Description
Overview
We need a decision record for Using Dependabot to update GHA so that we are clear about what we need to do and it's easy for people to find the history behind the issue.
Details
Many of the GitHub Actions our workflows use are not on their latest version, and we want to be notified when our GHA dependencies are out of date. The issue referenced below was created before GitHub extended Dependabot to cover GitHub Actions, as described in the blog post listed in the resources. Now that GitHub provides this, we want to use Dependabot for it, and we want a decision record that captures why we made this choice.
We have already enabled Dependabot alerts for vulnerable dependencies and other security issues in the repository's security settings (also linked below). Alerts on their own only flag known-vulnerable action versions; they do not open pull requests to keep actions current. For that we still need to add a dependabot.yml file that tells Dependabot to watch the github-actions ecosystem and open version-update pull requests.
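The configuration the paragraph above refers to is small. The following dependabot.yml is an added example for this decision record, not a file taken from the hackforla/website repository; the weekly schedule, the label name, the pull-request limit and the commit-message prefix are assumptions that the team can change, while the file location and the github-actions ecosystem name are what GitHub requires.

```yaml
# .github/dependabot.yml (added example; values marked below are assumptions)
version: 2
updates:
  # Version updates for every action referenced in .github/workflows/*.yml.
  # For the github-actions ecosystem GitHub requires directory "/" even
  # though the workflow files live under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"          # assumption: daily/weekly/monthly are all valid
    open-pull-requests-limit: 5   # assumption: cap on concurrent Dependabot PRs
    labels:
      - "dependencies"            # assumption: label the team triages by
    commit-message:
      prefix: "ci"                # assumption: prefix for the generated commits
```

Two practical notes. Dependabot version updates (this file) and Dependabot alerts (the security setting already enabled) are separate features: alerts fire only for action versions with a published advisory, while version updates propose every newer release on the schedule above. And if workflows pin actions to a full commit SHA rather than a tag, which is the stronger supply-chain posture, Dependabot still handles them: it bumps the SHA and updates the trailing version comment, so pinning by SHA does not have to mean updating by hand.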
Action Items
- create a page in the wiki
- copy the template text on to that page
- link it to the page with the adopted decision record
- fill in the issue template prompts
- get a peer review
- create the new issue to follow through with the decision
Resources/Instructions
- https://github.blog/2022-08-09-dependabot-now-alerts-for-vulnerable-github-actions/#dependabot-alerts-for-github-actions
- https://github.com/hackforla/website/settings/security_analysis
- https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates
- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
- https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
- #3414 (Update dependencies action 2065): the PR that started the investigation into whether Dependabot could replace a custom GitHub Action for this task.
- https://github.com/hackforla/website/wiki/Decision-Records