From d32db2d210964864b1506e362f7bcff240349d4e Mon Sep 17 00:00:00 2001 
From: jrfnl Date: Fri, 19 Sep 2025 17:50:09 +0200 Subject: [PATCH 1/2] GH Actions: "pin" all action runners Recently there has been more and more focus on securing GH Actions workflows - in part due to some incidents. The problem with "unpinned" action runners is as follows: * Tags are mutable, which means that a tag could point to a safe commit today, but to a malicious commit tomorrow. Note that GitHub is currently beta-testing a new "immutable releases" feature (= tags and release artifacts can not be changed anymore once the release is published), but whether that has much effect depends on the ecosystem of the packages using the feature. Aside from that, it will likely take years before all projects adopt _immutable releases_. * Action runners often don't even point to a tag, but to a branch, making the used action runner a moving target. _Note: this type of "floating major" for action runners used to be promoted as good practice when the ecosystem was "young". Insights have since changed._ While it is convenient to use "floating majors" of action runners, as this means you only need to update the workflows on a new major release of the action runner, the price is higher risk of malicious code being executed in workflows. Dependabot, by now, can automatically submit PRs to update pinned action runners too, as long as the commit-hash pinned runner is followed by a comment listing the released version the commit is pointing to. So, what with Dependabot being capable of updating workflows with pinned action runners, I believe it is time to update the workflows to the _current_ best practice of using commit-hash pinned action runners. The downside of this change is that there will be more frequent Dependabot PRs. If this would become a burden/irritating, the following mitigations can be implemented: 1. Updating the Dependabot config to group updates instead of sending individual PRs per action runner. 2. 
A workflow to automatically merge Dependabot PRs as long as CI passes. Ref: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions --- .github/workflows/end-to-end-tests.yml | 4 +-- .github/workflows/happy-new-year.yml | 6 ++--- .github/workflows/label-merge-conflicts.yml | 2 +- .github/workflows/label-new-prs.yml | 6 ++--- .github/workflows/label-remove-outdated.yml | 8 +++--- .github/workflows/quicktest.yml | 6 ++--- .github/workflows/reusable-build-phar.yml | 10 +++---- .github/workflows/test.yml | 30 ++++++++++----------- .github/workflows/validate.yml | 26 +++++++++--------- .github/workflows/verify-release.yml | 10 +++---- 10 files changed, 54 insertions(+), 54 deletions(-) diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml index 1b1f297b76..07da89974f 100644 --- a/.github/workflows/end-to-end-tests.yml +++ b/.github/workflows/end-to-end-tests.yml @@ -39,10 +39,10 @@ jobs: run: git config --global core.autocrlf input - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: "error_reporting=-1, display_errors=On, display_startup_errors=On" diff --git a/.github/workflows/happy-new-year.yml b/.github/workflows/happy-new-year.yml index 0f0a9097de..d9a4c59b92 100644 --- a/.github/workflows/happy-new-year.yml +++ b/.github/workflows/happy-new-year.yml 
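Review bot: Pinning the top-level `uses:` reference to a commit hash, as done for `actions/checkout` and `shivammathur/setup-php` here and on every other `uses:` line in this patch, does not pin what the action itself fetches at run time: a composite or JavaScript action can reference other actions by mutable tag or download tooling from a release URL, so the trust boundary still includes each action's own dependencies. The trailing version comment is also the only link between the hash and a release — nothing in the workflow verifies that the hash really is the tagged commit, so the mapping should be checked once at review time, and any later Dependabot bump is only as trustworthy as the upstream tag it reads. Since contributors will keep adding steps, it would help to document the convention at the top of each workflow, e.g. `# Action runners are pinned to a full commit hash; the trailing comment is the release tag Dependabot uses to bump the pin.`, and to have a lint step fail on any `uses:` reference that is not a 40-character hash. Some comments carry a `v` prefix (`# v5.0.0`) and others do not (`# 2.35.5`); this presumably mirrors the upstream tag names, which is what Dependabot needs to match, but it is worth confirming per action.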
@@ -49,13 +49,13 @@ jobs: run: "echo current year: ${{ steps.year.outputs.NEW_YEAR }} - previous year: ${{ steps.year.outputs.PREVIOUS_YEAR }}" - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: ${{ steps.branches.outputs.BASE }} - name: Update the year in the copyright tag in the fixed file id: findreplace - uses: jacobtomlinson/gha-find-replace@v3 + uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # 3.0.5 with: find: "* @copyright ${{ steps.year.outputs.PREVIOUS_YEAR }} Squiz Pty Ltd (ABN 77 084 670 600)" replace: "* @copyright ${{ steps.year.outputs.NEW_YEAR }} Squiz Pty Ltd (ABN 77 084 670 600)" @@ -73,7 +73,7 @@ jobs: run: exit 1 - name: Create pull request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: base: ${{ steps.branches.outputs.BASE }} branch: ${{ steps.branches.outputs.PR_BRANCH }} diff --git a/.github/workflows/label-merge-conflicts.yml b/.github/workflows/label-merge-conflicts.yml index f086fefd3e..a4e9f6a94c 100644 --- a/.github/workflows/label-merge-conflicts.yml +++ b/.github/workflows/label-merge-conflicts.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Check PRs for merge conflicts - uses: eps1lon/actions-label-merge-conflict@v3 + uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 with: dirtyLabel: "Status: has merge conflict" repoToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/label-new-prs.yml b/.github/workflows/label-new-prs.yml index 8a083b6e3d..f1874505fb 100644 --- a/.github/workflows/label-new-prs.yml +++ b/.github/workflows/label-new-prs.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Label new PRs - uses: srvaroa/labeler@v1 + uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0 env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 
@@ -38,10 +38,10 @@ jobs: steps: # Checkout is needed to use the `use_local_config` option. - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Verify changes to the labeling logic - uses: srvaroa/labeler@v1 + uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0 with: use_local_config: true fail_on_error: true diff --git a/.github/workflows/label-remove-outdated.yml b/.github/workflows/label-remove-outdated.yml index 14acf10cc5..d72393da72 100644 --- a/.github/workflows/label-remove-outdated.yml +++ b/.github/workflows/label-remove-outdated.yml @@ -18,7 +18,7 @@ jobs: name: Clean up labels on issue close steps: - - uses: mondeja/remove-labels-gh-action@v2 + - uses: mondeja/remove-labels-gh-action@b7118e4ba5dca74acf1059b3cb7660378ff9ab1a # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} labels: | @@ -35,7 +35,7 @@ jobs: name: "Clean up labels on PR (re-)review request" steps: - - uses: mondeja/remove-labels-gh-action@v2 + - uses: mondeja/remove-labels-gh-action@b7118e4ba5dca74acf1059b3cb7660378ff9ab1a # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} labels: | @@ -48,7 +48,7 @@ jobs: name: Clean up labels on PR merge steps: - - uses: mondeja/remove-labels-gh-action@v2 + - uses: mondeja/remove-labels-gh-action@b7118e4ba5dca74acf1059b3cb7660378ff9ab1a # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} labels: | @@ -68,7 +68,7 @@ jobs: name: Clean up labels on PR close steps: - - uses: mondeja/remove-labels-gh-action@v2 + - uses: mondeja/remove-labels-gh-action@b7118e4ba5dca74acf1059b3cb7660378ff9ab1a # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} labels: | diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index bfd1aaa870..eb9222f048 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml 
@@ -49,10 +49,10 @@ jobs: run: git config --global core.autocrlf input - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: 'error_reporting=-1, display_errors=On, display_startup_errors=On' @@ -61,7 +61,7 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer - name: Install Composer dependencies - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: # Bust the cache at least once a month - output format: YYYY-MM. custom-cache-suffix: $(date -u "+%Y-%m") diff --git a/.github/workflows/reusable-build-phar.yml b/.github/workflows/reusable-build-phar.yml index 6b0fcb197b..2d966b2314 100644 --- a/.github/workflows/reusable-build-phar.yml +++ b/.github/workflows/reusable-build-phar.yml @@ -33,10 +33,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ inputs.phpVersion }} coverage: none @@ -48,7 +48,7 @@ jobs: # Provide provenance for generated binaries. - name: Generate artifact attestations if: ${{ inputs.createAttestations == true }} - uses: actions/attest-build-provenance@v3 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-path: | ${{ github.workspace }}/phpcs.phar 
@@ -56,7 +56,7 @@ jobs: - name: Upload the PHPCS phar if: ${{ inputs.uploadArtifacts == true }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: phpcs-phar path: ./phpcs.phar @@ -65,7 +65,7 @@ jobs: - name: Upload the PHPCBF phar if: ${{ inputs.uploadArtifacts == true }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: phpcbf-phar path: ./phpcbf.phar diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f91ebb45d8..ab5b04b277 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -114,12 +114,12 @@ jobs: run: git config --global core.autocrlf input - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: "libxml2: find the latest relevant tag" if: ${{ matrix.libxml_minor }} id: libxml_version - uses: oprypin/find-latest-tag@v1 + uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1 # v1.1.2 with: repository: GNOME/libxml2 releases-only: false # The libxml2 repository doesn't use GitHub's "release" feature. @@ -138,7 +138,7 @@ jobs: - name: "libxml2: restore cache" if: ${{ matrix.libxml_minor }} id: libxml_cache_restore - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: "libxml2-${{ steps.libxml_patch_version.outputs.PATCH }}" key: "${{ matrix.os }}-libxml-${{ matrix.libxml_minor }}-${{ steps.libxml_patch_version.outputs.PATCH }}" 
@@ -166,7 +166,7 @@ jobs: - name: "libxml2: save cache" if: ${{ matrix.libxml_minor && steps.libxml_cache_restore.outputs.cache-hit != 'true' }} id: libxml_cache_save - uses: actions/cache/save@v4 + uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: "libxml2-${{ steps.libxml_patch_version.outputs.PATCH }}" key: ${{ steps.libxml_cache_restore.outputs.cache-primary-key }} @@ -197,7 +197,7 @@ jobs: # yamllint enable rule:line-length - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: ${{ steps.set_ini.outputs.PHP_INI }} @@ -209,7 +209,7 @@ jobs: # This action also handles the caching of the dependencies. - name: Set up node if: ${{ matrix.custom_ini == false }} - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: '20' @@ -224,7 +224,7 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer - name: Install Composer dependencies - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: composer-options: ${{ matrix.php == '8.5' && '--ignore-platform-req=php+' || '' }} custom-cache-suffix: $(date -u "+%Y-%m") @@ -257,7 +257,7 @@ jobs: - name: Download the PHPCS phar if: ${{ matrix.custom_ini == false }} - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: phpcs-phar @@ -302,7 +302,7 @@ jobs: run: git config --global core.autocrlf input - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup ini config if: ${{ matrix.custom_ini == true && matrix.os != 'windows-latest' }} 
@@ -313,7 +313,7 @@ jobs: echo 'PHP_INI=, date.timezone=Australia/Sydney, short_open_tag=On' >> "$GITHUB_OUTPUT" - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: ${{ matrix.php }} ini-values: error_reporting=-1, display_errors=On, display_startup_errors=On${{ steps.set_ini.outputs.PHP_INI }} @@ -322,7 +322,7 @@ jobs: # This action also handles the caching of the dependencies. - name: Set up node if: ${{ matrix.custom_ini == false }} - uses: actions/setup-node@v5 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: '20' @@ -337,7 +337,7 @@ jobs: # Install dependencies and handle caching in one go. # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer - name: Install Composer dependencies - uses: "ramsey/composer-install@v3" + uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # 3.1.1 with: # Bust the cache at least once a month - output format: YYYY-MM. custom-cache-suffix: $(date -u "+%Y-%m") @@ -385,7 +385,7 @@ jobs: - name: "Upload coverage results to Coveralls (normal run)" if: ${{ success() }} - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: format: clover file: build/logs/clover.xml @@ -394,7 +394,7 @@ jobs: - name: "Upload coverage results to Coveralls (CBF run)" if: ${{ matrix.os != 'windows-latest' && success() }} - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: format: clover file: build/logs/clover-cbf.xml @@ -409,6 +409,6 @@ jobs: steps: - name: Coveralls Finished - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: parallel-finished: true 
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index e31a3cae92..6791eee7f3 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -26,10 +26,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: 'latest' coverage: none 
@@ -52,38 +52,38 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # Validate the XSD file. - name: Validate XSD against schema - uses: phpcsstandards/xmllint-validate@v1 + uses: phpcsstandards/xmllint-validate@0fd9c4a9046055f621fca4bbdccb8eab1fd59fdc # v1.0.1 with: pattern: "phpcs.xsd" xsd-url: "https://www.w3.org/2012/04/XMLSchema.xsd" # Validate the XML ruleset files. - name: Validate rulesets against schema - uses: phpcsstandards/xmllint-validate@v1 + uses: phpcsstandards/xmllint-validate@0fd9c4a9046055f621fca4bbdccb8eab1fd59fdc # v1.0.1 with: pattern: "./src/Standards/*/ruleset.xml" xsd-file: "phpcs.xsd" # Validate the Documentation XML files. - name: Validate documentation XML - uses: phpcsstandards/xmllint-validate@v1 + uses: phpcsstandards/xmllint-validate@0fd9c4a9046055f621fca4bbdccb8eab1fd59fdc # v1.0.1 with: pattern: "./src/Standards/*/Docs/*/*Standard.xml" xsd-url: "https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd" # Validate dev tool related XML files. - name: Validate Project PHPCS ruleset against schema - uses: phpcsstandards/xmllint-validate@v1 + uses: phpcsstandards/xmllint-validate@0fd9c4a9046055f621fca4bbdccb8eab1fd59fdc # v1.0.1 with: pattern: "phpcs.xml.dist" xsd-file: "phpcs.xsd" - name: "Validate PHPUnit config for well-formedness" - uses: phpcsstandards/xmllint-validate@v1 + uses: phpcsstandards/xmllint-validate@0fd9c4a9046055f621fca4bbdccb8eab1fd59fdc # v1.0.1 with: pattern: "phpunit.xml.dist" @@ -99,7 +99,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # Updating the lists can fail intermittently, typically after Microsoft has released a new package. # This should not be blocking for this job, so ignore any errors from this step. 
@@ -113,7 +113,7 @@ jobs: # Show XML violations inline in the file diff. - name: Enable showing XML issues inline - uses: korelstar/xmllint-problem-matcher@v1 + uses: korelstar/xmllint-problem-matcher@1bd292d642ddf3d369d02aaa8b262834d61198c0 # v1.2.0 # Check the code-style consistency of the XML files. - name: Check XML code style @@ -157,14 +157,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up problem matcher - uses: lumaxis/shellcheck-problem-matchers@v2 + uses: lumaxis/shellcheck-problem-matchers@b02a1715a00c729b20eed3ebb7edf56fa9a433ba # v2.1.0 with: format: gcc - name: Run ShellCheck - uses: ludeeus/action-shellcheck@2.0.0 + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 with: format: gcc diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index ac3f070f7a..9d3f5bbe02 100644 --- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Trigger schema website update - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: token: ${{ secrets.WORKFLOW_DISPATCH_PAT }} repository: PHPCSStandards/schema.phpcodesniffer.com @@ -53,7 +53,7 @@ jobs: steps: - name: Trigger wiki update - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: token: ${{ secrets.WORKFLOW_DISPATCH_DOCS_PAT }} repository: PHPCSStandards/PHP_CodeSniffer-documentation @@ -83,7 +83,7 @@ jobs: steps: - name: Retrieve latest release info - uses: octokit/request-action@v2.x + uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0 id: get_latest_release with: route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest 
@@ -146,7 +146,7 @@ jobs: run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }} - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: 'latest' ini-values: error_reporting=-1, display_errors=On, display_startup_errors=On @@ -216,7 +216,7 @@ jobs: run: "echo ${{ steps.version.outputs.TAG }}" - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # 2.35.5 with: php-version: 'latest' ini-values: error_reporting=-1, display_errors=On, display_startup_errors=On From deab41d5fd874716feafd913dab94b72a5ec5164 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 19 Sep 2025 17:50:40 +0200 Subject: [PATCH 2/2] Dependabot: update config This commit makes two changes to the Dependabot config: 1. It introduces a "cooldown" period for updates to a new major release of action runners. What this means, is that for updates to a new major, the Dependabot will be delayed by 10 days, which should give projects the chance to fix any "teething problems". 2. It introduces a "group". By default Dependabot raises individual PRs for each update. Now, it will group updates to new minor or patch release for all action runners into a single PR. Updates to new major releases of action runners will still be raised as individual PRs. Refs: * https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates * https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference --- .github/dependabot.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9426200cbb..31dcdc6fec 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -16,6 +16,14 @@ updates: prefix: "GH Actions:" labels: - "Type: chores/QA" + cooldown: + semver-major-days: 10 + groups: + action-runners: + applies-to: version-updates + update-types: + - "minor" + - "patch" # Handle updates for the orphan gh-pages branch. - package-ecosystem: "github-actions" @@ -28,3 +36,11 @@ updates: prefix: "GH Pages/Actions:" labels: - "Type: chores/QA" + cooldown: + semver-major-days: 10 + groups: + action-runners: + applies-to: version-updates + update-types: + - "minor" + - "patch"
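Review bot: The cooldown only delays major releases (`semver-major-days: 10`); minor and patch releases, which are exactly what the new `action-runners` group collects, are still proposed the moment they are published, so a compromised or broken patch release of an action lands in the grouped PR with no waiting period. If the intent is to let upstream fix teething problems before they are adopted, consider also setting `default-days` (or `semver-minor-days`/`semver-patch-days`) so that minor and patch bumps get at least a few days of cooldown as well. With `applies-to: version-updates` the group covers version updates only; Dependabot security updates stay as individual PRs and, as far as I can tell from the docs linked in the commit message, are not subject to the cooldown either, which is worth stating in a comment next to the `cooldown:` key so nobody assumes a security bump was delayed. The same two points apply to the identical block added in the second hunk (`@@ -28,3 +36,11`) for the gh-pages ecosystem entry.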