Contributor

Copilot AI commented Dec 2, 2025

Description

Resolves issue where dependabot only updates GitHub Actions in main branch workflows, but many workflows run on other maintained branches.

Changes:

  • Added GitHub Actions dependabot entries for 2.x, 2.14.x, 3.0.x, 3.1.x branches
  • Each entry includes daily schedule, 5-day cooldown, and branch-specific labels
  • Explicitly set target-branch: main on existing GitHub Actions entry for clarity

Note: Dependabot reads configuration from the default branch only. The target-branch setting controls which branches receive update PRs. No changes needed in other branches.

Release notes

Related issues

Closes #4854 follow-up task

How to test

  1. Review .github/dependabot.yml - verify entries exist for all target branches
  2. After merge, monitor for dependabot PRs targeting non-main branches
  3. Verify PRs include appropriate branch-specific labels

Types of changes

Arizona Quickstart (install profile, custom modules, custom theme)

  • Patch release changes
    • Bug fix
    • Accessibility, performance, or security improvement
    • Critical institutional link or brand change
    • Adding experimental module
    • Update experimental module
  • Minor release changes
    • New feature
    • Breaking or visual change to existing behavior
    • Upgrade experimental module to stable
    • Enable existing module by default or database update
    • Non-critical brand change
    • New internal API or API improvement with backwards compatibility
    • Risky or disruptive cleanup to comply with coding standards
    • High-risk or disruptive change (requires upgrade path, risks regression, etc.)
  • Other or unknown
    • Other or unknown

Drupal core

  • Patch release changes
    • Security update
    • Patch level release (non-security bug-fix release)
    • Patch removal that's no longer necessary
  • Minor release changes
    • Major or minor level update
  • Other or unknown
    • Other or unknown

Drupal contrib projects

  • Patch release changes
    • Security update
    • Patch or minor level update
    • Add new module
    • Patch removal that's no longer necessary
  • Minor release changes
    • Major level update
  • Other or unknown
    • Other or unknown

Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • My change requires release notes.

Original prompt

This section details the original issue you should resolve

<issue_title>Expand dependabot config for GitHub actions</issue_title>
<issue_description><!--
⚠️ Public content warning ⚠️
Issues created in this repository will be publicly available on the Internet. Please do not include any sensitive or internal information in your issue.

🔒 Reporting security vulnerabilities 🔒
Do not create issues about security vulnerabilities. Please consult our security policy for instructions about how to safely report a security issue: https://github.com/az-digital/az_quickstart/security/policy
-->

Motivation

We recently made some changes to our dependabot configuration for GitHub Actions in #4854:

  • Pin GitHub actions to specific releases/revisions
  • Enable cooldown period for GitHub Actions updates

Since then we've noticed that, because many of our workflows are run on branches other than main, we should enable dependabot to update those workflows in our other maintained branches as well.

Proposed Resolution

Enable GitHub Actions updates for additional target branches (not just main):

  • 2.x development branch
  • Active release branches: 2.14.x, 3.0.x, 3.1.x</issue_description>

<agent_instructions>- Update dependabot configuration to enable GitHub actions updates for the additional target branches identified in the issue description.

  • Determine if the dependabot configuration file needs to be updated in the target branches as well in order for these changes to take effect. Please create additional PRs for the other target branches if so.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: joeparsons <471936+joeparsons@users.noreply.github.com>
@joeparsons
Member

@copilot, upon further review, it seems that only the ci and create-release workflows are ever really run on branches other than main so we should only need dependabot to update those specific workflows for other target branches.

Co-authored-by: joeparsons <471936+joeparsons@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Expand dependabot config for GitHub actions" to "Expand dependabot config for GitHub Actions across maintained branches" Dec 2, 2025
Copilot AI requested a review from joeparsons December 2, 2025 18:52
@joeparsons
Member

@copilot, upon further review, it seems that only the ci and create-release workflows are ever really run on branches other than main so we should only need dependabot to update those specific workflows for other target branches.

@copilot please update the configuration to only apply updates to the specific workflows mentioned for the additional target branches

Contributor Author

Copilot AI commented Dec 2, 2025

@copilot, upon further review, it seems that only the ci and create-release workflows are ever really run on branches other than main so we should only need dependabot to update those specific w...

Unfortunately, dependabot's github-actions ecosystem doesn't support file-level filtering - it operates at the directory level (.github/workflows/). When targeting a branch, it checks all workflow files in that branch.

The current configuration is correct for the constraint. In practice, dependabot will update all workflows in each target branch, but only the updates to ci.yml and create-release.yml will be meaningful since those are the only workflows that run on those branches. Updates to other workflows will be harmless but less relevant.

If you'd prefer a different approach, we could consider:

  1. Keep current config (cleanest, ensures all workflows stay updated)
  2. Remove target branches for 2.14.x, 3.0.x, 3.1.x and only keep 2.x (reduces PR volume)
  3. Accept manual updates for non-main branches

Let me know your preference.

Contributor Author

Copilot AI commented Dec 2, 2025

@copilot, upon further review, it seems that only the ci and create-release workflows are ever really run on branches other than main so we should only need dependabot to update those specific...

I've researched all available options, but dependabot's github-actions ecosystem doesn't provide a mechanism to target specific workflow files. The available configuration options are:

  1. directory - works at folder level only (would require reorganizing workflows into subdirectories)
  2. ignore - only filters by action name (e.g., actions/checkout), not workflow files

The most practical options are:

  1. Keep current config - Dependabot updates all workflows, but only ci.yml and create-release.yml matter for these branches
  2. Remove release branch targets - Only configure main and 2.x to reduce PR volume
  3. Restructure workflows - Move ci.yml and create-release.yml to a subdirectory (significant change)

Would you like me to implement option #2 (remove 2.14.x, 3.0.x, 3.1.x targets) as the best compromise?
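
A check for step 1 of "How to test" (one github-actions entry per maintained branch, daily schedule, 5-day cooldown, labels), as an added example that is not part of this PR or the project's code. The sample config, its label names, `DEFAULT_BRANCH` and `audit_actions_coverage` are constructed for illustration; the branch list and policy values come from the PR description.

```ruby
require "yaml"

# Policy values taken from the PR description above.
REQUIRED_BRANCHES = %w[main 2.x 2.14.x 3.0.x 3.1.x].freeze
MIN_COOLDOWN_DAYS = 5
DEFAULT_BRANCH = "main" # assumption: entries without target-branch apply to main

# Constructed sample, not the repository's real .github/dependabot.yml.
# Label names are placeholders; three policy gaps are planted on purpose.
SAMPLE_CONFIG = <<~YAML
  version: 2
  updates:
    - {package-ecosystem: github-actions, directory: "/", target-branch: "main",
       schedule: {interval: daily}, cooldown: {default-days: 5}, labels: [example-main]}
    - {package-ecosystem: github-actions, directory: "/", target-branch: "2.x",
       schedule: {interval: daily}, cooldown: {default-days: 5}, labels: [example-2.x]}
    - {package-ecosystem: github-actions, directory: "/", target-branch: "2.14.x",
       schedule: {interval: daily}, labels: [example-2.14.x]}
    - {package-ecosystem: github-actions, directory: "/", target-branch: "3.0.x",
       schedule: {interval: weekly}, cooldown: {default-days: 5}, labels: [example-3.0.x]}
    - {package-ecosystem: composer, directory: "/", target-branch: "3.1.x",
       schedule: {interval: daily}, labels: [example-3.1.x]}
YAML

# Returns findings in branch order; an empty list means the policy is met.
def audit_actions_coverage(yaml_text, required = REQUIRED_BRANCHES)
  updates = YAML.safe_load(yaml_text).fetch("updates", [])
  by_branch = updates.select { |u| u["package-ecosystem"] == "github-actions" }
                     .group_by { |u| (u["target-branch"] || DEFAULT_BRANCH).to_s }
  required.flat_map do |branch|
    entries = by_branch[branch]
    next ["#{branch}: no github-actions entry"] unless entries
    entries.flat_map do |e|
      issues = []
      days = e.dig("cooldown", "default-days").to_i # missing cooldown counts as 0
      issues << "#{branch}: schedule is not daily" unless e.dig("schedule", "interval") == "daily"
      issues << "#{branch}: cooldown below #{MIN_COOLDOWN_DAYS} days" if days < MIN_COOLDOWN_DAYS
      issues << "#{branch}: no labels" if Array(e["labels"]).empty?
      issues
    end
  end
end

puts audit_actions_coverage(SAMPLE_CONFIG) if __FILE__ == $PROGRAM_NAME
```

Because Dependabot reads the file from the default branch only, running this against the default branch's `.github/dependabot.yml` is sufficient; an entry for another ecosystem on a branch (the `composer` line for 3.1.x) does not count as Actions coverage.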

@joeparsons added the ci, dependencies and enhancement labels Dec 2, 2025

Labels

  • ci: Continuous integration / automation
  • dependencies: Pull requests that update a dependency file
  • enhancement: New feature or request

Development

Successfully merging this pull request may close these issues.

Expand dependabot config for GitHub actions

2 participants