mirror of
https://github.com/microsoft/agent-framework.git
synced 2026-06-16 21:04:09 +08:00
01a3c5be8a
Replaces every floating tag in our workflow and composite action files with an immutable 40-character commit SHA, keeping the original `# vX` comment so Dependabot can still propose version bumps. 186 occurrences across 25 workflows and 2 composite actions. Also widens the github-actions Dependabot entry to use the plural `directories` key with `/.github/actions/*` so composite actions under `.github/actions/<name>/action.yml` are kept up to date. Previously Dependabot only scanned `.github/workflows` and the repo-root `action.yml`, leaving our `python-setup` and `sample-validation-setup` composite actions unmaintained.
59 lines
2.1 KiB
YAML
59 lines
2.1 KiB
YAML
# To get started with Dependabot version updates, you'll need to specify which
|
|
# package ecosystems to update and where the package manifests are located.
|
|
# Please see the documentation for all configuration options:
|
|
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
|
|
|
|
version: 2
|
|
updates:
|
|
# Maintain dependencies for nuget
|
|
- package-ecosystem: "nuget"
|
|
directory: "dotnet/"
|
|
schedule:
|
|
interval: "cron"
|
|
cronjob: "0 8 * * 4,0" # Every Thursday(4) and Sunday(0) at 8:00 UTC
|
|
ignore:
|
|
# For all System.* and Microsoft.Extensions/Bcl.* packages, ignore all major version updates
|
|
- dependency-name: "System.*"
|
|
update-types: ["version-update:semver-major"]
|
|
- dependency-name: "Microsoft.Extensions.*"
|
|
update-types: ["version-update:semver-major"]
|
|
- dependency-name: "Microsoft.Bcl.*"
|
|
update-types: ["version-update:semver-major"]
|
|
- dependency-name: "Moq"
|
|
labels:
|
|
- ".NET"
|
|
- "dependencies"
|
|
|
|
# Maintain dependencies for python
|
|
- package-ecosystem: "pip"
|
|
directory: "python/"
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "monday"
|
|
labels:
|
|
- "python"
|
|
- "dependencies"
|
|
- package-ecosystem: "uv"
|
|
directory: "python/"
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "monday"
|
|
labels:
|
|
- "python"
|
|
- "dependencies"
|
|
|
|
# Maintain dependencies for github-actions
|
|
- package-ecosystem: "github-actions"
|
|
# Cover both the standard workflow location and our composite actions.
|
|
# With `directory: "/"` Dependabot only scans `.github/workflows/*.{yml,yaml}`
|
|
# plus a root-level `action.yml/action.yaml`. It does NOT recurse into
|
|
# `.github/actions/*/action.yml`, so the glob below is required to keep the
|
|
# composite actions in `.github/actions/<name>/` up to date as well.
|
|
# Ref: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories-or-directory--
|
|
directories:
|
|
- "/"
|
|
- "/.github/actions/*"
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "sunday"
|