From f28d7015eef7997b1ddfdda8dd43838607a63c0c Mon Sep 17 00:00:00 2001 
From: jrfnl Date: Sat, 3 Jan 2026 04:36:48 +0100 Subject: [PATCH 1/2] GH Actions: "pin" all action runners Recently there has been more and more focus on securing GH Actions workflows - in part due to some incidents. The problem with "unpinned" action runners is as follows: * Tags are mutable, which means that a tag could point to a safe commit today, but to a malicious commit tomorrow. Note that GitHub is currently beta-testing a new "immutable releases" feature (= tags and release artifacts can not be changed anymore once the release is published), but whether that has much effect depends on the ecosystem of the packages using the feature. Aside from that, it will likely take years before all projects adopt _immutable releases_. * Action runners often don't even point to a tag, but to a branch, making the used action runner a moving target. _Note: this type of "floating major" for action runners used to be promoted as good practice when the ecosystem was "young". Insights have since changed._ While it is convenient to use "floating majors" of action runners, as this means you only need to update the workflows on a new major release of the action runner, the price is higher risk of malicious code being executed in workflows. Dependabot, by now, can automatically submit PRs to update pinned action runners too, as long as the commit-hash pinned runner is followed by a comment listing the released version the commit is pointing to. So, what with Dependabot being capable of updating workflows with pinned action runners, I believe it is time to update the workflows to the _current_ best practice of using commit-hash pinned action runners. The downside of this change is that there will be more frequent Dependabot PRs. If this would become a burden/irritating, the following mitigations can be implemented: 1. Updating the Dependabot config to group updates instead of sending individual PRs per action runner. 2. 
A workflow to automatically merge Dependabot PRs as long as CI passes. Ref: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
---
 .github/workflows/browserslist-db.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 6 ++---
 .github/workflows/cs.yml | 8 +++----
 .github/workflows/deploy.yml | 14 ++++++------
 .github/workflows/deprecation-check.yml | 2 +-
 .github/workflows/finish-coveralls.yml | 6 ++---
 .github/workflows/generate_csv.yml | 2 +-
 .github/workflows/jslint.yml | 4 ++--
 .github/workflows/jstest.yml | 14 ++++++------
 .github/workflows/lint.yml | 8 +++----
 .github/workflows/merge-conflict-check.yml | 2 +-
 .github/workflows/security.yml | 4 ++--
 .github/workflows/test.yml | 26 +++++++++++-----------
 13 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/browserslist-db.yml b/.github/workflows/browserslist-db.yml
index 6e0fab56a53..952a105fa15 100644
--- a/.github/workflows/browserslist-db.yml
+++ b/.github/workflows/browserslist-db.yml
@@ -21,7 +21,7 @@ jobs:
 git config --global user.name "${{ github.actor }}"
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 0
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 209cec62d41..5328fb5986d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,13 +26,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 with:
 languages: ${{ matrix.language }}
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
index c0d604083fa..c0935efefaa 100644
--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
@@ -32,7 +32,7 @@ concurrency:
 jobs:
 actionlint:
 name: 'Lint GH Action workflows'
- uses: Yoast/.github/.github/workflows/reusable-actionlint.yml@main
+ uses: Yoast/.github/.github/workflows/reusable-actionlint.yml@c14f66005ab514663a48d00712db67617c98728c # v1.0.0
 checkcs:
 name: 'Check code style'
@@ -40,7 +40,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Determine the base branch for the file diff
 id: base_branch
@@ -59,7 +59,7 @@ jobs:
 run: git fetch --no-tags --depth=1 origin ${{ steps.base_branch.outputs.NAME }}
 - name: Install PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: 'latest'
 coverage: none
@@ -75,7 +75,7 @@ jobs:
 # Install dependencies and handle caching in one go.
 # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer
 - name: Install Composer dependencies
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Bust the cache at least once a week - output format: YYYY-MM-DD.
 custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F")
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c6ed0a5d65f..d8cd4393a73 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -56,10 +56,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: 7.4
 coverage: none
@@ -69,7 +69,7 @@ jobs:
 # This action also handles the caching of the Yarn dependencies.
 # https://github.com/actions/setup-node
 - name: Set up node and enable caching of dependencies
- uses: actions/setup-node@v6
+ uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with:
 node-version-file: './.nvmrc'
 cache: 'yarn'
@@ -90,7 +90,7 @@ jobs:
 # and available across runs of the same workflow.
 # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer
 - name: Install Composer dependencies and run the prefixing script
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Bust the cache at least once a week - output format: YYYY-MM-DD.
 custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F")
@@ -126,7 +126,7 @@ jobs:
 # Retention is normally 90 days, but this artifact is only for review
 # and use in the next step, so no need to keep it for more than a day.
 - name: Upload the artifact folder
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 if: ${{ success() }}
 with:
 name: deploy-artifact
@@ -169,7 +169,7 @@ jobs:
 fi
 - name: Checkout Yoast Dist repo
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 repository: ${{ env.DIST_ORG }}/${{ github.event.repository.name }}
 ref: ${{ env.DIST_DEFAULT_BRANCH }}
@@ -198,7 +198,7 @@ jobs:
 # The artifact will be unpacked into the root directory of the repository.
 - name: Download and unpack the prepared artifact
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 name: deploy-artifact
diff --git a/.github/workflows/deprecation-check.yml b/.github/workflows/deprecation-check.yml
index c923af4b8a1..92061b985a0 100644
--- a/.github/workflows/deprecation-check.yml
+++ b/.github/workflows/deprecation-check.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Place a comment on the PR
 uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
diff --git a/.github/workflows/finish-coveralls.yml b/.github/workflows/finish-coveralls.yml
index 3adbdd41428..af311cbd32e 100644
--- a/.github/workflows/finish-coveralls.yml
+++ b/.github/workflows/finish-coveralls.yml
@@ -84,7 +84,7 @@ jobs:
 # NOTE: The ref value should be different when triggered by pull_request event.
 # See: https://github.com/lewagon/wait-on-check-action/issues/25.
 - name: "Wait on tests (PR)"
- uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # lewagon/wait-on-check-action@v1.4.1
+ uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # v1.4.1
 if: github.event_name == 'pull_request'
 with:
 ref: ${{ github.event.pull_request.head.sha }}
@@ -93,14 +93,14 @@ jobs:
 - name: "Wait on tests (push)"
 if: github.event_name != 'pull_request'
- uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # lewagon/wait-on-check-action@v1.4.1
+ uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # v1.4.1
 with:
 ref: ${{ github.sha }}
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 check-regexp: Test|TestJS
 - name: "Coveralls Finished"
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
 env:
 COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together.
 with:
diff --git a/.github/workflows/generate_csv.yml b/.github/workflows/generate_csv.yml
index 6475928b5b8..bd79047b706 100644
--- a/.github/workflows/generate_csv.yml
+++ b/.github/workflows/generate_csv.yml
@@ -9,7 +9,7 @@ jobs:
 steps:
 # Check out the repository
 - name: Check out repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # Install dependencies
 - name: Install dependencies
diff --git a/.github/workflows/jslint.yml b/.github/workflows/jslint.yml
index d71547733c0..a3e3f440f28 100644
--- a/.github/workflows/jslint.yml
+++ b/.github/workflows/jslint.yml
@@ -57,7 +57,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # The ubuntu images come with Node, npm and yarn pre-installed.
 # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md
@@ -65,7 +65,7 @@ jobs:
 # This action also handles the caching of the Yarn dependencies.
 # https://github.com/actions/setup-node
 - name: Set up node and enable caching of dependencies
- uses: actions/setup-node@v6
+ uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with:
 node-version-file: './.nvmrc'
 cache: 'yarn'
diff --git a/.github/workflows/jstest.yml b/.github/workflows/jstest.yml
index fced52cffe0..7fef7b1e50b 100644
--- a/.github/workflows/jstest.yml
+++ b/.github/workflows/jstest.yml
@@ -77,7 +77,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # The ubuntu images come with Node, npm and yarn pre-installed.
 # https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md
@@ -85,7 +85,7 @@ jobs:
 # This action also handles the caching of the Yarn dependencies.
 # https://github.com/actions/setup-node
 - name: Set up node and enable caching of dependencies
- uses: actions/setup-node@v6
+ uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with:
 node-version-file: './.nvmrc'
 cache: 'yarn'
@@ -117,7 +117,7 @@ jobs:
 working-directory: packages/${{ matrix.package }}
 - name: Upload coverage results to Coveralls
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
 env:
 COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together.
 with:
@@ -146,7 +146,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Checks for changes
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # dorny/paths-filter@v3.0.2
@@ -165,7 +165,7 @@ jobs:
 # Check out the premium config repo ahead of running the tests to prevent issues with permissions.
 - name: Checkout premium configuration
 if: ${{ steps.checks-run.outputs.should == 'true' && matrix.needs_premium_config == true }}
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 repository: Yoast/YoastSEO.js-premium-configuration
 path: packages/yoastseo/premium-configuration
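Review bot: The context line `uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # dorny/paths-filter@v3.0.2` in the jstest.yml hunk at old line 146 keeps the older `owner/repo@tag` comment form, while this same commit rewrites the equivalent lewagon comments in finish-coveralls.yml to a bare `# v1.4.1`. The commit message makes that trailing comment the thing Dependabot reads to follow hash-pinned actions, so two comment styles should not be left coexisting by a commit whose purpose is to standardize pinning; `uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2` would match the rest of the series. Whether Dependabot also parses the longer form is not something this diff shows, so this is a consistency point rather than a known breakage. The job that holds these steps begins before the hunk.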
@@ -179,7 +179,7 @@ jobs:
 # https://github.com/actions/setup-node
 - name: Set up node and enable caching of dependencies
 if: ${{ steps.checks-run.outputs.should == 'true' }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with:
 node-version-file: './.nvmrc'
 cache: 'yarn'
@@ -218,7 +218,7 @@ jobs:
 - name: Upload coverage results to Coveralls
 if: ${{ steps.checks-run.outputs.should == 'true' }}
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
 env:
 COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together.
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1458365a0e2..23937b2c73d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -43,14 +43,14 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # For the purpose of linting the code, we need the `vendor-prefixed` directory to
 # be created as the prefixed code should be linted to ensure there are no parse errors
 # in the generated code against any of the supported PHP versions.
 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2.
 - name: Install PHP 7.x for generating the vendor_prefixed directory
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: 7.4
 coverage: none
@@ -58,7 +58,7 @@ jobs:
 fail-fast: true
 - name: Install Composer dependencies and generate vendor_prefixed directory
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Bust the cache at least once a week - output format: YYYY-MM-DD.
 custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F")
@@ -69,7 +69,7 @@ jobs:
 run: composer remove --dev --no-scripts humbug/php-scoper
 - name: Install PHP for the actual linting
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: ${{ matrix.php_version }}
 ini-values: zend.assertions=1, assert.exception=1, error_reporting=-1, display_errors=On, display_startup_errors=On
diff --git a/.github/workflows/merge-conflict-check.yml b/.github/workflows/merge-conflict-check.yml
index f7c913a6978..d71b6f55602 100644
--- a/.github/workflows/merge-conflict-check.yml
+++ b/.github/workflows/merge-conflict-check.yml
@@ -21,4 +21,4 @@ jobs:
 if: github.repository_owner == 'Yoast'
 name: Check PRs for merge conflicts
- uses: Yoast/.github/.github/workflows/reusable-merge-conflict-check.yml@main
+ uses: Yoast/.github/.github/workflows/reusable-merge-conflict-check.yml@c14f66005ab514663a48d00712db67617c98728c # v1.0.0
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f0899ab2c5b..0562be2112b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -26,9 +26,9 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # This action checks the `composer.lock` file against known security vulnerabilities in the dependencies.
 # https://github.com/marketplace/actions/the-php-security-checker
 - name: Run Security Check
- uses: symfonycorp/security-checker-action@v5
+ uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5 # v5
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6fecb8397c1..d2f2bc54431 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
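Review bot: In the security.yml hunk, the new `uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5 # v5` carries a floating-major tag in its comment, while every other repinned action in this series names a full release (`# v6.0.1`, `# 2.36.0`, `# v1.0.0`). The commit message makes the trailing comment the contract Dependabot uses to track hash-pinned actions, so a bare major may not be tracked the same way, and a later maintainer cannot tell from the line which release the hash was cut from. If upstream publishes only major-version tags, say so on the line, e.g. `# v5 (upstream publishes only major-version tags)`; otherwise replace the comment with the exact tag the commit corresponds to. The job containing these steps starts before the hunk.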
@@ -61,11 +61,11 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2.
 - name: Install PHP 7.x for generating the vendor_prefixed directory and dependency injection
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: 7.4
 coverage: none
@@ -73,7 +73,7 @@ jobs:
 fail-fast: true
 - name: Install Composer dependencies, generate vendor_prefixed directory and run dependency injection
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Bust the cache at least once a week - output format: YYYY-MM-DD.
 custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F")
@@ -87,7 +87,7 @@ jobs:
 run: rm -rf vendor/*
 - name: Install PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: ${{ matrix.php_version }}
 ini-values: zend.assertions=1, assert.exception=1, error_reporting=-1, display_errors=On, display_startup_errors=On
@@ -106,7 +106,7 @@ jobs:
 # for the PHP version on which the tests will be run.
 # @link https://github.com/marketplace/actions/install-php-dependencies-with-composer
 - name: Install Composer dependencies
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Force a `composer update` run.
 dependency-versions: "highest"
@@ -125,7 +125,7 @@ jobs:
 - name: Upload coverage results to Coveralls
 if: ${{ success() && matrix.coverage == true }}
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
 env:
 COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together.
 with:
@@ -196,11 +196,11 @@ jobs:
 run: sudo apt-get install -y subversion
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 # The prefix-dependencies task makes use of reflection-based PHP code that only works on PHP > 7.2.
 - name: Install PHP 7.x for generating the vendor_prefixed directory and dependency injection
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: 7.4
 coverage: none
@@ -208,7 +208,7 @@ jobs:
 fail-fast: true
 - name: Install Composer dependencies, generate vendor_prefixed directory and run dependency injection
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Bust the cache at least once a week - output format: YYYY-MM-DD.
 custom-cache-suffix: $(/bin/date -u --date='last Mon' "+%F")
@@ -222,7 +222,7 @@ jobs:
 run: rm -rf vendor/*
 - name: Install PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
 with:
 php-version: ${{ matrix.php_version }}
 ini-values: zend.assertions=1, assert.exception=1, error_reporting=-1, display_errors=On, display_startup_errors=On
@@ -237,7 +237,7 @@ jobs:
 run: composer config --unset platform.php
 - name: "Install Composer dependencies"
- uses: ramsey/composer-install@v3
+ uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # 3.1.1
 with:
 # Force a `composer update` run.
 dependency-versions: "highest"
@@ -272,7 +272,7 @@ jobs:
 - name: Upload coverage results to Coveralls - single site
 if: ${{ success() && matrix.coverage == true }}
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
 env:
 COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together.
 with:
@@ -283,7 +283,7 @@ jobs:
 - name: Upload coverage results to Coveralls - multisite
 if: ${{ success() && matrix.multisite == true && matrix.coverage == true }}
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
 env:
 COVERALLS_SERVICE_NUMBER: ${{ github.sha }} # Connect all builds together.
 with:
From 37b35ca60f17be8c006b89fb0175442f2ef606dc Mon Sep 17 00:00:00 2001
From: jrfnl Date: Sat, 3 Jan 2026 03:52:45 +0100 Subject: [PATCH 2/2] Dependabot: update config :point_right: Important: this is for **version** updates only, not for security updates, which are handled separately and don't depend on this configuration. --- This commit makes the following changes to the Dependabot config to reduce the number of Dependabot PRs, while still keeping the workflows up to date with a reasonable frequency: * It introduces a "group". By default Dependabot raises individual PRs for each update. Now, it will group updates to new minor or patch release for all action runners into a single PR. Updates to new major releases of action runners will still be raised as individual PRs. * It changes the schedule from `weekly` (on Monday, at whatever time this repo reaches the front of the HUGE queue which it will always have on Monday) to twice a month at a specific time which is not midnight. Aside from making the PRs less frequent, it should also make the arrival time more predictable as the queue created at 22:10 (in whatever timezone Dependabot runs in) will be next to nothing as it would need more repos to use this exact configuration. Refs: * https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates * https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
---
 .github/dependabot.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 50e0ff7ad27..d3ab6161210 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,10 +9,17 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "cron"
+ cronjob: "15 22 5,20 * *" # At 22:15, every 5th and 20th day of the month.
 open-pull-requests-limit: 5
 commit-message:
 prefix: "GH Actions:"
 labels:
 - "changelog: non-user-facing"
 - "yoast cs/qa"
+ groups:
+ action-runners:
+ applies-to: version-updates
+ update-types:
+ - "minor"
+ - "patch"
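Review bot: The new `cronjob: "15 22 5,20 * *"` line describes itself as "At 22:15", but the `schedule:` block sets no timezone, so the hour is whatever Dependabot's default is, which the commit message itself concedes with "in whatever timezone Dependabot runs in". Dependabot's `schedule` accepts a `timezone` key holding an IANA zone name; adding `timezone: "<IANA-zone>"` next to `cronjob:` makes the commented time mean what it says. Separately, `applies-to: version-updates` is the only unquoted string scalar in a file that double-quotes every other string, including the sibling `update-types` entries, so `applies-to: "version-updates"` keeps the style consistent. The commit message also speaks of a queue created at 22:10 while the cron line fires at 22:15; one of the two should be corrected so the description matches the config.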