mirror of
https://github.com/neovim/neovim.git
synced 2026-03-28 03:12:00 +00:00
This improves CI security by ensuring that action dependencies cannot be changed by upstream repositories without updating the use of the dependency in this repo. Official GitHub-maintained actions are excluded from this requirement and are left pinned by a tag instead of a commit hash. This action dependency pinning policy is codified in `.github/zizmor.yml` so that Zizmor (a static analysis tool for GitHub Actions) doesn't flag these as unpinned dependencies. Also add cooldown timer for Dependabot.

This fixes these two Zizmor audits:

* https://docs.zizmor.sh/audits/#dependabot-cooldown
* https://docs.zizmor.sh/audits/#unpinned-uses
11 lines
192 B
YAML
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "ci"
    cooldown:
      default-days: 7
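The `cooldown` block above is what satisfies the dependabot-cooldown audit: a newly published action release is held back for seven days before Dependabot opens a PR for it, which gives upstream time to yank a compromised release before it is pulled in. The unpinned-uses audit is satisfied by the separate `.github/zizmor.yml` mentioned in the commit message, which this page does not show. The following is an added example of what such a policy file can look like, written here as an illustration and not copied from the neovim repository; it uses the `rules.unpinned-uses.config.policies` layout from zizmor's configuration documentation, where each key is an action pattern and the value is the required pinning strength (`hash-pin`, `ref-pin` or `any`). The choice of which namespaces count as "official" is an assumption made for this example.

```yaml
# Assumed example of .github/zizmor.yml (not the neovim project's own file).
# Expresses the policy described in the commit message: every action must be
# pinned to a full commit SHA, except GitHub-maintained actions, which may be
# pinned to a tag. Patterns are matched in order of specificity, so the
# namespace rules take precedence over the catch-all "*".
rules:
  unpinned-uses:
    config:
      policies:
        # GitHub-maintained actions: a tag/ref pin (e.g. actions/checkout@v4)
        # is accepted. Which namespaces count as "official" is an assumption.
        "actions/*": ref-pin
        "github/*": ref-pin
        # Everything else must be pinned to a commit hash, so an upstream
        # repository cannot silently move a tag to different code.
        "*": hash-pin
```

With this in place, a `uses: some-org/some-action@v1` line in a workflow is reported by `zizmor` as unpinned, while `uses: actions/checkout@v4` is accepted; a hash-pinned line such as `uses: some-org/some-action@<full 40-hex commit sha>` passes under both rules. Pairing the hash pin with a `# v1.2.3` trailing comment keeps the human-readable version visible for Dependabot and reviewers.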