
Keep GitHub Actions up to date with GitHub's Dependabot #211

Closed
cclauss wants to merge 1 commit into flet-dev:main from cclauss:patch-2

Conversation

cclauss commented Jun 17, 2026


To see all GitHub Actions dependencies, type:
% git grep 'uses: ' .github/workflows/

.github/workflows/ci.yml:        uses: actions/checkout@v4
.github/workflows/ci.yml:        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
.github/workflows/ci.yml:        uses: actions/checkout@v4
.github/workflows/ci.yml:        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
.github/workflows/ci.yml:        uses: futureware-tech/simulator-action@v4
.github/workflows/ci.yml:        uses: actions/checkout@v4
.github/workflows/ci.yml:        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
.github/workflows/ci.yml:        uses: gradle/actions/setup-gradle@v3
.github/workflows/ci.yml:        uses: actions/cache@v4
.github/workflows/ci.yml:        uses: reactivecircus/android-emulator-runner@v2
.github/workflows/ci.yml:        uses: actions/checkout@v4
.github/workflows/ci.yml:        uses: kuhnroyal/flutter-fvm-config-action/setup@v3
.github/workflows/ci.yml:        uses: actions/checkout@v4
.github/workflows/ci.yml:        uses: astral-sh/setup-uv@v6
.github/workflows/ci.yml:        uses: kuhnroyal/flutter-fvm-config-action/config@v3
.github/workflows/ci.yml:        uses: subosito/flutter-action@v2
.github/workflows/ci.yml:        uses: actions/checkout@v4
.github/workflows/ci.yml:        uses: astral-sh/setup-uv@v6
.github/workflows/ci.yml:        uses: kuhnroyal/flutter-fvm-config-action/setup@v3

* [Keeping your software supply chain secure with Dependabot](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain)
* [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/keeping-your-actions-up-to-date-with-dependabot)
* [Configuration options for the `dependabot.yml` file - package-ecosystem](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#package-ecosystem-)

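A small audit of those `uses:` references, added here as an example and not code from this PR or from flet-dev: it classifies each reference by how it is pinned. A tag such as `@v4` or a branch such as `@main` can be re-pointed by whoever controls the action's repository, while a full 40-character commit SHA cannot, so the pin kind is the first thing to look at when deciding how much trust each action needs. The workflow file is a constructed sample (the SHA in it is made up), and the `classify_ref` heuristic (refs starting with `v` or a digit are tags, other non-hex refs are branches) is an assumption.

```shell
#!/bin/sh
# Added example (not from the PR or flet-dev): classify how each GitHub Action
# referenced in .github/workflows is pinned. Only a full commit SHA is immutable;
# a tag or branch can be re-pointed by whoever controls the action's repository.
set -eu

# classify_ref <uses-ref> -> prints one of: sha, tag, branch, local, unknown
# Heuristic (assumption): refs starting with v or a digit are tags, other
# non-hex refs are branches, exactly 40 hex chars is a full commit SHA.
classify_ref() {
  ref="$1"
  case "$ref" in
    ./*) echo "local" ;;                      # action that lives in this repo
    *@*)
      version="${ref##*@}"
      case "$version" in
        *[!0-9a-f]*)                          # contains a non-hex char
          case "$version" in
            v[0-9]*|[0-9]*) echo "tag" ;;
            *)              echo "branch" ;;
          esac ;;
        *)
          if [ "${#version}" -eq 40 ]; then echo "sha"; else echo "tag"; fi ;;
      esac ;;
    *) echo "unknown" ;;                      # e.g. docker:// refs, not handled here
  esac
}

# audit_workflows <repo-root> -> "<kind> <ref>" for every unique uses: reference
audit_workflows() {
  grep -rho 'uses:[[:space:]]*[^[:space:]#]*' "$1/.github/workflows" \
    | sed 's/^uses:[[:space:]]*//' \
    | sort -u \
    | while IFS= read -r r; do
        printf '%s %s\n' "$(classify_ref "$r")" "$r"
      done
}

# count_unpinned <repo-root> -> number of refs that are neither SHA-pinned nor local
count_unpinned() {
  audit_workflows "$1" | grep -vc -e '^sha ' -e '^local ' || true
}

# Constructed sample repository (the SHA below is made up, not a real commit).
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/.github/workflows"
cat > "$WORKDIR/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: kuhnroyal/flutter-fvm-config-action/setup@v3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-action
EOF

audit_workflows "$WORKDIR"
echo "not pinned to a commit SHA: $(count_unpinned "$WORKDIR")"
```

Run it from any checkout by replacing the constructed `WORKDIR` with the repository root; references written with YAML quotes (`uses: "owner/repo@v4"`) are not matched by the `grep` pattern and would need the quotes stripped first.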
ndonkoHenri (Collaborator) commented Jun 17, 2026

Thanks for your contribution. Dependabot will be added as part of #212.

FeodorFitsner (Contributor) commented

Today we see more and more supply-chain attacks, and npm/PyPI packages and GHA actions are the most frequent targets. So I feel a bit uncomfortable auto-bumping anything in a GHA workflow with auto-tools; I like thorough study of all dependencies and prefer manual bumps. Hope you understand.

@cclauss cclauss deleted the patch-2 branch June 18, 2026 04:39
cclauss (Author) commented Jun 18, 2026

Understood.

https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html

```yaml
cooldown:
  default-days: 7
```
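A complete `.github/dependabot.yml` that applies that cooldown to the `github-actions` ecosystem, added here as an example and not a file from this PR or from the flet-dev repository; the `directory` and the weekly `schedule` are assumptions, the `cooldown` block is the one proposed above:

```yaml
# Added example, not from the PR: Dependabot config for GitHub Actions with a
# seven-day cooldown, so a newly published action version is not proposed
# until it has been public for a week.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"              # assumption: workflows live under /.github/workflows
    schedule:
      interval: "weekly"        # assumption
    cooldown:
      default-days: 7           # the value proposed in the comment above
```

Dependabot keeps the pin style already in the workflow: a `uses:` line pinned to a commit SHA is bumped to the new commit SHA (with the trailing version comment updated), so the cooldown and SHA pinning work together rather than one replacing the other.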

ndonkoHenri (Collaborator) commented

The addition of Dependabot was rediscussed internally, and we opted not to have it anymore. Dependabot's cooldown feature is cool, but yeah, a supply chain attack could be more subtle and take months before discovery, who knows? :)

The bumping of action versions will be done manually, as it sounds safer to us (cooldown = undefined/several months; attackers can't know when we will bump 😈). 🙂

cclauss (Author) commented Jun 18, 2026

OK. Just watch for annotations on GitHub Actions runs that say they are running on EoL versions of Node.js, because that is a well-documented attack surface.

Scroll to the very bottom of:
https://github.com/flet-dev/serious-python/actions/runs/27725655225

Test Bridge example on iOS (Python 3.12)
Node.js 20 is deprecated. The following actions target Node.js 20 but are being forced to run on Node.js 24: futureware-tech/simulator-action@v5.
For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

3 participants