Typeform · pannago · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
@@ -1,14 +1,41 @@
 version: 2
 
 updates:
-- package-ecosystem: github-actions
-  directory: "/"
-  schedule:
-    interval: weekly
-    day: sunday
-  groups:
-    dependencies:
-      patterns:
-        - "*"
-  commit-message:
-    prefix: fix(bot)
+  - package-ecosystem: npm
+    schedule:
+      interval: weekly
+      day: sunday
+    groups:
+      npm-dependencies:
+        patterns:
+          - "*"
+    directories:
+      - "/**/*"
+    commit-message:
+      prefix: fix(dependabot)
+
+  - package-ecosystem: github-actions
+    schedule:
+      interval: weekly
+      day: sunday
+    groups:
+      github-actions-dependencies:
+        patterns:
+          - "*"
+    # recursively check in all subdirectories, there are actions
+    # references that are not within the .github/ or other root folders
+    directories:
+      - "/**/*"
+    exclude-paths: # use .github-private workflows unaccessible to dependabot
+      - "reusable-workflows/frontend-pr-workflow/workflow.yml"
+      - ".github/workflows/frontend-deploy-workflow.yml"
+      - ".github/workflows/frontend-pr-workflow.yml"
+      - ".github/workflows/deep-purple-checks.yml"
+    ignore:
+      - dependency-name: "Typeform/ci-standard-checks"
+      # ignore dependencies from private repos. This alone does not prevent
+      # errors in dependabot, the "exclude-paths" is required as well
+      - dependency-name: "Typeform/.github-private/actions/aws-auth"
+      - dependency-name: "Typeform/deep-purple-action"
+    commit-message:
+      prefix: fix(dependabot)
@@ -24,7 +24,7 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: Check Out Source Code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - uses: actions/setup-node@v6

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - uses: go-semantic-release/action@v1
         with:

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Verify Jenkins credentials
         continue-on-error: false

@@ -248,8 +248,7 @@ on:
       slack-channel:
         description: 'Slack channel for deployment notifications (e.g., tfprod-deploy)'
         type: string
-        default: 'poc-tfprod-admin-deploy'
-
+        default: 'tfprod-deploy'
     secrets:
       GH_TOKEN:
         required: true
@@ -299,7 +298,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node with Cache
         uses: Typeform/.github/shared-actions/setup-node-with-cache@v1
@@ -347,7 +346,7 @@ jobs:
           echo "📋 Workflow version: ${{ env.WORKFLOW_VERSION }} (${{ env.WORKFLOW_FILE }})"
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: build-${{ github.run_id }}
           path: ${{ inputs.build-artifact-path || inputs.build-output-dir }}
@@ -363,7 +362,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Required for SonarCloud
 
@@ -397,7 +396,7 @@ jobs:
 
       - name: Upload coverage
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-${{ github.run_id }}
           path: coverage/
@@ -413,7 +412,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node with Cache
         uses: Typeform/.github/shared-actions/setup-node-with-cache@v1
@@ -460,7 +459,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: integration-test-results-${{ github.run_id }}
           path: playwright-report/
@@ -565,7 +564,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           token: ${{ secrets.GH_TOKEN }}
           fetch-depth: 0
@@ -674,10 +673,8 @@ jobs:
           slack-channel: ${{ inputs.slack-channel }}
           app-name: ${{ inputs.app-name }}
           deployment-status: ${{ needs.deploy.result }}
-          cdn-url: ${{ inputs.cdn-url }}
           github-sha: ${{ github.sha }}
           github-actor: ${{ github.actor }}
-          github-ref-name: ${{ github.ref_name }}
           github-repository: ${{ github.repository }}
           github-server-url: ${{ github.server_url }}
           github-run-id: ${{ github.run_id }}

@@ -82,7 +82,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Required for SonarCloud and semantic-release
 
@@ -113,7 +113,7 @@ jobs:
 
       - name: SonarCloud Scan
         if: inputs.run-sonarcloud
-        uses: SonarSource/sonarqube-scan-action@v6
+        uses: SonarSource/sonarqube-scan-action@v7
         with:
           args: >
             -Dsonar.projectKey=${{ inputs.sonar-project-key != '' && inputs.sonar-project-key || format('{0}_{1}', github.repository_owner, github.event.repository.name) }}

@@ -301,7 +301,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node with Cache
         uses: Typeform/.github/shared-actions/setup-node-with-cache@v1
@@ -359,7 +359,7 @@ jobs:
 
       - name: Upload build artifacts
         if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: build-${{ github.run_id }}
           path: ${{ inputs.build-artifact-path || inputs.build-output-dir }}
@@ -375,7 +375,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node with Cache
         uses: Typeform/.github/shared-actions/setup-node-with-cache@v1
@@ -407,7 +407,7 @@ jobs:
 
       - name: Upload coverage
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-${{ github.run_id }}
           path: coverage/
@@ -423,7 +423,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node with Cache
         uses: Typeform/.github/shared-actions/setup-node-with-cache@v1
@@ -470,7 +470,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: integration-test-results-${{ github.run_id }}
           path: playwright-report/
@@ -489,7 +489,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node with Cache
         uses: Typeform/.github/shared-actions/setup-node-with-cache@v1

@@ -54,10 +54,10 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Check out repository containing linter config
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: ${{ inputs.golangci-lint-config-repo }}
           ref: ${{ inputs.golangci-lint-config-repo-ref }}

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Node.js
         uses: actions/setup-node@v6

@@ -59,16 +59,16 @@ jobs:
     runs-on: [ "${{ inputs.runner }}" ]
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Set up QEMU
         if: ${{ contains(inputs.platforms, ',') }}
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
         with:
           image: 567716553783.dkr.ecr.us-east-1.amazonaws.com/docker-hub/tonistiigi/binfmt:latest
       - name: Set up Docker context for Buildx
         run: docker context create builders
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
         with:
           endpoint: builders
       - name: Set dev prefix on tag
@@ -78,7 +78,7 @@ jobs:
         if: ${{ inputs.prefix != '' }}
         run: echo "VERSION_PREFIX=$(echo ${{inputs.prefix}}-$VERSION_PREFIX)" >> $GITHUB_ENV
       - name: Build and push images
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           build-args: ${{ inputs.build-args }}
           context: ${{ inputs.context }}
@@ -95,7 +95,7 @@ jobs:
         run: echo "VERSION_LATEST=$(echo ${{inputs.prefix}}-$VERSION_LATEST)" >> $GITHUB_ENV
       - name: Push latest image
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           build-args: ${{ inputs.build-args }}
           context: ${{ inputs.context }}

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           # Checkout the Pull Request branch, so that we are not in a detached head state.
           # and can push the re-generated diagrams to the HEAD of the same branch.

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Update major version tag
         run: |
           git config --global user.email "security@typeform.com"

@@ -62,7 +62,7 @@ jobs:
 
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0  # Required for SonarCloud to analyze git history
 
@@ -77,14 +77,14 @@ jobs:
 
       - name: Download coverage artifacts
         if: inputs.coverage-artifact-name != ''
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: ${{ inputs.coverage-artifact-name }}
           path: coverage/
         continue-on-error: true
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@v6
+        uses: SonarSource/sonarqube-scan-action@v7
         with:
           args: >
             -Dsonar.projectVersion=${{ github.run_id }}

@@ -14,7 +14,7 @@ runs:
   steps:
     - name: Download build artifacts
       if: ${{ !env.ACT }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: ${{ inputs.artifact-name }}
         path: ${{ inputs.output-dir }}