
Keep GitHub Actions up to date with GitHub's Dependabot #2435

Merged
danielaskdd merged 1 commit into HKUDS:main from cclauss:patch-1
Dec 1, 2025

Keep GitHub Actions up to date with GitHub's Dependabot#2435
danielaskdd merged 1 commit intoHKUDS:mainfrom
cclauss:patch-1

Conversation

@cclauss
Contributor

@cclauss cclauss commented Nov 28, 2025

To see all GitHub Actions dependencies, type:
% git grep 'uses: ' .github/workflows/

Description

[Briefly describe the changes made in this pull request.]

Related Issues

[Reference any related issues or tasks addressed by this pull request.]

Changes Made

[List the specific changes made in this pull request.]

Checklist

  • Changes tested locally
  • Code reviewed
  • Documentation updated (if necessary)
  • Unit tests added (if applicable)

Additional Notes

[Add any additional notes or context for the reviewer(s).]

* [Keeping your software supply chain secure with Dependabot](https://docs.github.com/en/code-security/dependabot)
* [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)
* [Configuration options for the `dependabot.yml` file - package-ecosystem](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem)

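The commit message's `git grep 'uses: ' .github/workflows/` lists the Action references Dependabot would manage under `package-ecosystem: github-actions`. As an added example (not code from this PR or the HKUDS project), the script below writes the minimal `dependabot.yml` the linked docs describe for that ecosystem and extends the grep into a check a reviewer would want alongside it: which third-party `uses:` references are pinned only to a mutable tag (such as `@v4`) rather than a full 40-hex commit SHA. Dependabot updates SHA-pinned actions too, bumping the SHA and the trailing version comment, so pinning costs nothing once this config is in place. The workflow file, action names and the SHA in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the PR's own code. Two helpers: emit a minimal Dependabot
# config for the github-actions ecosystem, and list `uses:` references in
# workflow files that are not pinned to a full commit SHA.

# Minimal dependabot.yml for GitHub Actions, as described in the linked docs.
# directory: "/" tells Dependabot to look in .github/workflows/ for `uses:`.
dependabot_config() {
cat <<'EOF'
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
EOF
}

# Print every third-party `uses:` reference in the given workflow files whose
# ref is not a 40-hex commit SHA, one "file:line:action@ref" per line.
# Local actions (./path) and docker:// images are skipped: they are not
# versioned by a git ref. Returns 0 whether or not anything is found.
# Usage: unpinned_actions .github/workflows/*.yml
unpinned_actions() {
  grep -Hn 'uses:' "$@" \
  | sed -E 's/^([^:]+):([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^" #]+)"?.*/\1:\2:\3/' \
  | grep -v -E ':(\./|docker:\/\/)' \
  | grep -v -E '@[0-9a-f]{40}$' || true
}
```

Anything the check prints is a reference Dependabot can bump to a newer tag but that an upstream maintainer (or an attacker holding their credentials) could also move to different code without any change showing up in your repository; pin those to a SHA with a `# vX.Y.Z` comment and let Dependabot keep both current.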
@danielaskdd
Collaborator

Automatic dependency updates pose the following issues:

  • potential compatibility problems with the system;
  • failure to update uv.lock, resulting in inconsistencies between the dependencies installed in Docker builds and those specified in pyproject.toml.

Given the lack of significant benefits, manual inspection and updating of dependencies are recommended.

@cclauss
Contributor Author

cclauss commented Dec 1, 2025

The "system" in this case is the GitHub Action runtime (not your local system), and Dependabot is created by and recommended by GitHub as stated in the commit message above. Upgrades to Actions can be security fixes, such as:

Which is missing here:


`package-ecosystem: github-actions` != `package-ecosystem: uv` --> These are GitHub Actions, not Python modules that uv installs from PyPI, so they cannot cause conflicts with things that uv installs.

@danielaskdd
Collaborator

Due to compatibility requirements, certain modules such as numpy must remain on lower versions. Dependabot periodically raises PRs to trigger updates — how should this be addressed?

@danielaskdd danielaskdd merged commit 6fee81f into HKUDS:main Dec 1, 2025
4 checks passed
@danielaskdd
Collaborator

I got your point. I let AI solve my concern in PR #2447.

@cclauss cclauss deleted the patch-1 branch December 1, 2025 21:00
