Running Dependabot as a GitHub Action workflow and Renovate?

[HonkingGoose]

Tell us more.

Quote from the GitHub Blog:

Starting today, administrators using Github.com accounts can enable their repositories and/or organizations to run Dependabot updates jobs as a GitHub Actions workflow using both hosted and self-hosted runners. Running Dependabot does not count towards GitHub Actions minutes–meaning that using Dependabot continues to be free for everyone.

Do we (as maintainers) need to do anything to support Dependabot vulnerability alerts? I think we need Dependabot vulnerability alerts for our vulnerabilityAlerts config option at least. I guess more Renovate things rely on getting the correct info from Dependabot?

Sources:

• GitHub Blog, Dependabot on GitHub Actions and self-hosted runners is now generally available
• GitHub Docs, About Dependabot on GitHub Actions runners

[rarkins]

Dependabot alerts are calculated by GitHub independently of Dependabot itself, in a backend unrelated to GitHub Actions, so not related to this change.