Skip to content

chore: enable Dependabot weekly GitHub Actions bumps#2441

Merged
echarlaix merged 1 commit into
mainfrom
chore/add-dependabot-github-actions
May 29, 2026
Merged

chore: enable Dependabot weekly GitHub Actions bumps#2441
echarlaix merged 1 commit into
mainfrom
chore/add-dependabot-github-actions

Conversation

@hf-dependantbot-rollout
Copy link
Copy Markdown
Contributor

@hf-dependantbot-rollout hf-dependantbot-rollout Bot commented May 26, 2026

Summary

Adds .github/dependabot.yml so this repo's pinned GitHub Action SHAs
get bumped automatically once a week.

All action updates are grouped into one weekly PR (not one PR per
action) to keep the noise down, and Dependabot waits 7 days after a
release before opening the bump (cooldown). The 7-day cooldown is
aligned with the org's pinact min_age: 7 policy — so by the time
the Dependabot PR lands, the SHA is already old enough for the security
gate to accept it. The bot opens the PR; the org-wide security gate
(pinact + denylist + deny-packages + osv-scan) runs on it; a human
merges.

Why

GitHub Action SHAs that were safe when pinned can drift out of date —
missing security patches, bug fixes, or new features. Dependabot keeps
them current. Combined with the org-wide validation workflow (which
blocks compromised SHAs from landing), the bumps are safe by
construction.

Closes huggingface/tracking-issues#530

@echarlaix echarlaix merged commit 83c88b8 into main May 29, 2026
16 of 19 checks passed
@echarlaix echarlaix deleted the chore/add-dependabot-github-actions branch May 29, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@echarlaix echarlaix echarlaix approved these changes

Assignees

No one assigned

Labels

dependabot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@echarlaix