Description
Currently, Dependabot runs weekly to check for outdated GitHub Actions. If an update is found, it creates a pull request and merges it automatically. However, the update-dependent-repositories workflow is skipped in this process.
For repositories with Dependabot alerts enabled:
- Automated merging does not occur.
- When manually merging a PR created from a Dependabot alert, the
update-dependent-repositories workflow is still skipped.
This behavior may be incorrect, as the workflow should run when merging security-related updates from Dependabot alerts.
Expected behavior
- Pull requests related to GitHub Actions updates (created by Dependabot) should be merged automatically, and the
update-dependent-repositories workflow should be skipped for those.
- Pull requests created by Dependabot alerts should not be merged automatically.
- However, when a Dependabot alert PR is merged manually, the
update-dependent-repositories workflow should be triggered.
Possible Fix
A prefix could be introduced for pull requests related to GitHub Actions (e.g., (github-actions)), which can be used to determine whether the update-dependent-repositories workflow should be executed later.
Description
Currently, Dependabot runs weekly to check for outdated GitHub Actions. If an update is found, it creates a pull request and merges it automatically. However, the
update-dependent-repositoriesworkflow is skipped in this process.For repositories with Dependabot alerts enabled:
update-dependent-repositoriesworkflow is still skipped.This behavior may be incorrect, as the workflow should run when merging security-related updates from Dependabot alerts.
Expected behavior
update-dependent-repositoriesworkflow should be skipped for those.update-dependent-repositoriesworkflow should be triggered.Possible Fix
A prefix could be introduced for pull requests related to GitHub Actions (e.g.,
(github-actions)), which can be used to determine whether the update-dependent-repositories workflow should be executed later.