Without Dependabot configured for the github-actions ecosystem, your action version pins (both tags and SHAs) go stale: you miss security patches and bug fixes, and the SHA pins that keep you protected against tag-hijacking attacks are never refreshed to the patched releases.
Add a Dependabot configuration:

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```
Dependabot automates the otherwise tedious process of keeping SHA pins current, ensuring your workflows get security updates promptly.
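As an added example (not part of the original page, and not Dependabot's own code), a stdlib-only Python check that reports how each remote action in a workflow is pinned and whether a dependabot.yml covers the github-actions ecosystem; the sample workflow, the commit SHA inside it, and the sample dependabot.yml are all constructed for illustration.

```python
import re

# Constructed sample workflow: one tag pin, one SHA pin (placeholder SHA),
# plus a local action and a docker ref that are not Dependabot-managed.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Constructed dependabot.yml that only covers npm, so action pins would go stale.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_pins(workflow_text):
    """Return (ref, kind) for every remote `uses:` step.

    kind is 'sha' for a full 40-hex commit pin and 'tag' for anything else;
    local (./) and docker:// references are skipped since Dependabot does not bump them.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        out.append((ref, "sha" if SHA_RE.match(version) else "tag"))
    return out


def dependabot_covers_actions(dependabot_text):
    """True if some `updates:` entry targets the github-actions ecosystem."""
    return any(re.match(r"^\s*-?\s*package-ecosystem:\s*['\"]?github-actions", l)
               for l in dependabot_text.splitlines())
```

Run `classify_pins` over each file under `.github/workflows/` and pair it with `dependabot_covers_actions` on `.github/dependabot.yml` to flag repositories whose SHA pins have no automated refresh.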