Skip to content

Create dependabot.yml and update actions #291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
+15 −9
Open

Create dependabot.yml and update actions #291

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
17b1977
Create dependabot.yml
abhro Nov 25, 2025
a12fa5d
Use 'min' version specifier for setup-julia action
abhro Nov 25, 2025
f9d4440
Bump actions/checkout version from 4 to 6
abhro Nov 25, 2025
39a33a5
Use `--project=@temp` to directly create a temporary julia environment
abhro Nov 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/" # Location of package manifests
schedule:
interval: "monthly"
Comment on lines +4 to +7
Copy link

@gemini-code-assist gemini-code-assist bot Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This Dependabot configuration can be improved for better security and maintainability:

  1. Update Frequency: A monthly interval is quite long and can delay important security patches. It's recommended to use a weekly interval to get updates faster.
  2. PR Management: Adding labels and customizing the commit-message helps in organizing and tracking dependency updates. For example, you can add a dependencies label and use a conventional commit prefix like chore.

Here is a suggested improved configuration.

  - package-ecosystem: "github-actions"
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
    commit-message:
      prefix: "chore"
      include: "scope"

Copy link
Collaborator

@asinghvi17 asinghvi17 Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Monthly is probably fine

4 changes: 2 additions & 2 deletions .github/workflows/CI.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,14 @@ jobs:
fail-fast: false
matrix:
version:
- '1.6' # Replace this with the minimum Julia version that your package supports. E.g. if your package requires Julia 1.5 or higher, change this to '1.5'.
- 'min'
Copy link
Collaborator

@asinghvi17 asinghvi17 Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- 'min'
- 'lts'

Copy link
Contributor Author

@abhro abhro Nov 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I understand it, julia-action/setup-julia uses 'min' to read the repo's Project.toml to select the earliest version. If the CI is failing on that, should the minimum supported Julia version in Project.toml be bumped up?

Copy link
Collaborator

@asinghvi17 asinghvi17 Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah interesting, yeah in that case we should bump it up to 1.10 probably.

Copy link
Contributor Author

@abhro abhro Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in #292 👍

- '1' # Leave this line unchanged. '1' will automatically expand to the latest stable 1.x release of Julia.
os:
- ubuntu-latest
arch:
- x64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: julia-actions/setup-julia@v2
with:
version: ${{ matrix.version }}
Expand Down
7 changes: 3 additions & 4 deletions .github/workflows/DocPreviewCleanup.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,18 +13,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout gh-pages branch
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
ref: gh-pages
- uses: julia-actions/setup-julia@v2
with:
version: '1'
- name: Check for stale PR previews
shell: julia {0}
shell: julia --color=yes --project=@temp {0}
run: |
using Pkg
pkg"activate --temp"
pkg"add HTTP JSON3"
Pkg.add(["HTTP", "JSON3"])

using HTTP
using JSON3
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/Documenter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Setup Julia
uses: julia-actions/setup-julia@v1
- name: Load Julia packages from cache
Expand All @@ -51,7 +51,7 @@ jobs:
id: julia-cache-save
if: cancelled() || failure()
uses: actions/cache/save@v4
with:
with:
path: |
${{ steps.julia-cache.outputs.cache-paths }}
key: ${{ steps.julia-cache.outputs.cache-key }}
2 changes: 1 addition & 1 deletion .github/workflows/enforce-changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ jobs:
changelog:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: dangoslen/changelog-enforcer@v3
with:
changeLogPath: 'CHANGELOG.md'
Expand Down
Loading