mirror of https://github.com/systemd/systemd synced 2026-04-06 23:24:52 +02:00

Compare commits


4 Commits

Author SHA1 Message Date
Evgeny Vereshchagin
0da6973c17 ci: switch to weekly dependabot updates
Apparently some dependencies get updated much more often
than I would have expected.

It can always be triggered manually at https://github.com/systemd/systemd/network/dependencies
if there are any urgent updates
2021-11-17 12:16:57 +00:00
dependabot[bot]
eb37ed701b build(deps): bump github/super-linter from 4.8.3 to 4.8.4
Bumps [github/super-linter](https://github.com/github/super-linter) from 4.8.3 to 4.8.4.
- [Release notes](https://github.com/github/super-linter/releases)
- [Changelog](https://github.com/github/super-linter/blob/main/docs/release-process.md)
- [Commits](7d5dc989c5...563be7dc55)

---
updated-dependencies:
- dependency-name: github/super-linter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-17 10:59:41 +00:00
Luca Boccassi
cc970310a4 CONTAINER_INTERFACE: clarify that /proc/sys can be writable with namespacing
When user and network namespaces are enabled, the kernel
makes the global keys read-only, and makes the namespaced
ones available for the guest already.
2021-11-17 10:53:03 +00:00
Evgeny Vereshchagin
7e7e31521a ci: run codeql on PRs from Dependabot
To make sure PRs like https://github.com/systemd/systemd/pull/21409
don't break anything.
2021-11-17 10:14:33 +00:00
4 changed files with 11 additions and 6 deletions


@ -5,5 +5,5 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
interval: "weekly"
open-pull-requests-limit: 2
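Review bot: the rationale for `interval: "weekly"` lives only in the commit message (dependencies were updated more often than expected; urgent bumps can be triggered manually from https://github.com/systemd/systemd/network/dependencies), so put it in a YAML comment above `schedule:` where the next person editing this file will see it. The same comment should mention that `open-pull-requests-limit: 2` still applies, so a weekly batch of more than two bumps is spread over several weeks rather than landing at once.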


@ -5,6 +5,8 @@
name: "CodeQL"
on:
pull_request:
branches: [main]
# It takes the workflow approximately 30 minutes to analyze the code base
# so it doesn't seem to make much sense to trigger it on every PR or commit.
# It runs daily at 01:00 to avoid colliding with the Coverity workflow.
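Review bot: the comment left directly under the new `pull_request:` / `branches: [main]` trigger still says it does not make much sense to trigger the workflow on every PR, which now reads as a contradiction of the trigger added just above it. Extend the comment to say that the workflow is triggered on PRs to main but the job only runs for Dependabot PRs (the gating is the job-level `if:` in the later hunk), otherwise the first thing a reader sees here is misleading.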
@ -18,6 +20,7 @@ jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.pull_request.user.login == 'dependabot[bot]'
concurrency:
group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
cancel-in-progress: true
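Review bot: the new `if:` line carries no comment explaining why Dependabot PRs are the one kind of PR that gets analyzed; the reason in the commit message (PRs such as https://github.com/systemd/systemd/pull/21409 must not break anything) belongs next to the condition. Because the gate is at job level rather than in the trigger, every non-Dependabot PR to main will still start a run whose `Analyze` job is skipped once per matrix language; say so in the same comment so a skipped job is not read as a failure of the gate.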


@ -29,7 +29,7 @@ jobs:
fetch-depth: 0
- name: Lint Code Base
uses: github/super-linter@7d5dc989c55aaba9d3b7194a7496cdfaa4866af3
uses: github/super-linter@563be7dc5568017515b9e700329e9c6d3862f2b7
env:
DEFAULT_BRANCH: main
# Excludes:
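Review bot: pinning `github/super-linter` to a full commit SHA is the right choice, but the `uses:` line gives no hint which release the SHA corresponds to (the commit message says 4.8.3 to 4.8.4). Append a trailing comment such as `# v4.8.4` to the `uses:` line so that reviewers of this and future Dependabot bumps can check the SHA against the release tag without opening the upstream repository.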


@ -22,10 +22,12 @@ manager, please consider supporting the following interfaces.
(that file overrides whatever is pre-initialized by the container manager).
2. Make sure to pre-mount `/proc/`, `/sys/`, and `/sys/fs/selinux/` before
invoking systemd, and mount `/proc/sys/`, `/sys/`, and `/sys/fs/selinux/`
read-only in order to prevent the container from altering the host kernel's
configuration settings. (As a special exception, if your container has
network namespaces enabled, feel free to make `/proc/sys/net/` writable).
invoking systemd, and mount `/sys/`, `/sys/fs/selinux/` and `/proc/sys/`
read-only (the latter via e.g. a read-only bind mount on itself) in order
to prevent the container from altering the host kernel's configuration
settings. (As a special exception, if your container has network namespaces
enabled, feel free to make `/proc/sys/net/` writable. If it also has user, ipc,
uts and pid namespaces enabled, the entire `/proc/sys` can be left writable).
systemd and various other subsystems (such as the SELinux userspace) have
been modified to behave accordingly when these file systems are read-only.
(It's OK to mount `/sys/` as `tmpfs` btw, and only mount a subset of its
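Review bot: the added sentence "If it also has user, ipc, uts and pid namespaces enabled, the entire `/proc/sys` can be left writable" states the exception without its reason, while the commit message has it (with user and network namespaces enabled the kernel exposes the global keys read-only and only the namespaced ones writable to the guest); a half-sentence to that effect in the document itself would let container authors judge which of the listed namespaces actually carry the guarantee. The parenthetical "a read-only bind mount on itself" could also spell out that the bind mount has to be remounted read-only, since a plain bind mount on its own keeps the source's writable flag.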