[MRG] Automatically update GitHub Actions

[DimitriPapadopoulos]

Actually automatically create a pull request.

Reference issue

Tasks

• Unit tests added that reproduce issue or prove feature is working
• Fix or feature added
• Documentation and examples updated (if relevant)
• Unit tests passing and coverage at 100% after adding fix/feature
• Type annotations updated and passing with mypy
• Apps updated and tested (if relevant)

[codecov]

Codecov Report

Merging #869 (e1aa622) into master (708ccda) will decrease coverage by 0.16%.
Report is 2 commits behind head on master.
The diff coverage is n/a.

❗ Current head e1aa622 differs from pull request most recent head e54cc74. Consider uploading reports for the commit e54cc74 to get more accurate results

@@             Coverage Diff             @@
##            master     #869      +/-   ##
===========================================
- Coverage   100.00%   99.84%   -0.16%     
===========================================
  Files           28       28              
  Lines         8639     8639              
===========================================
- Hits          8639     8626      -13     
- Misses           0       13      +13     

see 1 file with indirect coverage changes

[mrbean-bremen]

Not sure if we really want a daily update here... I leave that for @scaramallion to decide.
It probably makes sense to add this to the configuration of pydicom (and other pydicom repos). I dimly remember some discussion about using shared workflows in an organization (@darcymason ?), and there seems also to be the possibility to use the dependabot throughout an organization. Maybe we should think about this.

[DimitriPapadopoulos]

I do not suggest updating all dependencies here, just GitHub actions. So no daily updates involved - probably yearly at most.

See :
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#example-dependabotyml-file-for-github-actions

[mrbean-bremen]

Yes, I agree that this makes sense - I just thought that it might be even better to use this througout the organization (I haven't really checked how to do that yet). Updating workflow versions is something I have done manually often enough in different repos, and it every time involves a check for the current version of each workflow which is a bit tedious.
About the frequency of the checks - I personally don't mind if it is dayly or weekly.

[darcymason]

I dimly remember some discussion about using shared workflows in an organization (@darcymason ?), and there seems also to be the possibility to use the dependabot throughout an organization. Maybe we should think about this.

I don't remember any specific discussion (that's not to say it didn't happen), but I certainly support the simplicity of an organization-wide dependabot, if that can work for everyone.

As to frequencies, I've been finding the frequent micro-updates of ruff and pre-commit in the pydicom repo to be more annoying than they are worth. I was thinking of suggesting monthly updates for those. Having said that, @mrbean-bremen has been actually clicking to merge them in most of the time, so I can live with it 😉

[mrbean-bremen]

but I certainly support the simplicity of an organization-wide dependabot, if that can work for everyone

According to the linked site, this has to be done in the settings by an organization admin, so that is something that falls back to you 😀

As for merging the updates - as long as all checks pass (which is most of the time), this can be done very fast, so is basically no work...

[scaramallion]

Thanks @DimitriPapadopoulos