Let Dependabot manage GitHub Actions versions

[timothyjward]

GitHub actions are versioned and can be deprecated/disabled over time. Letting dependabot manage their updates simplifies keeping things running smoothly.

This relates to (but does not fix) issue #430

[pzygielo]

Upload action is already updated here

dash-licenses/.github/workflows/mavenLicenseCheck.yml

Line 192 in e834607

- uses: actions/upload-artifact@v4

But https://github.com/eclipse-osgi-technology/.github/blob/0cc70ab5fd07d1a61a34fcc88fb17c3993f6e14f/.github/workflows/reuse_all_check_eclipse_ip.yml#L13 is pointing to the exact version which will never change and will never use newer upload action.

[timothyjward]

But https://github.com/eclipse-osgi-technology/.github/blob/0cc70ab5fd07d1a61a34fcc88fb17c3993f6e14f/.github/workflows/reuse_all_check_eclipse_ip.yml#L13 is pointing to the exact version which will never change and will never use newer upload action.

The project is attempting to follow security best practice, which is not to point at a "moving target" like @v4 or @main but instead to use the commit id for the latest release tag and then put the tag in the comment. This is why the line reads

eclipse-dash/dash-licenses/.github/workflows/mavenLicenseCheck.yml@90ebdf14dff066293b65b9d3ca99c8fb90d5222b # 1.1.0

Dependabot actually understands this mechanism and will still update the dependencies (and comments) for you, as it did for us in https://github.com/eclipse-osgi-technology/.github/pull/18/files

Upload action is already updated here

It's great that this is already fixed. Is there a release tag we can use which has this fix?

[mbarbero]

FYI, @eclipse-dash/eclipsefdn-security team has a tool to pin all GitHub actions https://github.com/eclipse-csi/octopin

[HannesWell]

FYI, @eclipse-dash/eclipsefdn-security team has a tool to pin all GitHub actions https://github.com/eclipse-csi/octopin

I just pinned the versions that were not yet pinned via #432.

[HannesWell]

Looks good. Thank you.