With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency.
-
To configure the Dependabot configuration file to update Actions navigate to https://app.stepsecurity.io/securerepo. Enter your repository in the textbox and click on
Analyze Repository. You will see several recommendations for improving GitHub Actions Security for your repository. -
Keep the
Update Dependabot configurationchecked and un-check the rest of the recommendations for now. We will check them in future tutorials. -
Click on
Create Pull Requestbutton. You will see a pull request with a new Dependabot configuration. -
Merge the pull request to apply the fix.
-
Next, you should see pull requests created by Dependabot to update a few Actions. You will notice that Dependabot also updates the tags mentioned in the comments.
https://app.stepsecurity.io/securerepo has been used by over 500 public repositories to apply GitHub Actions Security best practices. You can browse pull requests for the Top 50 repositories at https://app.stepsecurity.io/securerepo/trending