gh-109110: Hash-pin GitHub Actions by pnacht · Pull Request #109111 · python/cpython


It's not visible in the PR diff, but the start of this block in the dependabot.yml file declares it's only for GitHub Actions.

There is another block with - package-ecosystem: pip which handles version bumps for Python dependencies, but it's actually only looking at the /Tools/ directory. And that block doesn't have an ignore field, so CPython is currently receiving minor and patch version bumps for those dependencies (example).

However, Doc/requirements.txt is currently ignored by dependabot version bumps. (But it still receives security updates whenever a dependency has a vulnerability).
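The dependabot.yml layout the comment describes, reconstructed here as an added illustration rather than CPython's actual file; the schedule values and the exact update-types ignored in the GitHub Actions block are assumptions.

```yaml
# Illustrative dependabot.yml (added example, not CPython's own file).
version: 2
updates:
  # The block the PR diff touches: it covers only GitHub Actions, so the
  # hash-pinned action SHAs (and the version comment beside them) that the
  # PR introduces are the dependencies Dependabot will keep bumping here.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"   # assumed value
    ignore:
      # Assumed: skip minor/patch bumps for every action; major bumps
      # still open PRs, so pins do not silently rot but noise stays low.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"

  # Separate block for Python dependencies. It only scans /Tools/, and
  # because it has no ignore field it opens PRs for minor and patch
  # bumps as well as major ones.
  - package-ecosystem: "pip"
    directory: "/Tools/"
    schedule:
      interval: "monthly"   # assumed value

  # Doc/requirements.txt is not listed, so it receives no version bumps
  # from Dependabot (security updates are driven separately and still
  # arrive). A third block with directory: "/Doc/" would bring it under
  # regular version updates too.
```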