Dependabot not finding outdated actions outside of workflows

[steveoh]

Custom actions outside the .gitbub/workflows directory are not being seen by dependabots current configuration:

updates:
  - package-ecosystem: github-actions
    directory: /
    target-branch: staging
    schedule:
      interval: monthly
    groups:
      ci-dependencies:
        dependency-type: 'production'

The warnings are in the annotations of some action runs yet we haven't seen a dbot pr for them. These custom actions, typically found in .github/actions, are used in a few other repositories and this fix should ripple through those repos.

• agrc/deq-eid-skid
• agrc/gcp-terraform
• agrc/project-moonwalk
• agrc/nfhl-skid
• agrc/porter
• agrc/wmrc-skid

A couple ideas to try could be

• Moving the .github/actions folder to be a sibling of .github/workflows to determine if dependabot is only searching in the .github/workflows directory by convention.

• Migrate the directory prop to directories adding the custom location.

   updates:
     - package-ecosystem: github-actions
       directories: 
         - /
         - .github/actions
       target-branch: staging
       schedule:
         interval: monthly
       groups:
         ci-dependencies:
           dependency-type: 'production'

[stdavis]

/remind me to check on this in two months

[github-actions]

@stdavis set a reminder for 2025-07-29

[stdavis]

I think that I finally got this working with this commit: 5e2616d

Even though the docs seem to indicate that globbing is supported, I couldn't get it to work. Each directory needs to be explicitly included.

BTW - what happened to my reminder?....