Layer 4 — Keep SHAs Fresh with Dependabot
SHA pinning (Layer 1) is only useful if the SHAs stay current. Dependabot updates them while respecting a cooldown period, which gives the community time to spot compromised releases before you adopt them.
Per-repo configuration
Section titled “Per-repo configuration”.github/dependabot.yml:
version: 2updates: - package-ecosystem: github-actions directory: / schedule: interval: weekly day: monday cooldown: default-days: 7 # wait 7 days after release before opening a PR semver-major-days: 14 open-pull-requests-limit: 10 groups: actions-minor-patch: update-types: ["minor", "patch"] commit-message: prefix: "chore(deps)" include: "scope"Rollout strategy
Section titled “Rollout strategy”Pick the option that matches how much central control you want:
- Option A — Template (lightweight). Add
dependabot.ymlto a template repo and document it in onboarding. No enforcement. - Option B — Push ruleset (recommended). Create a push ruleset that rejects pushes
deleting
.github/dependabot.yml. Bootstrap each repo once (script below), then the ruleset prevents drift. - Option C — Centralized auto-PR. Run a scheduled job in your central repo that
iterates all repos via the API and opens a PR adding
dependabot.ymlwhere missing.
Bootstrap script
Section titled “Bootstrap script”Open PRs adding dependabot.yml to every repo that lacks one:
#!/usr/bin/env bashORG="your-org"
DEPENDABOT_FILE="$(cat <<'YAML'version: 2updates: - package-ecosystem: github-actions directory: / schedule: interval: weekly cooldown: default-days: 7YAML)"
gh repo list "$ORG" --limit 1000 --json name --jq '.[].name' \| while read -r REPO; do if ! gh api "/repos/$ORG/$REPO/contents/.github/dependabot.yml" >/dev/null 2>&1; then echo "Adding dependabot.yml to $ORG/$REPO" gh api --method PUT \ "/repos/$ORG/$REPO/contents/.github/dependabot.yml" \ -f message="chore: add Dependabot config for GitHub Actions" \ -f content="$(printf '%s' "$DEPENDABOT_FILE" | base64)" \ -f branch="chore/add-dependabot" || true gh pr create --repo "$ORG/$REPO" \ --title "chore: add Dependabot config" \ --body "Automated rollout of Dependabot for GitHub Actions updates." \ --head "chore/add-dependabot" --base main || true fi doneOnce Dependabot is rolling, weekly PRs appear in each repo as new SHAs pass their cooldown. Merge them like any other dependency update.