Using Dependabot with new Composite Actions

I tried to create a new Composite Action with the new uses. My goal is to make use of dependabot to update the actions I’m referencing in my action.yaml. It seems like using package-ecosystem: "github-actions" does not achieve that as I get the following error:

Dependabot couldn’t find a .yml.

Dependabot requires a .yml to evaluate your Github_actions dependencies. It had expected to find one at the path: /.github/workflows/<anything>.yml .

If this isn’t a Github_actions project, you may wish to disable updates for it in the .github/dependabot.yaml config file in this repo.

My current repo structure looks like this:

 ⌙ dependabot.yaml

my dependabot.yaml

version: 2
  - package-ecosystem: "github-actions"
    directory: "/"
      interval: "weekly"

Is there a way to achieve the effect i’m looking for?


Having the same issue when trying to let Dependabot update github-actions used within composites.

1 Like