
chore: pin third-party GitHub Actions to SHAs + enable Dependabot #112

Merged: mahangu merged 4 commits into main from chore/pin-and-enable-dependabot on Jun 7, 2026

Conversation

@mahangu (Contributor) commented May 31, 2026

Two-in-one hardening:

  1. Pin third-party GitHub Actions in this repo to commit SHAs (tag preserved as trailing comment).
  2. Add Dependabot github-actions config (weekly, grouped into actions-minor-patch and actions-major, with cooldown).

Tracking: DEVPROD-1072.
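As an added example (not the PR's own diff, which this page does not show), a `uses:` line pinned in the format the description calls for, followed by a `.github/dependabot.yml` using the two group names given above. The workflow excerpt, the `directory` value and the cooldown day counts are assumptions; the SHA and version label are the ones quoted in this PR's commit messages:

```yaml
# .github/workflows/ci.yml (excerpt; workflow and job names are constructed)
jobs:
  serialize:
    runs-on: ubuntu-latest
    steps:
      # Pinned to the full 40-character commit SHA, so a moved or
      # re-tagged v1 upstream cannot change what this job runs.
      # The tag survives only as a trailing comment; Dependabot reads it
      # to label the version it is bumping from and to.
      - uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 # v0.1.5
---
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"               # root means .github/workflows/*.yml is scanned
    schedule:
      interval: "weekly"
    groups:
      # Minor and patch bumps arrive as one grouped PR; majors as their own.
      actions-minor-patch:
        update-types: ["minor", "patch"]
      actions-major:
        update-types: ["major"]
    cooldown:
      # Day counts are assumed; the PR does not state the values it uses.
      default-days: 3
      semver-major-days: 14
```

On each bump Dependabot rewrites both the SHA and the `# vX.Y.Z` comment, which is why the commit messages below care that the label matches a real release tag.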

lastnode and others added 3 commits, May 31, 2026 15:54

Commit 1:

Hardens against supply-chain risk on mutable tags. Dependabot keeps
the pinned SHAs fresh weekly, with major bumps held under cooldown.

Tracking: DEVPROD-1072

Commit 2:

The SHA pin is correct (softprops/turnstyle@v1 dereferences to that
commit). pinact wrote # v0.1.5 because v1 and v0.1.5 share the same
underlying commit on this action; this changes the comment to reflect
the original intent (@v1) so reviewers and Dependabot see the right
version label.

Tracking: DEVPROD-1072

Commit 3:

softprops/turnstyle has not released past v0.1.5 (the v1 tag was last
moved in 2022; v1 and v0.1.5 are the SAME underlying commit). Use the
specific # v0.1.5 label so the version is explicit. SHA unchanged.

Verified via gh api: both refs/tags/v1 and refs/tags/v0.1.5 dereference
to commit 8db075d65b19bf94e6e8687b504db69938dc3c65.

Tracking: DEVPROD-1072
mahangu requested a review from jeherve, June 1, 2026 02:17

@mahangu (Contributor, Author) commented Jun 1, 2026

Note on the softprops/turnstyle version label: the workflow currently uses softprops/turnstyle@v1. Upstream v1 and v0.1.5 both resolve to the same commit, 8db075d65b19bf94e6e8687b504db69938dc3c65. This PR pins that exact existing commit and uses the more specific release label v0.1.5; it is not a downgrade or a behavior change from the current v1 ref.

mahangu merged commit e37c46a into main, Jun 7, 2026
3 checks passed