The "distribution" for a GitHub Action is checked into the repository itself.
In the case of these actions, the transpiled sources are committed to the dist
directory.
Any production dependencies are inlined into the distribution.
So if a Dependabot PR updates a production dependency (or a dev dependency that changes the distribution, like the Typescript compiler),
then a manual step is required to rebuild the dist and commit.
The simplest process to follow is:
- Checkout the dependabot branch locally eg:
git checkout dependabot/npm_and_yarn/actions/github-5.1.0
- In the
sources
directory, runnpm install
to download NPM dependencies - In the
sources
directory, runnpm run build
to regenerate the distribution - Push the changes to the dependabot branch
- If/when the checks pass, you can merge the dependabot PR