build(deps): bump peter-evans/repository-dispatch from 1 to 2 #1586

Merged

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Feb 21, 2023

Bumps peter-evans/repository-dispatch from 1 to 2.

Release notes

Sourced from peter-evans/repository-dispatch's releases.

Repository Dispatch v2.0.0

What's New

  • Updated runtime to Node.js 16
    • The action now requires a minimum version of v2.285.0 for the Actions Runner.
    • If using GitHub Enterprise Server, the action requires GHES 3.4 or later.

What's Changed

Full Changelog: peter-evans/repository-dispatch@v1.1.3...v2.0.0

Repository Dispatch v1.1.3

  • Improved error message for 404 errors. These errors can also be a result of insufficient token permissions.

Repository Dispatch v1.1.2

  • Dependency updates

Repository Dispatch v1.1.1

  • Dependency updates

Repository Dispatch v1.1.0

  • Converted action to Typescript
  • Minor improvements

Repository Dispatch v1.0.1

  • Dependency updates

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [peter-evans/repository-dispatch](https://github.com/peter-evans/repository-dispatch) from 1 to 2.
- [Release notes](https://github.com/peter-evans/repository-dispatch/releases)
- [Commits](peter-evans/repository-dispatch@v1...v2)

---
updated-dependencies:
- dependency-name: peter-evans/repository-dispatch
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner February 21, 2023 09:47
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 21, 2023

codecov bot commented Feb 21, 2023

Codecov Report

Merging #1586 (54b76a2) into main (028bfce) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1586   +/-   ##
=======================================
  Coverage   81.78%   81.78%           
=======================================
  Files         158      158           
  Lines       14759    14759           
=======================================
  Hits        12071    12071           
  Misses       2264     2264           
  Partials      424      424           
Flag Coverage Δ
unittests 81.78% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@dimakis dimakis left a comment

I'd recommend pinning the SHA of any external actions.

@machi1990

> I'd recommend pinning the SHA of any external actions.

+1, this can be addressed separately. Do you @dimakis or @jackdelahunt see any issue with this update? It's the one used to notify the SDK repo of the changes.

@miguelsorianod

> I'd recommend pinning the SHA of any external actions.

What is the reason for it? I am trying to understand the issue. Dependabot will notify about new changes on them but not automatically upgrade them unless we approve it

@jackdelahunt

jackdelahunt commented Feb 23, 2023

> What is the reason for it? I am trying to understand the issue. Dependabot will notify about new changes on them but not automatically upgrade them unless we approve it

I think this is mentioning the same issues as this PR noted. Even though the version may stay the same things can change.

@miguelsorianod

miguelsorianod commented Feb 23, 2023

> What is the reason for it? I am trying to understand the issue. Dependabot will notify about new changes on them but not automatically upgrade them unless we approve it
>
> I think this is mentioning the same issues as this PR noted. Even though the version may stay the same things can change.

What would be the criteria then to decide if an action is trusted or not?
As a side note, if we decide that an action is not trusted then we would pin to the SHA. Which means we would never use the automated updates provided by dependabot.

@dimakis

dimakis commented Feb 23, 2023

> What is the reason for it? I am trying to understand the issue. Dependabot will notify about new changes on them but not automatically upgrade them unless we approve it
>
> I think this is mentioning the same issues as this PR noted. Even though the version may stay the same things can change.
>
> What would be the criteria then to decide if an action is trusted or not? As a side note, if we decide that an action is not trusted then we would pin to the SHA. Which means we would never use the automated updates provided by dependabot.

In the RedHat-developer org we are moving towards trusting GH actions and companies like Docker etc. whilst any solo contributor's action would be a pinned SHA, it comes on advice from the prod sec team
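
The policy discussed in this thread (tag references accepted for GitHub-owned and large-vendor actions, a full commit SHA required for everything else) can be checked mechanically. The following is an added example, not part of the original conversation or the project's code; the `TRUSTED_OWNERS` allow-list, the `audit_workflow` helper, the `example-user` actions and the sample workflow are assumptions constructed for illustration.

```python
import re

# Assumed allow-list modelled on the thread: owners whose actions may be
# referenced by tag. Everything else must use a full 40-character commit SHA.
TRUSTED_OWNERS = {"actions", "github", "docker"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, trusted=TRUSTED_OWNERS):
    """Return (line_no, reference, reason) for each `uses:` that breaks the policy."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions (./path) and docker:// images are out of scope here.
        if ref.startswith(("./", "docker://")):
            continue
        target, _, version = ref.partition("@")
        owner = target.split("/")[0].lower()
        if FULL_SHA_RE.match(version):
            continue  # a full commit SHA cannot be moved the way a tag or branch can
        if owner in trusted:
            continue  # tag references are accepted for allow-listed owners
        reason = "no ref given" if not version else f"'{version}' is not a full commit SHA"
        findings.append((no, ref, reason))
    return findings


# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: peter-evans/repository-dispatch@v2
      - uses: example-user/some-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: abbreviated SHAs are rejected as well
        uses: example-user/other-action@0123456
"""

if __name__ == "__main__":
    for no, ref, reason in audit_workflow(SAMPLE):
        print(f"line {no}: {ref}: {reason}")
```

Keeping the tag as a trailing comment next to the SHA, as in the third step of the sample, leaves the pinned version readable during review.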

@dimakis

dimakis commented Feb 23, 2023

> I'd recommend pinning the SHA of any external actions.
>
> +1, this can be addressed separately. Do you @dimakis or @jackdelahunt see any issue with this update? It's the one used to notify the SDK repo of the changes.

I don't see any issue, but to be honest I don't know a whole lot about this 🤦

@machi1990

> I don't see any issue, but to be honest I don't know a whole lot about this 🤦

Thanks @dimakis. From looking at the changelog, it should be safe to merge.

@machi1990 machi1990 merged commit 7d8817c into main Feb 28, 2023
@machi1990 machi1990 deleted the dependabot/github_actions/peter-evans/repository-dispatch-2 branch February 28, 2023 12:26