Use Dependabot to update GitHub Actions workflows (#455)

The Actions we use have pinned versions and it's almost impossible to keep up with new releases of them. Add configuration for Dependabot to track the Actions versions and send pull requests when new versions are available. Remove the Cancel Workflow Action to avoid giving full access to a third party action. Co-authored-by: Santiago Soler <[email protected]>
fatiando · Feb 23, 2024 · e9ae7ff · e9ae7ff
1 parent 4ad6672
commit e9ae7ff
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 18 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -36,13 +36,6 @@ jobs:
  PYTHON: "3.11"
 
  steps:
- # Cancel any previous run of the test job
- # We pin the commit hash corresponding to v0.5.0, and not pinning the tag
- # because we are giving full access through the github.token.
- - name: Cancel Previous Runs
- uses: styfle/cancel-workflow-action@148d9a848c6acaf90a3ec30bc5062f646f8a4163
- with:
- access_token: ${{ github.token }}
 
  # Checks-out your repository under $GITHUB_WORKSPACE
  - name: Checkout
@@ -154,7 +147,7 @@ jobs:
  path: doc/_build/html
 
  - name: Checkout the gh-pages branch in a separate folder
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+ uses: actions/checkout@v2
  with:
  ref: gh-pages
  # Checkout to this folder instead of the current one

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -109,7 +109,7 @@ jobs:
  - name: Publish to Test PyPI
  # Only publish to TestPyPI when a PR is merged (pushed to main)
  if: success() && github.event_name == 'push'
- uses: pypa/gh-action-pypi-publish@bce3b74dbf8cc32833ffba9d15f83425c1a736e0
+ uses: pypa/gh-action-pypi-publish@v1.8.11
  with:
  user: __token__
  password: ${{ secrets.TEST_PYPI_TOKEN}}
@@ -121,7 +121,7 @@ jobs:
  - name: Publish to PyPI
  # Only publish to PyPI when a release triggers the build
  if: success() && github.event_name == 'release'
- uses: pypa/gh-action-pypi-publish@bce3b74dbf8cc32833ffba9d15f83425c1a736e0
+ uses: pypa/gh-action-pypi-publish@v1.8.11
  with:
  user: __token__
  password: ${{ secrets.PYPI_TOKEN}}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -57,13 +57,6 @@ jobs:
  DEPENDENCIES: ${{ matrix.dependencies }}
 
  steps:
- # Cancel any previous run of the test job
- # We pin the commit hash corresponding to v0.5.0, and not pinning the tag
- # because we are giving full access through the github.token.
- - name: Cancel Previous Runs
- uses: styfle/cancel-workflow-action@148d9a848c6acaf90a3ec30bc5062f646f8a4163
- with:
- access_token: ${{ github.token }}
 
  # Checks-out your repository under $GITHUB_WORKSPACE
  - name: Checkout
@@ -154,9 +147,10 @@ jobs:
  - name: Upload coverage to Codecov
  uses: codecov/codecov-action@v3
  with:
- token: ${{ secrets.CODECOV_TOKEN }}
  file: ./coverage.xml
  env_vars: OS,PYTHON,DEPENDENCIES
  # Fail the job so we know coverage isn't being updated. Otherwise it
  # can silently drop and we won't know.
  fail_ci_if_error: true
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}