
ci: track GitHub Actions versions with Dependabot #3780

Merged
ryota-murakami merged 1 commit into main from chore/dependabot-github-actions on May 28, 2026

Conversation


@ryota-murakami ryota-murakami commented May 28, 2026

What

Add a github-actions ecosystem to Dependabot so GitHub Actions versions are tracked and bumped automatically.

Why

Dependabot only watched the npm ecosystem. GitHub Actions majors (actions/checkout@v4, setup-node@v4, upload-artifact@v4, pnpm/action-setup@v4) and the SHA-pinned actions (appleboy/ssh-action, appleboy/scp-action, actions/download-artifact, plus a few SHA-pinned checkout/upload calls) received no update PRs and were silently going stale — including the Node 24 runtime migration (v4 actions still run on Node 20).

What changes

  • New github-actions entry: directory: /, daily schedule, open-pull-requests-limit: 10.
  • Grouped into a single PR (groups.github-actions.patterns: ['*']), mirroring the existing npm all-dependencies group, to keep PR noise low.
  • Covers .github/workflows/* and the local composite action under .github/actions/.

Impact

  • No production impact — deploy triggers only on push to main; this is config-only.
  • Expect Dependabot to open one grouped action-bump PR on its next daily run (likely v4->v5 / Node 24 runtime bumps + SHA refreshes), which you review like any other.

Test

  • `python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml'))"` -> YAML OK, ecosystems ['npm', 'github-actions'].

Summary by CodeRabbit

  • Chores
    • Updated automated dependency management to regularly check and update GitHub Actions dependencies.

Review Change Stack

Dependabot only watched the npm ecosystem, so GitHub Actions versions
(actions/checkout@v4, setup-node@v4, upload-artifact@v4) and the
SHA-pinned ssh/scp/download-artifact actions never received update PRs
and silently went stale. Add a github-actions ecosystem entry
(directory /, daily, grouped into a single PR) so v4->v5 / Node 24
runtime bumps and SHA refreshes land as reviewable PRs.
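
An added example (not the project's code) of the inventory a reviewer would run over the workflows this config starts tracking: it lists every `uses:` reference and classifies it as tag-pinned, SHA-pinned, local or docker, the pin styles the description distinguishes. The workflow text, action names and SHAs are constructed placeholders.

```python
"""Inventory `uses:` references in GitHub workflow and composite-action files and
classify how each one is pinned (added example, not the project's code)."""
from __future__ import annotations
import re
from typing import NamedTuple

# Constructed sample workflow modelled on the actions named in the PR; the SHAs
# are placeholder hex, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: appleboy/ssh-action@89abcdef0123456789abcdef0123456789abcdef # v1
      - uses: ./.github/actions/setup   # local composite action, no version ref
      - uses: docker://alpine:3.20
"""

class ActionRef(NamedTuple):
    action: str  # "owner/repo", local path, or docker:// image
    ref: str     # tag or commit SHA after "@" (empty for local/docker)
    pin: str     # "sha" | "tag" | "local" | "docker"

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")

def inventory(text: str) -> list[ActionRef]:
    """Return every `uses:` reference in the file, in order of appearance."""
    refs = []
    for match in USES_RE.finditer(text):
        spec = match.group(1)
        if spec.startswith(("./", "../")):
            refs.append(ActionRef(spec, "", "local"))
        elif spec.startswith("docker://"):
            refs.append(ActionRef(spec, "", "docker"))
        else:
            action, _, ref = spec.partition("@")
            refs.append(ActionRef(action, ref, "sha" if SHA40_RE.match(ref) else "tag"))
    return refs

def tag_pinned_third_party(refs: list[ActionRef], trusted=("actions/", "github/")) -> list[ActionRef]:
    """Mutable tag refs outside the trusted orgs: candidates for SHA pinning, which Dependabot then refreshes."""
    return [r for r in refs if r.pin == "tag" and not r.action.startswith(trusted)]
```

Run it over each file under .github/workflows/ and .github/actions/ to see which references Dependabot's github-actions ecosystem will be bumping and which are still on mutable tags.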

coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c3012cb6-a87d-42ba-a501-d9dff7972c19

📥 Commits

Reviewing files that changed from the base of the PR and between 71f4dc0 and 2e9a813.

📒 Files selected for processing (1)
  • .github/dependabot.yml

📝 Walkthrough

Walkthrough

Adds GitHub Actions update configuration to Dependabot, enabling automated daily checks for GitHub Actions versions and SHA updates. All action version bumps are grouped into a single pull request with a 10 PR limit per directory.

Changes

Dependabot Configuration

Layer: GitHub Actions update configuration
File(s): .github/dependabot.yml
Summary: Adds a github-actions ecosystem update rule to Dependabot with daily schedule, PR grouping, and configuration to prevent GitHub Actions versions from going stale.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit hops through workflows bright,
No more stale actions in the night!
Dependabot springs to action fast,
GitHub versions won't go past,
Bundled updates, clean and tight!

🚥 Pre-merge checks: ✅ 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: track GitHub Actions versions with Dependabot' directly and accurately summarizes the main change: adding Dependabot tracking for GitHub Actions versions in the CI configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@ryota-murakami ryota-murakami merged commit ba65789 into main May 28, 2026
8 checks passed
@ryota-murakami ryota-murakami deleted the chore/dependabot-github-actions branch May 28, 2026 06:52