From 6798c825674f6b8df36f3e8a69e662c4bbd7d24b Mon Sep 17 00:00:00 2001
From: shionit
Date: Sun, 10 May 2026 17:35:22 +0700
Subject: [PATCH 1/2] chore: remove dependabot in favour of Renovate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both Dependabot and Renovate were updating Docker and GitHub Actions dependencies, producing duplicate PRs. Renovate provides the same coverage with better grouping, SHA pinning, and automerge control, so Dependabot is removed. The dependency-review and scorecards workflows are unaffected — they scan for vulnerabilities and score supply-chain posture independently of which updater is in use.

---
 .github/dependabot.yml | 11 -----------
 1 file changed, 11 deletions(-)
 delete mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index c3ee2cd..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: docker
-    directory: /.devcontainer
-    schedule:
-      interval: daily
-
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: daily

From d6b7abcb58e1c1c7ce40f6bb01dd5ca19232b3a3 Mon Sep 17 00:00:00 2001
From: shionit
Date: Sun, 10 May 2026 17:37:36 +0700
Subject: [PATCH 2/2] chore: pin actions/checkout to v6.0.2 across all workflows

Aligns the three workflows to the same actions/checkout SHA (de0fac2e4500dabe0009e67214ff5f5447ce83dd) so Renovate can update them as a single grouped PR going forward.

---
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/devcontainer-ci.yml | 2 +-
 .github/workflows/scorecards.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bec966a..28f8635 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
       - name: 'Checkout Repository'
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/devcontainer-ci.yml b/.github/workflows/devcontainer-ci.yml
index d4f5d15..76c14b3 100644
--- a/.github/workflows/devcontainer-ci.yml
+++ b/.github/workflows/devcontainer-ci.yml
@@ -41,7 +41,7 @@ jobs:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       # Build the Dockerfile directly with docker build.
       # Using --no-cache ensures the base image tag is actually pulled from the
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 5c31a06..0a8824e 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -41,7 +41,7 @@ jobs:
           egress-policy: audit
       - name: "Checkout code"
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false