ci: Automatically update GitHub Actions #497

Open

DimitriPapadopoulos wants to merge 1 commit into adrienverge:master from DimitriPapadopoulos:actions
Conversation

@DimitriPapadopoulos (Contributor) commented Oct 7, 2022

@coveralls commented Oct 7, 2022

Coverage Status: coverage: 99.815%. remained the same when pulling add3ecf on DimitriPapadopoulos:actions into 866f805 on adrienverge:master.

@DimitriPapadopoulos (Contributor, Author)

The linter issue seems unrelated. Perhaps an internal CI bug?

@adrienverge (Owner)

I try to keep this repo minimal for easier maintenance, and easier onboarding for new contributors. I'm not sure this change has a big benefit, given that yamllint only has 2 dependencies (PyYAML and pathspec). What do you think?

(I apologize if I misunderstood the purpose of this pull request, if this is the case could you explain the goal of it in the commit message?)

@DimitriPapadopoulos (Contributor, Author) commented Oct 7, 2022

It just updates GitHub actions, not Python dependencies. Like #493, but it automates the creation of the merge request.

Comment thread .github/dependabot.yml
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
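Review bot: the excerpt shown here has no top-level `version: 2` key, which Dependabot requires before the `updates` list; confirm the committed file starts with it (the complete snippet quoted later in the thread, `version: 2` / `updates:` / `- package-ecosystem: "github-actions"`, shows the expected shape), since without it Dependabot rejects the configuration instead of opening update pull requests.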

Review comment (Contributor):

None of the strings in this YAML document need to be quoted 🙂

@DimitriPapadopoulos (Contributor, Author) Oct 7, 2022

I know, but they are always quoted in the reference documentation "Configuration options for the dependabot.yml file", as well as in other occurrences of .github/dependabot.yml.

I chose to stick to what is done elsewhere, rather than minimising the YAML file contents.

@adrienverge (Owner)

I don't see this PR-opening automation as something very useful nor as a time-saver. So unless I miss a big benefit (in which case it should go in the commit message), I'd prefer staying without it and keep the codebase minimal. What do you think?

(By the way I try to stay alert about security updates for PyYAML and Pathspec!)

@DimitriPapadopoulos (Contributor, Author)

Automation in this case should not be seen as a time-saver, but as a reminder. You will be notified (by an automated pull request) when new versions of GitHub Actions are available.

@adrienverge (Owner)

I took time to read the documentation (especially the one you just posted https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot), and frankly I don't see the need for such a change (for the above reasons). If you're OK I'd rather keep the codebase minimal and straightforward to dive into.

@DimitriPapadopoulos (Contributor, Author) commented Oct 14, 2022

I see many projects hosted in GitHub use Dependabot to automatically notify of updates of dependencies. I guess they are happy with the functionality. The downside might be how complex the CI environment itself is getting – sometimes more intricate than the code itself. However, Dependabot itself is pretty simple. I would recommend adding Dependabot, but certainly can understand that you would like to avoid it in a project with few dependencies.

@DimitriPapadopoulos (Contributor, Author)

For what it's worth, this PR would tick a box in the issues reported by the Repo-Review of Scientific Python:

  • GH200: Maintained by Dependabot
    All projects should have a .github/dependabot.yml file to support at least GitHub Actions regular updates. Something like this:
    version: 2
    updates:
    # Maintain dependencies for GitHub Actions
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
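The GH200 check quoted above (a .github/dependabot.yml with at least a github-actions update entry) can be implemented as a small script. The following is an added example, not code from yamllint, Repo-Review or this pull request; it parses only the indentation-based subset of YAML that dependabot.yml uses (nested mappings, lists of mappings, plain or quoted scalars, full-line comments), so it runs without PyYAML, and the two configurations it checks are constructed samples.

```python
"""Check a dependabot.yml for a scheduled github-actions update entry (Repo-Review GH200).

Added example (not yamllint's or Repo-Review's code). The parser below covers the
YAML subset dependabot.yml uses: nested mappings, lists of mappings, plain or quoted
scalars, and full-line comments. Inline comments and multi-document files are not handled.
"""
import re

# Constructed sample: the configuration proposed in the PR, as quoted by Repo-Review.
SAMPLE_CONFIG = """\
version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

# Constructed sample that only tracks Python packages, so GH200 should fail.
SAMPLE_CONFIG_NO_ACTIONS = """\
version: 2
updates:
- package-ecosystem: pip
  directory: /
  schedule:
    interval: weekly
"""


def _scalar(text):
    """Turn a scalar token into a str or int; quoting is optional in YAML, so strip it."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text


def _tokens(text):
    """Return (indent, content) pairs, dropping blank lines and full-line comments."""
    tokens = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens.append((len(raw) - len(raw.lstrip(" ")), raw.strip()))
    return tokens


def _parse_block(tokens, pos, indent):
    if tokens[pos][1].startswith("- "):
        return _parse_list(tokens, pos, indent)
    return _parse_map(tokens, pos, indent)


def _parse_map(tokens, pos, indent):
    result = {}
    while pos < len(tokens) and tokens[pos][0] == indent and not tokens[pos][1].startswith("- "):
        key, _, rest = tokens[pos][1].partition(":")
        pos += 1
        if rest.strip():
            result[key.strip()] = _scalar(rest)
        elif pos < len(tokens) and (tokens[pos][0] > indent or
                                    (tokens[pos][0] == indent and tokens[pos][1].startswith("- "))):
            # Nested block: deeper indentation, or a list whose "- " items sit at the key's level.
            result[key.strip()], pos = _parse_block(tokens, pos, tokens[pos][0])
        else:
            result[key.strip()] = None
    return result, pos


def _parse_list(tokens, pos, indent):
    items = []
    while pos < len(tokens) and tokens[pos][0] == indent and tokens[pos][1].startswith("- "):
        content = tokens[pos][1][2:]
        if ":" in content:
            # "- key: value" opens a mapping whose remaining keys are indented by the width of "- ".
            tokens[pos] = (indent + 2, content)
            item, pos = _parse_map(tokens, pos, indent + 2)
        else:
            item, pos = _scalar(content), pos + 1
        items.append(item)
    return items, pos


def parse_yaml_subset(text):
    """Parse the dependabot.yml subset of YAML into dicts, lists and scalars."""
    tokens = _tokens(text)
    if not tokens:
        return {}
    value, pos = _parse_block(tokens, 0, tokens[0][0])
    if pos != len(tokens):
        raise ValueError(f"unparsed content: {tokens[pos][1]!r}")
    return value


def check_gh200(text):
    """Return (ok, reason): version 2 plus a github-actions entry with a schedule interval."""
    try:
        config = parse_yaml_subset(text)
    except ValueError as exc:
        return False, f"cannot parse: {exc}"
    if config.get("version") != 2:
        return False, "missing or unsupported 'version' (Dependabot requires 2)"
    entries = [u for u in (config.get("updates") or [])
               if isinstance(u, dict) and u.get("package-ecosystem") == "github-actions"]
    if not entries:
        return False, "no update entry with package-ecosystem github-actions"
    for entry in entries:
        schedule = entry.get("schedule")
        if not isinstance(schedule, dict) or "interval" not in schedule:
            return False, "github-actions entry lacks schedule.interval"
    return True, f"github-actions updates scheduled {entries[0]['schedule']['interval']}"


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("no-actions", SAMPLE_CONFIG_NO_ACTIONS)):
        print(name, check_gh200(cfg))
```

Run it against a real repository by reading .github/dependabot.yml and passing its text to check_gh200; the parser accepts both list layouts seen in this thread (items indented under `updates:` and items at the same column as the key).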

@adrienverge (Owner)

OK, I note that Scientific Python encourages this.

In my opinion there is no urge to keep GitHub Action files always up-to-date, and I prefer keeping this repo as simple as possible.


4 participants