Main Branch

Fundamentals first, always

Issue #18

🔄 Main Branch: The One Where Your Hooks Update Themselves

By Andrea Griffiths
dependabot pre-commit oidc github-actions

Hiya friends,

March is moving fast. Two solid things shipped this week. Neither has anything to do with AI. Both will save you headaches.

You already trust Dependabot to keep your npm packages and Actions versions fresh. But your pre-commit hooks? You’ve been on your own. Until now.

🚢 What shipped

Dependabot now supports pre-commit hooks (GA)

If you use pre-commit, you know the pattern. Someone runs pre-commit autoupdate once. Nobody does it again. Six months later the linter hook is ancient and the team has normalized the pain.

Dependabot now supports pre-commit hook updates as a first-class ecosystem. That means it can watch your .pre-commit-config.yaml, detect when your rev pins are behind, and open PRs automatically.

Add this to dependabot.yml:

version: 2
updates:
  - package-ecosystem: "pre-commit"
    directory: "/"
    schedule:
      interval: "weekly"

What I like about the implementation:

  • It keeps your YAML formatting intact.
  • PRs include release notes, so you can actually review what changed.
  • Grouped updates are supported, which matters when your hook list is long.
  • local and meta hooks are skipped automatically.
  • It works even when hooks are hosted outside GitHub.

Net effect: your repo stops depending on somebody’s memory to stay current. Read more on the changelog.

GitHub Actions OIDC tokens can include repository custom properties (Public Preview)

OIDC for GitHub Actions is already the cleanest way to authenticate workflows into cloud providers without long-lived secrets. The hard part is always policy sprawl.

GitHub is rolling out a public preview that lets you include repository custom properties as claims in Actions OIDC tokens. The platform shape is the interesting part:

  • An org admin defines what gets emitted.
  • Repos set property values.
  • Tokens carry those attributes.
  • Cloud trust policies filter on the attributes.

If you’re implementing this, start from the official OIDC docs and the OIDC customization REST endpoints.
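To make the "trust policies filter on the attributes" step concrete, here is an added example (not GitHub's or any cloud provider's code) that evaluates an AWS IAM-style Condition block against the claims of a decoded Actions OIDC token. The `sub`, `repository_owner`, `ref` and `aud` claims are real GitHub OIDC claims; the custom-property claim name `custom_properties.environment` and the org/repo names are assumptions made up for the example.

```python
import fnmatch

ISSUER = "token.actions.githubusercontent.com"

# Constructed claims from a decoded (already signature-verified) token.
# "custom_properties.environment" is an ASSUMED claim name for the example.
SAMPLE_CLAIMS = {
    "iss": "https://" + ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:octo-org/payments:ref:refs/heads/main",
    "repository_owner": "octo-org",
    "ref": "refs/heads/main",
    "custom_properties.environment": "production",
}

# Constructed trust-policy Condition block: instead of listing every repo,
# it admits any octo-org repo on main whose custom property says production.
SAMPLE_CONDITION = {
    "StringEquals": {
        f"{ISSUER}:aud": "sts.amazonaws.com",
        f"{ISSUER}:custom_properties.environment": "production",
    },
    "StringLike": {f"{ISSUER}:sub": "repo:octo-org/*:ref:refs/heads/main"},
}


def evaluate_condition(condition: dict, claims: dict) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Deny by default: every test must pass,
    a missing claim fails, and unknown operators or providers fail."""
    failures = []
    for operator, tests in condition.items():
        for key, expected in tests.items():
            provider, _, claim = key.partition(":")
            if provider != ISSUER:
                failures.append(f"unexpected provider in key {key!r}")
                continue
            actual = claims.get(claim)
            if actual is None:
                failures.append(f"claim {claim!r} missing from token")
                continue
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":  # IAM wildcards: * and ? only
                ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            else:
                failures.append(f"unsupported operator {operator!r}")
                continue
            if not ok:
                failures.append(f"{operator} failed on {claim!r}: {actual!r}")
    return (not failures, failures)
```

Tokens that carry `environment: staging`, or that lack the property claim entirely because the org never emitted it, are denied with a reason you can log.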

📖 What I’m Reading

Die with Zero by Bill Perkins. The OctoVets book club pick this month. Perkins argues that most disciplined savers — engineers especially — spend their healthiest years accumulating money they never fully use. His central idea: a dollar spent on an experience at 30 generates decades of memories. The same dollar at 75? Barely moves the needle. He calls this the “memory dividend.” I find myself torn on this one. I’m working hard to give my kids experiences and to pay the bills. The framework is useful, but Perkins writes from a position of already having millions, which definitely colors his “just spend it” advice.

Worth your time if: you’re the type who needs permission to enjoy the money you’ve earned while you’re young enough to actually enjoy it.

🔧 What I’m Using

TRMNL: a small e-ink display that cycles through black-and-white feeds. GitHub commit graph, weather, custom dashboards. No notifications, no color, no dopamine tricks. Just calm data on your desk. I’ve had it on my desk a couple of days and I already get the hype.

✨ This Week

I blinked and it’s spring. I’ve mapped out my work travel for the year now and made a conscious effort to not overcommit. You know that meme about waiting for things to slow down? They never do. So I’m trying to be more present, more mindful, and not let the year just skip ahead. If you’re feeling the same pull — maybe this is your sign to look at your calendar and protect some empty space.

That’s it: your hooks deserve the same attention as your packages.

With gratitude, I’ll see you next week,

Andrea

📌 P.S. GitHub’s CTO Vlad Fedorov wrote about why availability has been rough lately and what the team is doing to fix it. No spin, just the plan. Worth a read.

🇨🇴 Read the newsletter in Spanish.