ci: update GitHub Actions and add Dependabot#1
Pull request overview
Updates repository automation by refreshing GitHub Actions references and introducing a shared Dependabot configuration to keep workflow and Python dependencies up to date.
Changes:
- Bump action versions in CI and release workflows.
- Add .github/dependabot.yml to manage updates for GitHub Actions and Python (pip ecosystem) dependencies.
- Standardize dependency update cadence/labels/groups for automation PRs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Updates action versions used for building, publishing, and creating GitHub releases. |
| .github/workflows/ci.yml | Updates action versions used across lint/typecheck/test/build jobs. |
| .github/dependabot.yml | Adds weekly grouped Dependabot updates for GitHub Actions and pip dependencies. |
| permissions: | ||
| id-token: write | ||
| steps: | ||
| - name: Download build artifacts | ||
| uses: actions/download-artifact@v5 | ||
| uses: actions/download-artifact@v8.0.1 |
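Review bot: This bump moves actions/download-artifact across three major versions (v5 to v8.0.1) while the hunk shows only the download side; since the v4 line, download-artifact can only read artifacts produced by a matching generation of upload-artifact, so the build job's upload step in release.yml needs to be bumped in step and the artifact name it uploads under needs to still match what this step downloads.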
The publish job sets job-level permissions to only id-token: write, which implicitly disables other scopes. actions/download-artifact typically requires actions: read (and may require contents: read depending on repo settings), so this step is likely to fail with 403. Consider adding the minimal additional permissions needed for downloading artifacts while keeping the job locked down for the PyPI publish step.
|
|
||
| - package-ecosystem: "pip" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| day: "monday" | ||
| time: "06:15" | ||
| timezone: "America/New_York" | ||
| open-pull-requests-limit: 10 | ||
| labels: | ||
| - "dependencies" | ||
| - "python" | ||
| commit-message: | ||
| prefix: "deps" | ||
| groups: | ||
| python-dependencies: | ||
| patterns: | ||
| - "*" |
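Review bot: The single group with `patterns: ["*"]` puts every Python dependency, including major-version bumps, into one weekly PR, so one incompatible upgrade blocks the whole batch until it is resolved by hand; consider splitting into a minor/patch group and a separate major group (Dependabot groups accept `update-types`), which keeps the low-risk batch mergeable. Note also that groups defined this way apply to version updates only; security updates still arrive as individual PRs unless a group is declared for them.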
This repo uses uv.lock (and CI runs uv sync), but Dependabot pip updates won't update uv.lock. That will likely produce Dependabot PRs that change pyproject.toml without updating the lockfile, breaking uv sync in CI. Consider disabling the pip ecosystem here, or adding an automated step/bot workflow that updates and commits uv.lock for Dependabot PRs.
| - package-ecosystem: "pip" | |
| directory: "/" | |
| schedule: | |
| interval: "weekly" | |
| day: "monday" | |
| time: "06:15" | |
| timezone: "America/New_York" | |
| open-pull-requests-limit: 10 | |
| labels: | |
| - "dependencies" | |
| - "python" | |
| commit-message: | |
| prefix: "deps" | |
| groups: | |
| python-dependencies: | |
| patterns: | |
| - "*" |
| - uses: actions/checkout@v6.0.2 | ||
|
|
||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v7 | ||
| uses: astral-sh/setup-uv@v8.1.0 | ||
| with: |
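Review bot: The setup-uv bump is a major-version change (v7 to v8.1.0), so the `with:` inputs that follow (cut off in this hunk) should be checked against the v8 input names before merging; an input that was renamed or dropped in v8 only produces an "unexpected input" warning in the run log rather than a failure, so CI can go green while the setting silently no longer applies.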
These workflows pin actions by version tag (e.g., @v6.0.2). GitHub recommends pinning third-party actions to a full commit SHA to reduce supply-chain risk from retagging. If you want automated upkeep, Dependabot can update the pinned SHAs.
Summary
Updated actions
Validation