
chore(deps): pin GitHub Actions to verified SHAs and refresh versions #122

Closed

dependabot[bot] wants to merge 2 commits into main from dependabot/github_actions/github-actions-ac25b41920

Conversation

@dependabot dependabot Bot commented on behalf of github Nov 25, 2025

Refreshes the github-actions dependencies to current stable releases, each pinned to the full commit SHA of its tag (verified against upstream) so the ref cannot be moved out from under us. All selected versions are >7 days old to avoid freshly-published compromised releases.

Action bumps

| Action | From | To | SHA |
| --- | --- | --- | --- |
| actions/checkout | v4.2.2 | v6.0.3 | df4cb1c |
| peter-evans/create-pull-request | v7.0.5 | v8.1.1 | 5f6978f |
| github/codeql-action | v3.28.0 | v4.36.2 | 8aad20d |
| softprops/action-gh-release | v2.2.0 | v3.0.0 | b430933 |
| pnpm/action-setup (composite) | v4.0.0 | v6.0.8 | 0e279bb |
| actions/setup-node (composite) | v4.1.0 | v6.4.0 | 48b55a0 |

Security review (SHA-level)

  • Every SHA verified against its exact upstream tag (annotated tags peeled to their commit).
  • 7-day cooldown enforced: checkout v7.0.0 (1 day old) and pnpm/action-setup v6.0.9 (3 days old) were too fresh, so fell back to v6.0.3 and v6.0.8 respectively.
  • Advisory scan: github/codeql-action v3.28.0 (current main) is in range of CVE-2025-24362 (token leak in debug artifacts, fixed in 3.28.3); v4.36.2 clears it. No advisories for the other five.
  • Fixed a misleading pin from the original dependabot branch: action-gh-release had a SHA that was actually v2.6.1 while the comment claimed v2.2.0. Comments now match SHAs everywhere.

All CI checks pass.
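The description above lists three checks that were done by hand for each pin: the ref is a full commit SHA, the SHA really is the commit the commented tag peels to, and the tag is older than the 7-day cooldown. The script below is an added example (not Dependabot's code and not part of this repository) that runs those same checks over a workflow file offline. The upstream index `UPSTREAM` is a constructed stand-in for what `git ls-remote --tags` would return (peeled `^{}` entries for annotated tags); its SHAs and dates are made up, and the sample workflow text is constructed to include one good pin, one pin that is too fresh, one whose comment claims a different tag than the SHA actually is (the action-gh-release case from the description), and one floating tag.

```python
"""Offline pin checker for GitHub Actions `uses:` references.

Flags refs that are not full commit SHAs, SHAs whose trailing version comment
does not match the tag they actually point at, and tags newer than a cooldown.
"""
import re
from datetime import date

# `uses: owner/repo[/subpath]@ref  # optional comment`. Local (`./...`) and
# `docker://` references have no `owner/repo@ref` form and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)(?:\s*#\s*(\S+))?",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed upstream index: (repo, tag) -> (commit the tag peels to, tag date).
# In practice build it from `git ls-remote --tags <url>`, taking the `^{}`
# (peeled) entry for annotated tags. SHAs and dates here are made up.
UPSTREAM = {
    ("actions/checkout", "v6.0.3"): ("a" * 40, date(2026, 3, 1)),
    ("actions/checkout", "v7.0.0"): ("b" * 40, date(2026, 3, 29)),
    ("softprops/action-gh-release", "v2.2.0"): ("c" * 40, date(2024, 12, 1)),
    ("softprops/action-gh-release", "v2.6.1"): ("d" * 40, date(2025, 6, 1)),
}


def tags_for_sha(upstream, repo, sha):
    """Reverse lookup: which tags of `repo` point at `sha`."""
    return sorted(tag for (r, tag), (s, _) in upstream.items() if r == repo and s == sha)


def check_pins(workflow_text, upstream=UPSTREAM, today=None, min_age_days=7):
    """Return a list of findings; an empty list means every pin passed."""
    today = today or date.today()
    findings = []
    for action, ref, comment in USES_RE.findall(workflow_text):
        repo = "/".join(action.split("/")[:2])  # github/codeql-action/init -> github/codeql-action
        short = ref[:7]
        if not SHA_RE.match(ref):
            findings.append(f"{action}@{ref}: not pinned to a full commit SHA")
            continue
        if not comment:
            findings.append(f"{action}@{short}: no version comment, cannot tell which tag it pins")
            continue
        entry = upstream.get((repo, comment))
        if entry is None:
            findings.append(f"{action}@{short}: tag {comment} not found upstream")
            continue
        tag_sha, published = entry
        if tag_sha != ref:
            # The comment is not authoritative: report what the SHA really is.
            actual = tags_for_sha(upstream, repo, ref) or ["no known tag"]
            findings.append(f"{action}@{short}: comment says {comment} but SHA is {', '.join(actual)}")
        age = (today - published).days
        if age < min_age_days:
            findings.append(
                f"{action}@{short}: {comment} is {age} day(s) old, under the {min_age_days}-day cooldown"
            )
    return findings


# Constructed sample workflow fragment exercising each check.
SAMPLE_WORKFLOW = (
    "steps:\n"
    f"  - uses: actions/checkout@{'a' * 40}  # v6.0.3\n"                 # good pin
    f"  - uses: actions/checkout@{'b' * 40}  # v7.0.0\n"                 # too fresh
    f"  - uses: softprops/action-gh-release@{'d' * 40}  # v2.2.0\n"      # comment lies
    "  - uses: actions/setup-node@v4\n"                                  # floating tag
    "  - uses: ./.github/actions/setup\n"                                # local, skipped
)


def demo_findings(today=date(2026, 3, 30)):
    """Run the checker over the constructed sample with a fixed 'today'."""
    return check_pins(SAMPLE_WORKFLOW, today=today)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Run it against real workflows by replacing `UPSTREAM` with an index built from `git ls-remote --tags` for each action repository; the peeled entry is the one to compare, since the SHA of an annotated tag object is not the commit SHA that `uses:` pins.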

@dependabot dependabot Bot (Author) commented on behalf of github Nov 25, 2025

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-ac25b41920 branch from 58a012d to 2749686 December 8, 2025 10:53
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-ac25b41920 branch 2 times, most recently from 6c74619 to ad75368 December 29, 2025 09:37
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-ac25b41920 branch 2 times, most recently from 37e1ab1 to f68baa0 January 19, 2026 10:25
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-ac25b41920 branch from f68baa0 to 92d7ded March 30, 2026 09:31
Refresh the github-actions group to current stable releases, each pinned to
the full commit SHA of its tag (verified against upstream) so the ref cannot
be moved out from under us. All selected versions are >7 days old to dodge
freshly-published compromised releases.

- actions/checkout            v4.2.2  -> v6.0.3
- peter-evans/create-pull-request v7.0.5  -> v8.1.1
- github/codeql-action        v3.28.0 -> v4.36.2 (clears CVE-2025-24362)
- softprops/action-gh-release v2.2.0  -> v3.0.0
- pnpm/action-setup           v4.0.0  -> v6.0.8
- actions/setup-node          v4.1.0  -> v6.4.0

The prior dependabot branch pinned action-gh-release to a SHA that was
actually v2.6.1 while the comment claimed v2.2.0; comments now match SHAs.
@bestdan bestdan force-pushed the dependabot/github_actions/github-actions-ac25b41920 branch from 92d7ded to d67620a June 18, 2026 20:19
@bestdan bestdan requested a review from Copilot June 18, 2026 20:19

Copilot AI (Contributor) left a comment

Pull request overview

This Dependabot PR updates pinned GitHub Action revisions across the repo’s CI/release automation workflows and the shared composite setup action.

Changes:

  • Bump actions/checkout pins across workflows to v6.0.3.
  • Bump CodeQL workflow pins to github/codeql-action@v4.36.2.
  • Update release automation actions (softprops/action-gh-release@v3.0.0, peter-evans/create-pull-request@v8.1.1) and the composite setup action (pnpm/action-setup@v6.0.8, actions/setup-node@v6.4.0).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| .github/workflows/tag-version.yml | Bumps actions/checkout pin used for tagging after version bump merges. |
| .github/workflows/release.yml | Bumps actions/checkout and softprops/action-gh-release pins used during manual releases. |
| .github/workflows/copilot-setup-steps.yml | Bumps actions/checkout pin used by the Copilot setup workflow. |
| .github/workflows/codeql.yml | Bumps actions/checkout and CodeQL action pins for security scanning. |
| .github/workflows/ci.yml | Bumps actions/checkout pins across CI jobs. |
| .github/workflows/auto-version-bump.yml | Bumps actions/checkout and peter-evans/create-pull-request pins for automated version bump PRs. |
| .github/actions/setup/action.yml | Updates pnpm + Node setup action pins used by workflows. |

Comment on lines 61 to +62
- name: Create Pull Request
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
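Review bot: the bump from v7.0.5 to v8.1.1 crosses a major version, and the hunk shows only the `uses:` line, not the step's `with:` inputs; confirm that every input this workflow passes to create-pull-request is still accepted by v8 before merging, since a renamed or removed input would only surface the next time the auto-version-bump workflow runs.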
Comment on lines 87 to 89
- name: Create GitHub Release
uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.2.0
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
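Review bot: the removed line's comment claimed v2.2.0, but per the PR description that SHA was actually v2.6.1, which is exactly why a `# vX.Y.Z` comment must never be taken as proof of what a pin is; the replacement is a v2 to v3 major bump and the `with:` block is cut off at the hunk boundary, so check the release step's inputs against v3 and consider a short note in the commit saying the comment/SHA mismatch was corrected.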
Comment on lines 31 to 33
- name: Initialize CodeQL
uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
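Review bot: only the `init` sub-action appears in this hunk; `github/codeql-action/init` and `github/codeql-action/analyze` (and `autobuild`, if codeql.yml uses it) should be pinned to the same SHA, since the CodeQL action expects its init and analyze steps to run the same version, so verify the rest of codeql.yml moved to 8aad20d as well. The PR description notes that v3.28.0 is in range of CVE-2025-24362, which makes this the one bump in the set that closes a known advisory rather than just refreshing a version.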
Comment thread .github/actions/setup/action.yml Outdated
Comment on lines 7 to 9
- name: Setup pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
with:
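Review bot: the `with:` block is cut off at the hunk boundary, and the later commit message on this PR says pnpm/action-setup now resolves the version from package.json's packageManager field (pnpm@9.0.0) and that the explicit version input duplicated it; make sure the input is actually dropped from this step rather than left behind, where it would have to be kept in sync with packageManager by hand and would disagree with it on the next pnpm bump.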
Comment on lines 12 to 15
- name: Setup Node.js 22.14.0
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: '.nvmrc'
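Review bot: the step name hardcodes `Setup Node.js 22.14.0` while the version actually comes from `node-version-file: '.nvmrc'`, so the name will silently drift the next time .nvmrc changes; rename it along the lines of `Setup Node.js (from .nvmrc)`. The jump from v4.1.0 to v6.4.0 spans two major versions, so confirm the remaining inputs in this step are still valid for v6.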
@bestdan bestdan changed the title from "chore(deps): bump the github-actions group with 4 updates" to "chore(deps): pin GitHub Actions to verified SHAs and refresh versions" Jun 18, 2026
action-setup now resolves the version from package.json's packageManager
field (pnpm@9.0.0); the explicit version input duplicated it.
@dependabot dependabot Bot (Author) commented on behalf of github Jun 29, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-ac25b41920 branch June 29, 2026 09:10