How to Make Dependabot Update Actions Inside a Cookiecutter Template
If you maintain a Cookiecutter template that generates GitHub Actions workflows, you have a quiet problem: Dependabot keeps your outer repo's action SHAs current, but it completely ignores the template's workflows. The generated projects ship with whatever versions you happened to pin last.
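To make the gap visible, a drift check can compare the action pins in the outer repo's workflows with the pins in the template's workflows. This is an added example, not code from the original post; the `{{cookiecutter.project_slug}}` folder name, the workflow contents, and the SHAs are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# "uses: owner/repo[/path]@ref"; local (./...) and docker:// refs do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([\w.-]+)", re.M)


def collect_pins(workflow_dir):
    """Map each action name to the set of refs it is pinned to."""
    pins = {}
    for path in sorted(Path(workflow_dir).glob("*.y*ml")):
        # Line scan, not a YAML parser: template workflows can contain
        # Jinja ({% raw %} blocks) and need not be valid YAML before rendering.
        for action, ref in USES_RE.findall(path.read_text(encoding="utf-8")):
            pins.setdefault(action, set()).add(ref)
    return pins


def find_drift(root_dir, template_dir):
    """Return {action: (root_refs, template_refs)} where the pins differ."""
    root, tmpl = collect_pins(root_dir), collect_pins(template_dir)
    return {
        action: (sorted(root[action]), sorted(tmpl[action]))
        for action in sorted(root.keys() & tmpl.keys())
        if root[action] != tmpl[action]
    }


def demo():
    """Build a constructed repo layout in a temp dir and report drift."""
    old, new = "a" * 40, "b" * 40  # constructed placeholder SHAs, not real commits
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, ".github", "workflows")
        # Assumed template layout (hypothetical folder name).
        tmpl = Path(tmp, "{{cookiecutter.project_slug}}", ".github", "workflows")
        root.mkdir(parents=True)
        tmpl.mkdir(parents=True)
        (root / "ci.yml").write_text(
            f"steps:\n  - uses: actions/checkout@{new} # v4\n"
            f"  - uses: actions/setup-python@{new} # v5\n")
        (tmpl / "ci.yml").write_text(
            f"steps:\n  - uses: actions/checkout@{old} # v3\n"
            f"  - uses: actions/setup-python@{new} # v5\n"
            "    env:\n      TOKEN: {% raw %}${{ secrets.TOKEN }}{% endraw %}\n")
        return find_drift(root, tmpl)


if __name__ == "__main__":
    for action, (root_refs, tmpl_refs) in demo().items():
        print(f"{action}: outer repo {root_refs} vs template {tmpl_refs}")
```

Run in CI against the real directories, a non-empty result from `find_drift` is the signal that generated projects would ship older pins than the outer repo uses.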