
ci: also auto-update GitHub Actions via Dependabot #119

Merged
d-morrison merged 1 commit into main from claude/dependabot-github-actions
Jun 20, 2026

@d-morrison

Owner

Summary

Follow-up to the merged Dependabot submodule PR (#117). Adds a second Dependabot ecosystem, github-actions, so pinned action versions in .github/workflows/ (e.g. actions/checkout, r-lib/actions/*, quarto-dev/quarto-actions/*) get bumped automatically too — including resolving the mixed actions/checkout@v4/@v5 pins a reviewer noted.

Because this is a template, the config propagates to books generated from it.

Config

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(actions)" }

Weekly cadence; unversioned @HEAD/@main pins are left untouched by Dependabot.

🤖 Generated with Claude Code

https://claude.ai/code/session_01DrceBhXtcKRFaPPEMwxAZN


Generated by Claude Code

Add a github-actions ecosystem to the Dependabot config so pinned action
versions (actions/checkout, setup-r, quarto-actions, etc.) get bumped
automatically alongside the macros submodule (per reviewer suggestion).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DrceBhXtcKRFaPPEMwxAZN
Copilot AI review requested due to automatic review settings June 20, 2026 07:53
@claude

claude Bot commented Jun 20, 2026

Contributor

Claude finished @d-morrison's task in 1m 33s


Code Review

  • Gather context (diff, workflow files, existing config)
  • Review .github/dependabot.yml change
  • Check for config correctness and template impact
  • Post findings

Config is correct and well-formed. The github-actions ecosystem entry mirrors the existing gitsubmodule entry in structure, uses the right directory: "/" (Dependabot resolves .github/workflows/ from the root automatically), and the weekly cadence + commit-message prefix are consistent with the project's conventions.

Pre-existing issue this PR will partially resolve: publish.yml uses actions/checkout@v5 while the other five workflow files use @v4. Dependabot will open bump PRs to align all of them once the newer version stabilizes across the board.

Pre-existing issue Dependabot won't resolve: quarto-dev/quarto-actions/setup is pinned at @HEAD in one workflow and @v2 in another. The new comment on line 20 correctly notes that unversioned pins are left untouched — but worth manually standardizing that pair to @v2 in a follow-up.

One optional improvement posted as an inline suggestion (line 26): add a groups key so all action bumps are batched into a single weekly PR. Without it, the initial Dependabot sweep could hit the default 5-PR limit before opening bumps for all 8+ pinned actions.

Otherwise the PR is clean — nothing blocking.
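
An added example, not part of this PR or the repository's code: a small Python audit of workflow `uses:` pins that reports the two conditions raised in the review above, branch-like refs such as @HEAD and the same action pinned at different refs across files. The workflow contents and the file name preview.yml are constructed sample input.

```python
import re
from collections import defaultdict

# `uses: owner/repo[/path]@ref`; local (./) and docker:// references do not match.
USES_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v?\d+(\.\d+){0,2}")

def classify(ref):
    """Return 'sha', 'version' or 'unversioned' (branch-like: HEAD, main, ...)."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if VERSION_RE.fullmatch(ref):
        return "version"
    return "unversioned"

def audit(workflows):
    """workflows maps file name -> YAML text. Returns (unversioned, mixed)."""
    seen = defaultdict(lambda: defaultdict(set))  # action -> ref -> files
    for name, text in workflows.items():
        for action, ref in USES_RE.findall(text):
            seen[action][ref].add(name)
    unversioned = sorted(
        (action, ref, name)
        for action, refs in seen.items()
        for ref, files in refs.items() if classify(ref) == "unversioned"
        for name in files)
    mixed = {a: sorted(refs) for a, refs in seen.items() if len(refs) > 1}
    return unversioned, mixed

# Constructed sample input mirroring the pins discussed in the review.
SAMPLE_WORKFLOWS = {
    "publish.yml": "steps:\n"
                   "  - uses: actions/checkout@v5\n"
                   "  - uses: quarto-dev/quarto-actions/setup@v2\n",
    "preview.yml": "steps:\n"
                   "  - name: Check out\n"
                   "    uses: actions/checkout@v4\n"
                   "  - uses: quarto-dev/quarto-actions/setup@HEAD\n"
                   "  - uses: r-lib/actions/setup-r@v2\n",
}

if __name__ == "__main__":
    unversioned, mixed = audit(SAMPLE_WORKFLOWS)
    for action, ref, name in unversioned:
        print(f"{name}: {action}@{ref} is not a version pin")
    for action, refs in mixed.items():
        print(f"{action} pinned at different refs: {', '.join(refs)}")
```

Run against a checkout by passing the text of each file under .github/workflows/ as the `workflows` mapping.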

Copilot AI left a comment

Contributor


Pull request overview

This PR extends the template’s Dependabot configuration to also track GitHub Actions updates, so downstream books generated from the template can keep workflow action pins current automatically.

Changes:

  • Adds a github-actions Dependabot ecosystem entry (weekly) to update pinned action versions in .github/workflows/.
  • Customizes commit message prefixes for action bumps (chore(actions)) alongside existing submodule bumps (chore(submodule)).

Comment thread .github/dependabot.yml
schedule:
interval: "weekly"
commit-message:
prefix: "chore(actions)"

Contributor


Consider adding a groups key to bundle all action bumps into a single weekly PR rather than one per action. With ~8 pinned actions in .github/workflows/, the initial Dependabot run could open 5+ PRs simultaneously (default open-pull-requests-limit is 5). Grouping keeps the noise down:

Suggested change
prefix: "chore(actions)"
commit-message:
prefix: "chore(actions)"
groups:
github-actions:
patterns:
- "*"

Not a blocker — just a quality-of-life suggestion.

@d-morrison d-morrison merged commit d822112 into main Jun 20, 2026
11 checks passed
@d-morrison d-morrison deleted the claude/dependabot-github-actions branch June 20, 2026 07:58
@github-actions

Contributor
PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-06-20 01:00 PDT
