Use Dependabot to update GitHub Actions workflows

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"

.github/workflows/docs.yml

@@ -36,13 +36,6 @@ jobs:
  PYTHON: "3.11"
 
  steps:
- # Cancel any previous run of the test job
- # We pin the commit hash corresponding to v0.5.0, and not pinning the tag
- # because we are giving full access through the github.token.
- - name: Cancel Previous Runs
- uses: styfle/cancel-workflow-action@148d9a848c6acaf90a3ec30bc5062f646f8a4163
- with:
- access_token: ${{ github.token }}
 
  # Checks-out your repository under $GITHUB_WORKSPACE
  - name: Checkout
@@ -154,7 +147,7 @@ jobs:
  path: doc/_build/html
 
  - name: Checkout the gh-pages branch in a separate folder
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+ uses: actions/checkout@v2
  with:
  ref: gh-pages
  # Checkout to this folder instead of the current one

.github/workflows/pypi.yml

@@ -109,7 +109,7 @@ jobs:
  - name: Publish to Test PyPI
  # Only publish to TestPyPI when a PR is merged (pushed to main)
  if: success() && github.event_name == 'push'
- uses: pypa/gh-action-pypi-publish@bce3b74dbf8cc32833ffba9d15f83425c1a736e0
+ uses: pypa/gh-action-pypi-publish@v1.8.11
  with:
  user: __token__
  password: ${{ secrets.TEST_PYPI_TOKEN}}
@@ -121,7 +121,7 @@ jobs:
  - name: Publish to PyPI
  # Only publish to PyPI when a release triggers the build
  if: success() && github.event_name == 'release'
- uses: pypa/gh-action-pypi-publish@bce3b74dbf8cc32833ffba9d15f83425c1a736e0
+ uses: pypa/gh-action-pypi-publish@v1.8.11
  with:
  user: __token__
  password: ${{ secrets.PYPI_TOKEN}}

.github/workflows/test.yml

@@ -57,13 +57,6 @@ jobs:
  DEPENDENCIES: ${{ matrix.dependencies }}
 
  steps:
- # Cancel any previous run of the test job
- # We pin the commit hash corresponding to v0.5.0, and not pinning the tag
- # because we are giving full access through the github.token.
- - name: Cancel Previous Runs
- uses: styfle/cancel-workflow-action@148d9a848c6acaf90a3ec30bc5062f646f8a4163
- with:
- access_token: ${{ github.token }}
 
  # Checks-out your repository under $GITHUB_WORKSPACE
  - name: Checkout
@@ -154,9 +147,10 @@ jobs:
  - name: Upload coverage to Codecov
  uses: codecov/codecov-action@v3
  with:
- token: ${{ secrets.CODECOV_TOKEN }}
  file: ./coverage.xml
  env_vars: OS,PYTHON,DEPENDENCIES
  # Fail the job so we know coverage isn't being updated. Otherwise it
  # can silently drop and we won't know.
  fail_ci_if_error: true
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}