
Add dependabot config for GitHub Actions and Go modules #1062

Merged
liamfallon merged 3 commits into kptdev:main from Nordix:dependabot_github_actions
Jun 22, 2026

@efiacor efiacor commented Jun 19, 2026

Description

  • What changed: Added .github/dependabot.yml with github-actions and gomod ecosystems
  • Why it's needed: Actions are now pinned to SHAs (PR Harden SonarCloud workflow: scope permissions, fix injection vectors #1057) but need automated update PRs when new versions release. Go module updates were UI-configured only.
  • How it works: Dependabot will open weekly PRs bumping pinned action SHAs (with version comments) and Go module versions.

Related Issue(s)


Type of Change

  • Enhancement

Checklist

  • Code follows project style guidelines
  • Self-reviewed changes
  • Tests added/updated
  • Documentation added/updated
  • All tests and gating checks pass

AI Disclosure

  • I have used AI in the creation of this PR.

If so, please describe how:

  • Kiro to generate the dependabot configuration.
  • The author has fully verified all code.

Enable automated version updates for:
- github-actions: bumps pinned SHA refs with version comments
- gomod: Go module dependency updates (mirrors existing UI config)

Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>
@efiacor efiacor requested review from a team and Copilot June 19, 2026 08:35
@efiacor efiacor added the enhancement New feature or request label Jun 19, 2026
@efiacor efiacor self-assigned this Jun 19, 2026
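
As an added illustration (not code from this PR or from the kpt project): a small Python check that workflow `uses:` references have the form the description says Dependabot maintains, a full commit SHA followed by a version comment. The function names `classify_uses` and `audit_workflow`, the action names and the SHAs in the sample are constructed for this example.

```python
import re

# Matches a step or reusable-workflow reference: "uses: <target>@<ref>  # comment"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}\b")

def classify_uses(line):
    """Return (target, status) for a 'uses:' line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group(1), (m.group(2) or "").strip()
    # Local actions and container images are not resolved through a git ref.
    if target.startswith(("./", "docker://")):
        return (target, "not-applicable")
    _, sep, ref = target.partition("@")
    if not sep or not FULL_SHA_RE.match(ref):
        return (target, "unpinned")  # tag, branch, short SHA or no ref at all
    if not VERSION_COMMENT_RE.match(comment):
        return (target, "pinned-no-version-comment")
    return (target, "pinned")

def audit_workflow(text):
    """Return (line number, target, status) for every reference needing attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = classify_uses(line)
        if result and result[1] not in ("pinned", "not-applicable"):
            findings.append((lineno, result[0], result[1]))
    return findings

# Constructed sample workflow; action names and SHAs are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: example-org/setup-action@v5
      - uses: example-org/scan-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - run: go test ./...
"""

if __name__ == "__main__":
    for lineno, target, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}: {status}")
```
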

netlify Bot commented Jun 19, 2026

Deploy Preview for kpt-porch ready!

Name Link
🔨 Latest commit 10936c2
🔍 Latest deploy log https://app.netlify.com/projects/kpt-porch/deploys/6a352d324b289b00083c2512
😎 Deploy Preview https://deploy-preview-1062--kpt-porch.netlify.app

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 19, 2026

Copilot AI left a comment

Pull request overview

Adds a Dependabot configuration to automate weekly update PRs for pinned GitHub Actions and Go module dependencies, aligning with the workflow hardening/pinning work referenced from PR #1057.

Changes:

  • Added .github/dependabot.yml with weekly github-actions updates.
  • Added a weekly gomod updates entry with custom commit message prefixes.

Comment thread .github/dependabot.yml
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Fiachra Corcoran <fiachra.corcoran@est.tech>
Copilot AI review requested due to automatic review settings June 19, 2026 08:42

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

aravindtga previously approved these changes Jun 19, 2026

@aravindtga aravindtga left a comment

Copyright can be added.

@dosubot dosubot Bot added the lgtm #ededed label Jun 19, 2026
Add licensing information and update dependabot configuration.
@sonarqubecloud


@liamfallon liamfallon merged commit d71f6d8 into kptdev:main Jun 22, 2026
30 of 32 checks passed
@efiacor efiacor deleted the dependabot_github_actions branch June 22, 2026 09:21
Labels

enhancement New feature or request lgtm #ededed size:XS This PR changes 0-9 lines, ignoring generated files.

4 participants