Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#github-actions
What part(s) of the article would you like to see updated?
Dependabot only supports updates to GitHub Actions using the GitHub repository syntax, such as actions/checkout@v5. Dependabot will ignore actions or reusable workflows referenced locally (for example, ./.github/actions/foo.yml).
The article seems to suggest that the only supported syntax is actions/checkout@v5 - pinning the version by tag.
But Dependabot also supports providing a hash + version comment, see
https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/
dependabot/dependabot-core#5951
Dependabot also supports updating from an arbitrary hash not associated with the tag to the latest hash on the branch (and not to the latest release):
example
From 5651640dc72edabe1a0dc575019d2178acb1b10d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 19 Nov 2025 10:05:31 +0000
Subject: [PATCH] Bump hendrikmuhs/ccache-action in the all-actions group
Bumps the all-actions group with 1 update: [hendrikmuhs/ccache-action](https://github.com/hendrikmuhs/ccache-action).
Updates `hendrikmuhs/ccache-action` from 15457da8f7bbf9b2c71f2efebd847c1a84650208 to 5ebbd400eff9e74630f759d94ddd7b6c26299639
- [Release notes](https://github.com/hendrikmuhs/ccache-action/releases)
- [Commits](https://github.com/hendrikmuhs/ccache-action/compare/15457da8f7bbf9b2c71f2efebd847c1a84650208...5ebbd400eff9e74630f759d94ddd7b6c26299639)
---
updated-dependencies:
- dependency-name: hendrikmuhs/ccache-action
dependency-version: 5ebbd400eff9e74630f759d94ddd7b6c26299639
dependency-type: direct:production
dependency-group: all-actions
...
Signed-off-by: dependabot[bot] <support@github.com>
---
.github/workflows/build-heavy-compile.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-heavy-compile.yml b/.github/workflows/build-heavy-compile.yml
index dfba755..c77cd5b 100644
--- a/.github/workflows/build-heavy-compile.yml
+++ b/.github/workflows/build-heavy-compile.yml
@@ -9,7 +9,7 @@ jobs:
steps:
- name: Checkout code
- uses: hendrikmuhs/ccache-action@15457da8f7bbf9b2c71f2efebd847c1a84650208
+ uses: hendrikmuhs/ccache-action@5ebbd400eff9e74630f759d94ddd7b6c26299639
- name: Configure build
run: |
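Review bot: the replaced uses: line pins hendrikmuhs/ccache-action to a bare 40-character commit SHA with no trailing version comment, and the commit message describes the bump only as hash to hash, so nothing in the hunk tells a reviewer which release, if any, 5ebbd400eff9e74630f759d94ddd7b6c26299639 corresponds to. Review the compare link from the commit message before merging, and if the new commit maps to a tagged release, record that tag as a comment after the SHA. Separately, the step carrying this line is named "Checkout code" although it runs ccache-action; rename the step so the workflow log matches what executes.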
Documenting this will clearly state what is supported and how it works, removing confusion.
Additional information
No response
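An added example, not part of the original issue and not Dependabot's own code: a small audit that sorts the `uses:` references in a workflow into the styles discussed above (tag, hash + version comment, bare hash, local path), so bare-hash pins like the one in the patch can be found and reviewed. The version-comment pattern is an assumption, and the `example-org/example-action` line in the sample is constructed.

```python
import re

# A `uses:` step line: captures the target and an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*\S))?\s*$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: a version comment looks like "v5" or "v1.2.3".
VERSION_COMMENT_RE = re.compile(r"v?\d+(?:\.\d+)*\b")

def classify_uses(line):
    """Return (target, style) for one workflow line, or None without `uses:`."""
    m = USES_RE.match(line)
    if m is None:
        return None
    target, comment = m.groups()
    if target.startswith("./"):
        return target, "local"                # the quoted docs say these are ignored
    _, sep, ref = target.rpartition("@")
    if not sep:
        return target, "no-ref"
    if not FULL_SHA_RE.fullmatch(ref):
        return target, "tag-or-branch"        # e.g. actions/checkout@v5
    if comment and VERSION_COMMENT_RE.match(comment):
        return target, "sha+version-comment"  # hash pin that names its release
    return target, "bare-sha"                 # hash pin with no release named

def audit(workflow_text):
    """Return [(line_number, target, style)] for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        result = classify_uses(line)
        if result:
            findings.append((lineno, *result))
    return findings

# Constructed sample; the first, second and last references appear on this page.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - uses: ./.github/actions/foo.yml
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: Checkout code
        uses: hendrikmuhs/ccache-action@15457da8f7bbf9b2c71f2efebd847c1a84650208
"""

if __name__ == "__main__":
    for lineno, target, style in audit(SAMPLE):
        print(f"{lineno:>3}  {style:<20} {target}")
```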