_name == 'release' - uses: pypa/gh-action-pypi-publish@bce3b74dbf8cc32833ffba9d15f83425c1a736e0 + uses: pypa/gh-action-pypi-publish@v1.8.11 with: user: __token__ password: ${{ secrets.PYPI_TOKEN}} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f3cd287f..956308c1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -62,7 +62,7 @@ jobs: # We pin the commit hash corresponding to v0.5.0, and not pinning the tag # because we are giving full access through the github.token. - name: Cancel Previous Runs - uses: styfle/cancel-workflow-action@148d9a848c6acaf90a3ec30bc5062f646f8a4163 + uses: styfle/cancel-workflow-action@0.12.1 with: access_token: ${{ github.token }}