From 9fdc83031a22d66ad23dab8865bc0d9331ee6189 Mon Sep 17 00:00:00 2001
From: Andrew Brown <andrew.brown@intel.com>
Date: Fri, 9 Feb 2024 18:28:05 -0800
Subject: [PATCH] ci: reduce the steady stream of dependabot PRs (#138)

PR #107 introduced dependabot to the repository to update GitHub
Actions. This results in a weekly stream of PRs to incorporate every
tiny patch update for every GitHub Action we use here. This results in a
lot of churn and I do not have any sense that it improves the code
quality in any way. Instead, it may in fact be the cause of the breakage
in the release workflow, since that relies on `upload-artifact` which
dependabot bumped from v3.1.3 to v4.0.0.

What this change does is follow GitHub's [guidance] to only receive
security updates. Since "dependabot security updates" are enabled, we
don't need to follow each action update; setting
`open-pull-requests-limit` to 0 mutes the dependabot PRs but we should
still see any security alerts in the security tab.

[guidance]: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ca79ca5..add39d3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    # Disable the steady stream of version updates for actions; only notify about security updates.
+    open-pull-requests-limit: 0