Merge pull request #291 from per1234/template-workflow-dependabot

Directly maintain template workflow dependencies via Dependabot

Author: per1234

.github/dependabot.yml

@@ -6,7 +6,7 @@ updates:
   # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/dependabot/README.md
   # See: https://docs.github.com/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
   - package-ecosystem: github-actions
-    directory: / # Check the repository's workflows under /.github/workflows/
+    directory: /.github/workflows/
     schedule:
       interval: daily
     labels:
@@ -16,12 +16,9 @@ updates:
 
   # Configure check for outdated GitHub Actions actions in workflow templates.
   - package-ecosystem: github-actions
-    # The workflows under the .github/workflows/ subfolder of this path will be checked.
-    directory: /workflow-templates/dependabot/workflow-template-copies/
+    directory: /workflow-templates/
     schedule:
       interval: daily
-    commit-message:
-      prefix: (DO NOT MERGE)
     labels:
       - "topic: infrastructure"
     assignees:

.github/workflows/check-dependabot-sync.yml

@@ -10,7 +10,6 @@
 [![Check npm status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-npm-task.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-npm-task.yml)
 [![Check General Formatting status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-general-formatting-task.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-general-formatting-task.yml)
 [![Check License status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-license.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-license.yml)
-[![Check Workflow Duplicates Sync status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-dependabot-sync.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-dependabot-sync.yml)
 [![Check CI Workflows Sync status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-ci-sync.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-ci-sync.yml)
 [![Check Community Health Files Sync status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-community-health-sync.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-community-health-sync.yml)
 [![Check Configuration Files Sync status](https://github.com/arduino/tooling-project-assets/actions/workflows/check-config-sync.yml/badge.svg)](https://github.com/arduino/tooling-project-assets/actions/workflows/check-config-sync.yml)

README.md

@@ -42,7 +42,6 @@ tasks:
     deps:
       - task: ci:sync
       - task: config:sync
-      - task: dependabot:sync
       - task: general:correct-spelling
       - task: general:format-prettier
       - task: github:sync
@@ -371,22 +370,6 @@ tasks:
           -s "{{.SCHEMA_PATH}}" \
           -d "{{.PROJECT_FOLDER}}/{{.DATA_PATH}}"
 
-  dependabot:sync:
-    desc: Sync workflow duplicates for dependabot checks
-    vars:
-      WORKFLOW_TEMPLATES_PATH: "./workflow-templates"
-      WORKFLOW_TEMPLATE_COPIES_PATH: "./workflow-templates/dependabot/workflow-template-copies/.github/workflows"
-    cmds:
-      # Sync workflow templates with the copies in the folder where Dependabot can check them for updates.
-      - mkdir --parents "{{.WORKFLOW_TEMPLATE_COPIES_PATH}}"
-      - rm --force "{{.WORKFLOW_TEMPLATE_COPIES_PATH}}"/*
-      - |
-        find "{{.WORKFLOW_TEMPLATES_PATH}}" \
-          -maxdepth 1 \
-          -type f \
-          -regex '.*\.ya?ml' \
-          -exec cp '{}' "{{.WORKFLOW_TEMPLATE_COPIES_PATH}}" \;
-
   docs:generate:
     desc: Create all generated documentation content
     # This is an "umbrella" task used to call any documentation generation processes the project has.

Taskfile.yml

@@ -23,6 +23,10 @@ Addition of, or requests for, any additional workflows that can be reusable betw
 
 ## Dependabot
 
-Dependabot is used to check for outdated action versions used in the workflow templates. Details about that are [here](dependabot/README.md).
+Dependabot is used to [check for outdated action versions](https://docs.github.com/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) used in the template workflows.
+
+Dependabot's PRs will occasionally try to pin to the patch version of the action (e.g., updating `uses: foo/bar@v1` to `uses: foo/bar@v2.3.4`). When the action author has [provided a major version ref](https://docs.github.com/actions/creating-actions/about-custom-actions#using-release-management-for-actions), use that instead (e.g., `uses: foo/bar@v2`). Once the major version has been updated in the workflow, Dependabot should not submit an update PR again until the next major version bump.
+
+---
 
 The same can be done for the workflows of any repository. See the instructions [here](assets/dependabot/README.md).

workflow-templates/README.md

@@ -6,7 +6,7 @@ updates:
   # Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/dependabot/README.md
   # See: https://docs.github.com/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
   - package-ecosystem: github-actions
-    directory: / # Check the repository's workflows under /.github/workflows/
+    directory: /.github/workflows/
     schedule:
       interval: daily
     labels: