Skip to content

ci: add Dependabot config for GitHub Actions#56

Merged
dmchaledev merged 1 commit into
mainfrom
claude/blissful-pascal-xa0hb0
Jul 19, 2026
Merged

ci: add Dependabot config for GitHub Actions#56
dmchaledev merged 1 commit into
mainfrom
claude/blissful-pascal-xa0hb0

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

  • Every workflow (ci.yml, checkov.yml, trivy-iac.yml) pins GitHub Actions by commit SHA, which is the right posture — but there's currently no automated mechanism to bump those pins forward. Security fixes and version updates to actions/checkout, hashicorp/setup-terraform, terraform-linters/setup-tflint, github/codeql-action, etc. would only be caught by someone manually noticing.
  • Adds .github/dependabot.yml for the github-actions ecosystem, scanning weekly and grouping all action bumps into a single PR to keep noise down.
  • No changes to modules/ — doesn't touch any Terraform, so terraform validate/tflint/checkov/trivy are unaffected.

Test plan

  • .github/dependabot.yml is valid YAML (verified locally)
  • Confirm Dependabot picks it up and opens its first grouped update PR after merge (Actions tab → Dependabot, or Insights → Dependency graph → Dependabot)

Generated by Claude Code

Every workflow pins actions by commit SHA (ci.yml, checkov.yml,
trivy-iac.yml) but nothing bumps those pins forward, so security
fixes and version updates go unnoticed. Add a weekly github-actions
Dependabot config to open update PRs automatically.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Me6WuTZnmXPco4uRymKKAs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants