miller/.github/dependabot.yml
John Kerl aa831d0b89 Group codeql-action Dependabot bumps to keep init/autobuild/analyze in sync
The workflow pins all three codeql-action steps to the same commit SHA, but
Dependabot was opening separate PRs per action path, so merging just one
broke CI with a CodeQL config-version mismatch.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-09 15:11:46 -04:00

25 lines
887 B
YAML

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
groups:
# The codeql-analysis.yml workflow pins init/autobuild/analyze to the
# same commit SHA, so they must be bumped together or CI breaks with a
# CodeQL config-version mismatch.
codeql-action:
patterns:
- "github/codeql-action/*"
# Maintain dependencies for Go
- package-ecosystem: "gomod"
directory: /
schedule:
interval: "daily"