
ci: add Dependabot config to auto-update dependencies #409

Open

ganeshkumarashok wants to merge 1 commit into containerd:main from ganeshkumarashok:add-dependabot

Conversation

@ganeshkumarashok


What

Adds .github/dependabot.yml to enable automated weekly dependency updates via Dependabot for:

  • GitHub Actions (/) — keeps CI/release workflow actions current (incl. security patches).
  • Git submodules (/) — the vendored C/C++ dependencies tracked as submodules.
  • Docker (/.github/workflows/release) — base image for the release build container.

Why

Dependencies in this repo are not currently tracked for updates, so security fixes in actions, submodules, and base images can go unnoticed. Dependabot will open PRs as updates become available for maintainers to review and merge.

Notes:

  • Schedule is weekly to balance freshness vs. PR noise — happy to switch to monthly or add grouping if preferred.
  • Submodule update PRs bump to the latest upstream commit and should be reviewed carefully.

Signed-off-by included (DCO).

Adds .github/dependabot.yml enabling weekly Dependabot updates for GitHub Actions, git submodules (vendored deps), and the release build Docker image. This addresses the gap of dependencies not being tracked/updated automatically.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ganeshkumar Ashokavardhanan <aganeshkumar@microsoft.com>
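The configuration the PR describes, written out here as an added example reconstructed from the description above; it is not the file from the PR itself. The three ecosystems, their directories and the weekly interval come from the PR text; the `groups` block and `open-pull-requests-limit` are assumptions that illustrate the author's "add grouping if preferred" note, not settings the PR states it uses.

```yaml
# .github/dependabot.yml
# Added example reconstructed from the PR description; not the PR's own file.
version: 2
updates:
  # GitHub Actions used by the CI/release workflows. Keeping these current
  # picks up security patches in the actions themselves.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Assumption: collapse all action bumps into a single PR to limit noise.
    # The PR author mentions grouping only as an option.
    groups:
      github-actions:
        patterns:
          - "*"

  # Vendored C/C++ dependencies tracked as git submodules. A Dependabot PR
  # here moves the pin to the latest upstream commit, so the upstream diff
  # between the old and new commit is what reviewers need to inspect.
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "weekly"
    # Assumption: cap concurrent submodule PRs so reviews are not flooded.
    open-pull-requests-limit: 5

  # Base image of the release build container, read from the Dockerfile in
  # this directory.
  - package-ecosystem: "docker"
    directory: "/.github/workflows/release"
    schedule:
      interval: "weekly"
```

Dependabot reads this file from the repository's default branch, so the schedule only takes effect once the PR is merged. The submodule entry is the one worth watching: unlike a tagged action or image version, a submodule bump points at whatever commit upstream currently has, so the review is of upstream's changes rather than of a release note.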

Copilot AI left a comment


Pull request overview

Adds a Dependabot configuration to keep key CI/release dependencies up to date, improving security patch uptake and reducing maintenance drift across workflows, submodules, and release container tooling.

Changes:

  • Introduces .github/dependabot.yml with a weekly schedule for GitHub Actions updates.
  • Enables weekly updates for git submodules tracked by the repository.
  • Enables weekly Docker updates for the release build container directory.
