PSA: Use Dependabot to update GitHub actions automatically

GitHub offers Dependabot to update GitHub actions automatically. I found this quite useful for my own packages. The SciML organization and the Trixi.jl framework have already enabled it in many repositories; the remaining ones will be processed soon. You basically need to create a file .github/dependabot.yml with the following content:

# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"

See enable dependabot for GitHub actions by ranocha · Pull Request #37 · SciML/MuladdMacro.jl · GitHub for an example.

Hope this is useful for some of you!

13 Likes

To be more specific, you can see Dependabot as an analog of CompatHelper for GitHub actions dependencies such as actions/checkout@v2. Based on semver, you will not use actions/checkout@v2 with this setup. Dependabot will create a PR updating such a line to actions/checkout@v3. This will fix deprecation warnings such as

Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16:
actions/checkout@v2, actions/cache@v2, codecov/codecov-action@v2. 
For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.

That’s handled by updating the GitHub actions mentioned there to their new major version - which dependabot will do for you by submitting PRs. See also enable dependabot for GitHub actions by ranocha · Pull Request #42 · JuliaArrays/TiledIteration.jl · GitHub

1 Like

Unfortunately, we can’t currently depend on Dependabot to upgrade workflows like CompatHelper. I realized I need to go back to some repos and manually update it.

1 Like
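Added example (not part of any post in this thread, and not code from Dependabot or GitHub): a Python check that lists the `uses:` lines of a workflow named in a deprecation warning like the one quoted above, and tests whether a dependabot.yml declares the github-actions ecosystem. The workflow text is a constructed sample, the function names are hypothetical, and the line-based regex matching is a simplification rather than a full YAML parse.

```python
import re

# `uses: owner/repo[/path]@ref` in a workflow step, with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)")
# `owner/repo[/path]@ref` tokens as they appear in a deprecation warning.
WARNED_RE = re.compile(r"([\w.-]+/[\w./-]+)@([\w-]+(?:\.[\w-]+)*)")
ECOSYSTEM_RE = re.compile(
    r"""^\s*-?\s*package-ecosystem:\s*["']?github-actions["']?\s*(?:#.*)?$""", re.M)

def action_refs(workflow_text):
    """Return (line_number, action, ref) for every `uses:` line of a workflow."""
    refs = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line.split(" #", 1)[0])  # ignore trailing comments
        if match:
            refs.append((number, match.group(1), match.group(2)))
    return refs

def flagged_refs(workflow_text, warning_text):
    """Return the `uses:` lines whose action@ref is named in the warning."""
    warned = set(WARNED_RE.findall(warning_text))
    return [ref for ref in action_refs(workflow_text) if ref[1:] in warned]

def dependabot_covers_actions(config_text):
    """True if a dependabot.yml declares the "github-actions" ecosystem."""
    return ECOSYSTEM_RE.search(config_text) is not None

# Constructed sample workflow (not taken from any repository).
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: julia-actions/setup-julia@v1
      - uses: actions/cache@v2
      - name: Upload coverage
        uses: codecov/codecov-action@v2  # coverage
"""
# The two warning lines quoted in the thread.
SAMPLE_WARNING = ("Node.js 12 actions are deprecated. Please update the following "
                  "actions to use Node.js 16:\n"
                  "actions/checkout@v2, actions/cache@v2, codecov/codecov-action@v2.")

if __name__ == "__main__":
    for number, action, ref in flagged_refs(SAMPLE_WORKFLOW, SAMPLE_WARNING):
        print(f"line {number}: {action}@{ref} is named in the warning")
```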