Explore dependabot to keep our (pinned) actions up to date #78

lwasser opened this issue Mar 5, 2025 · 3 comments · May be fixed by #79

lwasser commented Mar 5, 2025

> We, I think, have Dependabot set up in the org, I think, but I didn't configure it. This is a basic question but would it help update things like this version? IE could we use it in this repo?

Oh, I notice that there are a few moving parts here. As this file is not a workflow of its own but a template that will be generated and moved into `.github/workflows/`, I am not sure if Dependabot will be able to operate on the template file as well, in addition to the workflow file. It does have a `directory:` setting, which I think we should try out: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories-or-directory--

That means that we have two possible scenarios:

  • the GitHub Actions dependencies in this file get outdated and are not kept up to date: assuming we also ship a Dependabot configuration file with our template that will be copied (and we instruct users on how to use Dependabot), the generated workflow file will receive updates. This should be good for users, as they receive updates. However, we, as the ones shipping the template, would need to find a method to "mirror" the updates from our workflow file to the template file.
  • the GitHub Actions dependencies in this file are also updated in addition to our own workflows (that would be great!)

The first one is surely not ideal, so we should explore if Dependabot will choose to be the star here or not 😉

> My gut tells me we won't have the bandwidth to perform weekly updates here unless someone wants to take that one! But perhaps monthly or quarterly would work. I am not sure what is best, however, and would love suggestions.

I agree with you. Monthly updates would be nicer – and users can always bump it to daily, or weekly, and so on, based on their bandwidth.

> Also, if you were interested in helping us maintain here, that would be awesome (only if you have bandwidth!)

I'd love to! I've also helped out with the development and maintenance of especially other copier templates, such as https://github.com/pybamm-team/pybamm-cookie – where my experience should be transferable enough for me to help out. I do have limited bandwidth, however, and can't say I can work full-time on this, but I would be open to lending a hand with more reviews and occasional updates anytime :D

Originally posted by @agriyakhetarpal in #73 (comment)
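
The "mirror" problem in the first scenario above can at least be detected automatically. The following is an added example, not part of the original comment or the project's code: it compares the `uses:` refs in a workflow with those in the template copy and lists actions that are not pinned to a full commit SHA. The file contents and SHAs are constructed placeholders.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted; a trailing `# v1.2.3` is ignored
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?([\w.-]+/[\w./-]+)@([\w./-]+)""", re.MULTILINE
)
SHA_RE = re.compile(r"[0-9a-f]{40}")


def pinned_actions(text):
    """Map each action to the set of refs it is used with in one file."""
    pins = {}
    for action, ref in USES_RE.findall(text):
        pins.setdefault(action, set()).add(ref)
    return pins


def drift(workflow_text, template_text):
    """Actions in both files whose refs differ: {action: (workflow, template)}."""
    wf, tpl = pinned_actions(workflow_text), pinned_actions(template_text)
    return {a: (sorted(wf[a]), sorted(tpl[a]))
            for a in sorted(wf.keys() & tpl.keys()) if wf[a] != tpl[a]}


def unpinned(text):
    """Actions referenced by tag or branch rather than a full commit SHA."""
    return sorted(a for a, refs in pinned_actions(text).items()
                  if any(not SHA_RE.fullmatch(r) for r in refs))


# Constructed sample: the repo's own workflow after an update was applied ...
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # newer
      - uses: actions/setup-python@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""
# ... and the template copy, which was not updated (placeholder SHAs throughout).
TEMPLATE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@cccccccccccccccccccccccccccccccccccccccc # older
      - uses: actions/setup-python@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
      - uses: codecov/codecov-action@v5
"""

if __name__ == "__main__":
    print("drift:", drift(WORKFLOW, TEMPLATE))
    print("not SHA-pinned in template:", unpinned(TEMPLATE))
```

Run against the real workflow and template files in CI, a non-empty `drift` result means the template has fallen behind the workflow that Dependabot maintains.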

@agriyakhetarpal

Thank you for merging #73 and for following up with this issue, @lwasser! I can take it up. Could you please assign me to it? For some reason, I can't do so even after joining the team (thanks for the invite, BTW!).

@agriyakhetarpal

Actually, I'm able to – I just needed to reload the page (😅), and the permissions are now showing up! 😎

agriyakhetarpal self-assigned this Mar 5, 2025

lwasser commented Mar 6, 2025

Great - thanks!!

agriyakhetarpal linked a pull request Mar 19, 2025 that will close this issue