Skip to content

[CI] Add github-actions ecosystem to Dependabot#12823

Open
jbampton wants to merge 1 commit intoapache:mainfrom
jbampton:add-dependabot-for-actions
Open

[CI] Add github-actions ecosystem to Dependabot#12823
jbampton wants to merge 1 commit intoapache:mainfrom
jbampton:add-dependabot-for-actions

Conversation

@jbampton
Copy link
Member

@jbampton jbampton commented Mar 17, 2026

Group updates to reduce repo noise

Setup to run weekly.

Added 7 day cooldown period

https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference

Description

This PR...

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

@codecov
Copy link

codecov bot commented Mar 17, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.94%. Comparing base (93239e0) to head (9decc77).

Additional details and impacted files 
@@             Coverage Diff              @@
##               main   #12823      +/-   ##
============================================
- Coverage     17.95%   17.94%   -0.01%     
+ Complexity    16259    16256       -3     
============================================
  Files          5954     5954              
  Lines        534838   534838              
  Branches      65423    65423              
============================================
- Hits          96010    96000      -10     
- Misses       428053   428063      +10     
  Partials      10775    10775
Flag Coverage Δ
uitests 3.65% <ø> (ø)
unittests 19.06% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jbampton
Copy link
Member Author

jbampton commented Mar 17, 2026

refs #12164

@DaanHoogland
Copy link
Contributor

DaanHoogland commented Mar 17, 2026

@jbampton , would it be possible to run only if org/repo is apache/cloudstack and if branch in {main, 22, …} ?

@DaanHoogland DaanHoogland requested a review from vishesh92 March 17, 2026 09:43
@jbampton
Copy link
Member Author

jbampton commented Mar 17, 2026

@jbampton , would it be possible to run only if org/repo is apache/cloudstack and if branch in {main, 22, …} ?

From Google:

To run Dependabot only on the upstream repository and not on forks, you no longer need to manually disable it in every fork; Dependabot version updates are now disabled by default for all new forks created after November 7, 2022.
If you are dealing with forks created before that date, or if updates were previously enabled, you can manage them as follows:

  1. Default Behaviour for Forks
  • New Forks: When a repository with an existing dependabot.yml is forked, version updates are automatically disabled. The owner of the fork must explicitly click "Enable" in their repository's settings to start receiving updates.
  • Existing/Old Forks: For forks created before the 2022 change, Dependabot may still be active if it was inherited from the upstream config.
  1. How to Manually Disable on a Fork
    If Dependabot is active on a fork and you want it stopped, use one of these methods:
  • Repository Settings: Go to Settings > Code security and analysis (or Advanced security) and click Disable next to "Dependabot version updates".
  • Re-forking: Delete the existing fork and re-create it; the new fork will have Dependabot disabled by default.
  • Delete Configuration: Some users remove the .github/dependabot.yml file from their fork's branch, though this can cause merge conflicts with the upstream repository later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vishesh92 vishesh92 Awaiting requested review from vishesh92

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jbampton @DaanHoogland