From 11e5b262cc708577ad6e05670a13ddf6bc5249ac Mon Sep 17 00:00:00 2001 From: Robert Stupp Date: Thu, 19 Feb 2026 10:00:09 +0100 Subject: [PATCH 1/3] GH actions policy, relax strong Dependabot wording The wording in the "GitHub actions policy" mandates the use of Dependabot, but other tools like Renovate do the same thing satisfying the "Git commit SHA" requirement. Would be nice to not "exclude" other solutions. --- content/pages/github-actions-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/pages/github-actions-policy.md b/content/pages/github-actions-policy.md index 4fa8758f7..7a01f7f32 100644 --- a/content/pages/github-actions-policy.md +++ b/content/pages/github-actions-policy.md @@ -8,7 +8,7 @@ For details on the use of requirement level terms, see the GitHub Actions Security. ### Dependabot -All repositories using GitHub Actions **must** have Dependabot enabled. +All repositories using GitHub Actions **must** have dependency management in place, for example Dependabot or Renovate. ### Resource use Due to misconfigurations in their builds, some projects have been using unsupportable numbers of [GitHub Actions](github-actions-secrets.html). As part of fixing this situation, Infra has established a policy for GitHub Actions use: From faa41e21bbc6d52ee7733fa8aa3283543dac41e0 Mon Sep 17 00:00:00 2001 From: Robert Stupp Date: Tue, 24 Feb 2026 16:17:26 +0100 Subject: [PATCH 2/3] update wording --- content/pages/github-actions-policy.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/pages/github-actions-policy.md b/content/pages/github-actions-policy.md index 7a01f7f32..1fb287408 100644 --- a/content/pages/github-actions-policy.md +++ b/content/pages/github-actions-policy.md 
@@ -8,8 +8,10 @@ For details on the use of requirement level terms, see the GitHub Actions Security. ### Dependabot -All repositories using GitHub Actions **must** have dependency management in place, for example Dependabot or Renovate. - +All repositories using GitHub Actions **must** have automatic dependency management in place using one of these tools: +* [GitHub Dependabot](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide) for the [`github-actions` ecosystem](https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories#github-actions) +* [Forking Renovate](https://docs.renovatebot.com/getting-started/running/#forking-renovate-app) using the [GitHub actions manager](https://docs.renovatebot.com/modules/manager/github-actions/) + ### Resource use Due to misconfigurations in their builds, some projects have been using unsupportable numbers of [GitHub Actions](github-actions-secrets.html). As part of fixing this situation, Infra has established a policy for GitHub Actions use: From 1969e95e80da4d5853f8627014185c0e593dbc02 Mon Sep 17 00:00:00 2001 From: Robert Stupp Date: Mon, 9 Mar 2026 08:55:56 +0100 Subject: [PATCH 3/3] HTML links --- content/pages/github-actions-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/pages/github-actions-policy.md b/content/pages/github-actions-policy.md index 1fb287408..9f3019ca5 100644 --- a/content/pages/github-actions-policy.md +++ b/content/pages/github-actions-policy.md 
@@ -9,8 +9,8 @@ For additional advice on how to use this feature safely, see GitHub Dependabot for the `github-actions` ecosystem +* Forking Renovate using the GitHub actions manager ### Resource use Due to misconfigurations in their builds, some projects have been using unsupportable numbers of [GitHub Actions](github-actions-secrets.html). As part of fixing this situation, Infra has established a policy for GitHub Actions use:
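Review bot: in the PATCH 1/3 hunk, the replacement sentence "must have dependency management in place, for example Dependabot or Renovate" turns a MUST into an open-ended requirement: "for example" does not say which other tools or configurations are acceptable, and nothing in the sentence ties the tool to workflow files, so a repository with Dependabot enabled only for another ecosystem (say its npm manifest) would read as compliant. Since the commit message justifies the change by the "Git commit SHA" requirement, state that requirement directly (automatic updates of the actions referenced in workflow files, including SHA-pinned `uses:` references) and present the tools as ways to meet it rather than as the requirement itself.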
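Review bot: the PATCH 2/3 hunk makes the list closed ("using one of these tools") while its Renovate bullet is narrower than its Dependabot bullet: it names "Forking Renovate", the hosted app, and links the app setup page, so a self-hosted Renovate running the same github-actions manager does not literally satisfy "one of these tools". If the intent is "either tool, configured for GitHub Actions workflow files", say so and link the manager/ecosystem documentation for both, as the Dependabot bullet already does by pointing at the `github-actions` ecosystem page. The heading above the list is still `### Dependabot` although the list now includes Renovate; rename it, checking for existing links to its anchor. The commit message "update wording" gives no reason for moving from an example list to a closed list; record the rationale.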
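Review bot: in the PATCH 3/3 hunk the link targets are no longer visible: the stat reports 2 insertions and 2 deletions, but the rendered hunk shows a single `+` line and no `-` lines, so it cannot be confirmed from this patch that the HTML links point at the same Dependabot quickstart, supported-ecosystems and Renovate manager pages that PATCH 2/3 introduced; please quote the full `<a href=...>` lines in the patch or the PR description. The unchanged context two lines down uses a Markdown link (`[GitHub Actions](github-actions-secrets.html)`), so the commit message "HTML links" should explain why raw HTML is required for these two bullets (for example a renderer limitation); otherwise keep the Markdown form for consistency with the rest of the page.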