From e1a9ae853e05fa986d787749ef0bba369fd6fbc4 Mon Sep 17 00:00:00 2001
From: godofredoc
Date: Fri, 25 Feb 2022 17:15:18 -0800
Subject: [PATCH] Remove schedule runs of scorecards. (#38)
This will also add dependabot to auto update the workflows dependencies.
Bug: https://github.com/flutter/flutter/issues/99185
---
 impeller/.github/dependabot.yml | 16 ++++++++++++++++
 .../.github/workflows/scorecards-analysis.yml | 10 ++++------
 2 files changed, 20 insertions(+), 6 deletions(-)
 create mode 100644 impeller/.github/dependabot.yml
diff --git a/impeller/.github/dependabot.yml b/impeller/.github/dependabot.yml
new file mode 100644
index 0000000000000..7c509aff972c4
--- /dev/null
+++ b/impeller/.github/dependabot.yml
@@ -0,0 +1,16 @@
+# See Dependabot documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ reviewers:
+ - "hixie"
+ - "godofredoc"
+ labels:
+ - "team"
+ - "team: infra"
+ - "waiting for tree to go green"
diff --git a/impeller/.github/workflows/scorecards-analysis.yml b/impeller/.github/workflows/scorecards-analysis.yml
index 8f29792baba4b..4866e8dead094 100644
--- a/impeller/.github/workflows/scorecards-analysis.yml
+++ b/impeller/.github/workflows/scorecards-analysis.yml
@@ -2,8 +2,6 @@ name: Scorecards supply-chain security
 on:
 # Only the default branch is supported.
 branch_protection_rule:
- schedule:
- - cron: '37 18 * * 2'
 push:
 branches: [ main ]
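Review bot: In `dependabot.yml` the `labels` list puts `"waiting for tree to go green"` on every Dependabot pull request; if that label is what the merge automation acts on, each action bump is queued for merge as soon as it is approved and green. Because the workflow pins actions by commit hash, the review of that bump is the one point where someone checks the new hash against the upstream release, so I would drop `- "waiting for tree to go green"` here and let a reviewer add it by hand. Separately, Dependabot reads its configuration only from `.github/dependabot.yml` at the repository root, so at the path shown (`impeller/.github/`) this file takes effect only if `impeller/` is itself the root of the repository.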
@@ -22,12 +20,12 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@b614d455ee90608b5e36e3299cd50d457eb37d5f # v1.0.3
+ uses: ossf/scorecard-action@b614d455ee90608b5e36e3299cd50d457eb37d5f
 with:
 results_file: results.sarif
 results_format: sarif
@@ -42,7 +40,7 @@ jobs:
 # Upload the results as artifacts (optional).
 - name: "Upload artifact"
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
 with:
 name: SARIF file
 path: results.sarif
@@ -50,6 +48,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+ uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5
 with:
 sarif_file: results.sarif
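Review bot: Dropping the trailing `# v2.4.0` comment from the `actions/checkout` pin leaves a bare 40-character hash, so a reviewer can no longer tell from the file which release is pinned; the same applies to the `ossf/scorecard-action` line in this hunk and to the `actions/upload-artifact` and `github/codeql-action/upload-sarif` lines in the two later hunks. Keeping the hash pin is right, but I would retain the tag comment, e.g. `uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0`, so that an automated bump can be checked against the upstream tag it claims to correspond to. If the comments were removed because they would go stale after Dependabot updates, that reason is worth stating in the commit message. The `steps:` list begins and continues outside these hunks.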