🐙 GitHub Actions
GitHub Actions
GitHub Actions is a continuous integration platform inside GitHub. It's cheap, very flexible and, best of all, part of GitHub.
- GitHub repository contains workflows.
- Workflows contain jobs.
- Jobs contain steps e.g. running certain programs.
Workflows are triggered by events: changes in the repository (e.g. push, pull_request), a schedule, or a manual trigger (workflow_dispatch).
You can filter these, e.g. run only when certain files are modified, when a tag is pushed, or only for certain branch names.
At the start of each job, GitHub creates a unique secrets.GITHUB_TOKEN for it. The token expires when the job finishes (or after 24 hours at most), so it cannot be reused outside the job.
You can use the permissions key to modify the default permissions granted to the job's GITHUB_TOKEN.
- These can be defined either at the workflow level or the job level. A job-level permissions block replaces the workflow-level one for that job, and any scope you leave out is set to none.
- The default permissions come from the repository (or organization) settings. Choose the restricted default (read-only) there and grant write scopes per job.
- If the job needs a permission the GITHUB_TOKEN cannot grant (e.g. access to another repository), you can use a personal access token stored as a repository secret. Scope it as narrowly as possible and rotate it.
- Jobs triggered by pull requests from forked repositories receive at most read permission on the origin repository and no secrets, for security reasons. The exception is pull_request_target, which runs with the base repository's permissions and secrets; never check out and execute the fork's code in such a workflow.
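The following workflow is an added example (not from the original page) that puts the points above together: event filters, a read-only workflow-level default for GITHUB_TOKEN, a job-level override that grants exactly one write scope, and a guard that skips the write step for pull requests from forks. The file path, job names and the npm commands are assumptions chosen for illustration.

```yaml
# .github/workflows/ci.yml  (added example; names and commands are assumptions)
name: CI

on:
  push:
    branches: [main]          # branch filter
    paths:
      - 'src/**'              # only when files under src/ change
  pull_request:
  schedule:
    - cron: '0 6 * * 1'       # Mondays 06:00 UTC
  workflow_dispatch:          # manual trigger

# Workflow-level default: least privilege. Every job's GITHUB_TOKEN is
# read-only on repository contents and has no other scope, regardless of
# the repository's default setting.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  comment:
    needs: build
    runs-on: ubuntu-latest
    # Job-level block replaces the workflow-level one for this job only.
    # Scopes not listed here (issues, packages, ...) become none.
    permissions:
      contents: read
      pull-requests: write
    # Pull requests from forks get a read-only token and no secrets, so the
    # comment step would fail there; run it only for same-repo branches.
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - run: gh pr comment "$PR" --body "Build passed"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

The split matters because a compromised step in the build job (a malicious dependency, say) holds only a read-only token; only the small comment job, which runs no third-party code, can write to pull requests.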
Dependabot
Dependabot is an automation tool in GitHub.
- If security alerts are enabled, it notifies you when a dependency has a known vulnerability.
- If automatic updates are enabled, it opens pull requests for the upgrades.
Workflows triggered by Dependabot (e.g. on its pull requests) work like other GitHub Actions workflows but have limited permissions:
- They only see Dependabot secrets, not the normal GitHub Actions secrets.
- secrets.GITHUB_TOKEN is read-only by default in these workflows.
- This holds true even if the workflow is re-run by some actor other than Dependabot.
Enable Dependabot alerts for the repository, for your personal account and for the organization. They are found under the security settings.
Consider enabling Dependabot security updates and version updates as well. Your mileage may vary depending on the ecosystem and project. If they are not enabled, you will have to resolve security alerts and periodic upgrades manually or through some other form of automation.
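Version updates are configured with a dependabot.yml file in the repository. The configuration below is an added example (not from the original page) that updates npm dependencies weekly and also keeps the actions used in the repository's own workflows up to date, which closes a common supply-chain gap. The ecosystems, schedule and limit are assumptions to adapt to the project.

```yaml
# .github/dependabot.yml  (added example; ecosystems and schedule are assumptions)
version: 2
updates:
  # Application dependencies: one weekly batch of PRs, capped to keep review load manageable.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # The actions referenced in .github/workflows/*.yml are dependencies too:
  # Dependabot bumps the pinned versions so a stale or vulnerable action is
  # not left running in CI.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot alerts and security updates are switched on in the repository's security settings rather than in this file; the file only controls version updates.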