Skip to content

chore: enable Dependabot weekly GitHub Actions bumps#2

Merged
nicolas-rabault merged 1 commit into
mainfrom
chore/add-dependabot-github-actions
Jun 8, 2026
Merged

chore: enable Dependabot weekly GitHub Actions bumps#2
nicolas-rabault merged 1 commit into
mainfrom
chore/add-dependabot-github-actions

Conversation

@hf-dependantbot-rollout

Copy link
Copy Markdown
Contributor

Summary

Adds .github/dependabot.yml so this repo's pinned GitHub Action SHAs
get bumped automatically once a week.

All action updates are grouped into one weekly PR (not one PR per
action) to keep the noise down, and Dependabot waits 7 days after a
release before opening the bump
(cooldown). The 7-day cooldown is
aligned with the org's pinact min_age: 7 policy — so by the time
the Dependabot PR lands, the SHA is already old enough for the security
gate to accept it. The bot opens the PR; the org-wide security gate
(pinact + denylist + deny-packages + osv-scan) runs on it; a human
merges.

Why

GitHub Action SHAs that were safe when pinned can drift out of date —
missing security patches, bug fixes, or new features. Dependabot keeps
them current. Combined with the org-wide validation workflow (which
blocks compromised SHAs from landing), the bumps are safe by
construction.

Closes huggingface/tracking-issues#771

@nicolas-rabault nicolas-rabault force-pushed the chore/add-dependabot-github-actions branch from 07937c7 to 49280a4 Compare June 8, 2026 11:33
@nicolas-rabault nicolas-rabault merged commit a4e8b93 into main Jun 8, 2026
5 checks passed
@nicolas-rabault nicolas-rabault deleted the chore/add-dependabot-github-actions branch June 8, 2026 12:10
MichaelMintIcecream added a commit to Nori-Robotics/Nori-Lab that referenced this pull request Jul 15, 2026
Adds a 'Publish a dataset to the community' card on the marketplace page: pick one
of your promoted uploads, title + description, consent, publish. Wraps the
existing backend route (POST /nori/marketplace/datasets/{session_id}/publish,
auto-publishes after re-homing + the format gate). Handles 403 (inline
publish_public consent grant + retry) and 409 (already listed). New client fn
publishDataset. Verified end-to-end against the deployed backend.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant