Commit

[READY TO SHIP] - Dependabot Updates now can keep Github Actions reusable workflows up to date - [GA] (github#35285)
mchammer01 authored Mar 9, 2023
1 parent bfa53c0 commit 4daf584
Showing 4 changed files with 21 additions and 3 deletions.
Expand Up @@ -190,6 +190,12 @@ You can help mitigate this risk by following these good practices:

The same principles described above for using third-party actions also apply to using third-party workflows. You can help mitigate the risks associated with reusing workflows by following the same good practices outlined above. For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)."

{% ifversion not ghae %}
## Using {% data variables.product.prodname_dependabot_version_updates %} to keep actions up to date

You can use {% data variables.product.prodname_dependabot_version_updates %} to ensure that references to actions{% ifversion dependabot-updates-actions-reusable-workflows %} and reusable workflows{% endif %} used in your repository are kept up to date. Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. {% data variables.product.prodname_dependabot_version_updates %} take the effort out of maintaining your dependencies as {% data variables.product.prodname_dependabot %} does this automatically for you. For more information, see "[AUTOTITLE](/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)."
{% endif %}

{% ifversion required-workflows %}

## Required workflows
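Review bot: the new section says references are "kept up to date" but does not tell readers of this hardening page what that means for actions pinned to a commit SHA; if the good practices above include pinning to a full-length commit SHA, one sentence stating that version updates also cover SHA-pinned references (please confirm before adding) would tie this section to that advice, and the companion page changed in this commit already describes the reference as "typically a version number or commit identifier". Also, the sentence "Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer." is repeated verbatim in the second file of this commit (the page linked here as keeping-your-actions-up-to-date-with-dependabot); consider moving it to a reusable or dropping it from one of the two places.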
Expand Up @@ -25,8 +25,15 @@ shortTitle: Auto-update actions

## About {% data variables.product.prodname_dependabot_version_updates %} for actions

Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions)."

Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file{% ifversion dependabot-updates-actions-reusable-workflows %} and reusable workflows used inside workflows{% endif %} are kept up to date.

For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[AUTOTITLE](/actions/learn-github-actions)."

{% ifversion dependabot-updates-actions-reusable-workflows %}
{% data variables.product.prodname_dependabot %} also checks workflow files for uses of reusable workflows, and updates the git reference for these called reusable workflows. For more information about reusable workflows, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)."

{% endif %}

{% data reusables.actions.workflow-runs-dependabot-note %}

## Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions
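Review bot: the sentence "For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference" was left unchanged while the paragraph above it now also mentions reusable workflows, so the description of what is checked lags the new scope; either generalise it ("For each action or reusable workflow referenced in the file, ...") or drop the reusable-workflow mention from the first paragraph and leave it to the dedicated `{% ifversion dependabot-updates-actions-reusable-workflows %}` block below, which already says the same thing. Two smaller points: "reusable workflows used inside workflows" reads awkwardly (suggest "reusable workflows called from those workflows"), and the blank line before `{% endif %}` is inconsistent with the opening `{% ifversion %}` tag, which sits directly above its content.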
@@ -0,0 +1,5 @@
# Reference: Issue #9693 - Dependabot Updates now can keep Github Actions reusable workflows up to date - [GA]
versions:
fpt: '*'
ghec: '*'
ghes: '>3.8'
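Review bot: `ghes: '>3.8'` excludes every 3.8.x release, so the feature only renders for GHES 3.9 and later; please confirm that is the intended version, because the range is easy to misread as "from 3.8 onwards". Also confirm that this new file's name matches the flag referenced in the other two files, `dependabot-updates-actions-reusable-workflows`, since `{% ifversion %}` tags resolve by the feature file's name and the path is not shown in this hunk. The absence of a `ghae` key here makes the `{% ifversion not ghae %}` wrapper in the security-hardening change redundant for the reusable-workflow text, which is harmless but worth knowing.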
2 changes: 1 addition & 1 deletion data/reusables/actions/workflow-runs-dependabot-note.md
@@ -1,7 +1,7 @@
{% ifversion fpt or ghec %}
{% note %}

**Note:** Workflow runs triggered by {% data variables.product.prodname_dependabot %} pull requests run as if they are from a forked repository, and therefore use a read-only `GITHUB_TOKEN`. These workflow runs cannot access any secrets. See ["Keeping your GitHub Actions and workflows secure: Preventing pwn requests"](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) for strategies to keep these workflows secure.
**Note:** Workflow runs triggered by {% data variables.product.prodname_dependabot %} pull requests run as if they are from a forked repository, and therefore use a read-only `GITHUB_TOKEN`. These workflow runs cannot access any secrets. For information about strategies to keep these workflows secure, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions)."

{% endnote %}
{% endif %}
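Review bot: the replaced link loses the specific topic it named ("Preventing pwn requests"), and the new AUTOTITLE link points at the whole security-hardening guide; if that guide has a section covering the risks the Security Lab article describes, link to that section's anchor, or keep the Security Lab article as a second reference, so readers of this note land on the relevant strategies rather than the top of a long page. The wording of the note itself is otherwise unchanged, which is fine.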

0 comments on commit 4daf584
