Disable renovate #1086
Conversation
🐕 Review complete — View session on Shuni Portal 🐾
🐕 Shuni's Review
Disables Renovate and switches the internal install action reference from a pinned SHA to @main in the published export/import composite actions.
Sniffed out 1 issue:
- 1 🟡 MEDIUM: floating `@main` ref in marketplace composite actions breaks downstream pinning
See inline comments for details. Woof!
| steps: | ||
| - name: Install Descope CLI | ||
| uses: descope/descopecli/.github/actions/install@9163e884e1c1af93784b265a3dc048f4040b63ad # main | ||
| uses: descope/descopecli/.github/actions/install@main |
🟡 MEDIUM: Switching from a pinned SHA to @main for the nested install action breaks reproducibility for downstream consumers.
export and import are marketplace composite actions (note the branding: block). When an external user pins descope/descopecli/.github/actions/export@<sha-or-tag>, the action.yml at that version will still resolve install@main at runtime — so any change on main (Go version bump, install logic change, or a malicious push) immediately affects every pinned consumer. The previous SHA-pin + Renovate pattern provided immutable refs and supply-chain hardening; disabling Renovate without keeping SHA pins removes both.
If the goal is just to stop the Renovate PR churn, consider keeping the SHA pin and updating it manually on release, or pinning to a tag (e.g. @v0.8.14) that moves on intentional cuts rather than every main commit.
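The concern raised above can be checked mechanically. The following is an added example, not code from this PR or from the descopecli project: a small audit of `uses:` lines in a workflow or composite action file that classifies each ref as an immutable pin (40-hex commit SHA or `sha256` digest) or a mutable ref (branch, major-version tag, release tag, Docker tag). The YAML it scans is constructed here for the demonstration; it contains the pinned and floating forms of the install step from this PR's diff, the `@v0.8.14` tag suggested in the comment (a hypothetical ref, not a verified release), and a few other ref shapes to show how each is handled.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the two forms of the install step from this PR's diff,
# plus other ref shapes (release tag, major tag, local path, Docker image).
SAMPLE_ACTION_YML = """\
name: Export
runs:
  using: composite
  steps:
    - name: Install Descope CLI (pinned SHA, as before this PR)
      uses: descope/descopecli/.github/actions/install@9163e884e1c1af93784b265a3dc048f4040b63ad # main
    - name: Install Descope CLI (floating branch, as in this PR)
      uses: descope/descopecli/.github/actions/install@main
    - name: Install Descope CLI (release tag; hypothetical ref)
      uses: descope/descopecli/.github/actions/install@v0.8.14
    - name: Checkout (major-version tag, moves with every release)
      uses: actions/checkout@v4
    - name: Local action (no ref to pin)
      uses: ./.github/actions/build
    - name: Docker action (mutable image tag)
      uses: docker://alpine:3.20
"""

# `uses: <target>` optionally followed by a trailing `# comment` (Renovate's branch/tag marker).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<target>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+(\.\d+)*$")   # v0.8.14, 1.2
MAJOR_TAG_RE = re.compile(r"^v?\d+$")              # v4
IMMUTABLE_KINDS = {"sha", "digest"}


def classify_ref(ref: str) -> str:
    """Classify the part after '@' in an action reference."""
    if SHA_RE.match(ref):
        return "sha"
    if FULL_TAG_RE.match(ref):
        return "tag"          # moves only if someone re-points the tag
    if MAJOR_TAG_RE.match(ref):
        return "major-tag"    # expected to move on every release
    return "branch"           # main, master, feature branches: moves on every push


def parse_target(target: str) -> Tuple[str, Optional[str]]:
    """Return (kind, ref) for one `uses:` target."""
    if target.startswith("./"):
        return "local", None                      # resolved from the consumer's checkout
    if target.startswith("docker://"):
        image = target[len("docker://"):]
        if "@sha256:" in image:
            return "digest", image.split("@", 1)[1]
        last = image.rsplit("/", 1)[-1]           # tag lives after the last ':' of the last path segment
        return "docker-tag", (last.rsplit(":", 1)[1] if ":" in last else "latest")
    if "@" not in target:
        return "missing-ref", None                # GitHub rejects this; flag it anyway
    _, ref = target.rsplit("@", 1)
    return classify_ref(ref), ref


def audit_uses(yaml_text: str) -> List[dict]:
    """Find every `uses:` line and describe how its ref is pinned."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind, ref = parse_target(m.group("target"))
        findings.append({"line": lineno, "target": m.group("target"), "kind": kind,
                         "ref": ref, "comment": m.group("comment")})
    return findings


def floating_refs(yaml_text: str, allow_release_tags: bool = False) -> List[dict]:
    """Return the findings that are not immutably pinned (optionally tolerating full release tags)."""
    allowed = IMMUTABLE_KINDS | {"local"} | ({"tag"} if allow_release_tags else set())
    return [f for f in audit_uses(yaml_text) if f["kind"] not in allowed]


if __name__ == "__main__":
    for f in floating_refs(SAMPLE_ACTION_YML):
        print(f"line {f['line']}: {f['kind']:<10} {f['target']}")
```

Run over a real repository, the same functions would walk `.github/workflows/*.yml` and `.github/actions/*/action.yml`; the strictest policy treats anything outside `sha` and `digest` as a finding, while `allow_release_tags=True` reflects the weaker "tag that moves on intentional cuts" compromise mentioned in the comment.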
| steps: | ||
| - name: Install Descope CLI | ||
| uses: descope/descopecli/.github/actions/install@9163e884e1c1af93784b265a3dc048f4040b63ad # main | ||
| uses: descope/descopecli/.github/actions/install@main |
🟡 MEDIUM: Same concern as export/action.yml:36 — install@main floats for every downstream consumer that pins this composite action to a tag or SHA. Any change on main propagates immediately to all pinned users, undermining the reproducibility and supply-chain guarantees that pinning is meant to provide.
Pull request overview
This PR aims to stop Renovate from opening PRs in this repository and adjusts the repo’s composite GitHub Actions to consume the install action from the main branch.
Changes:
- Disable Renovate via `renovate.json` (`"enabled": false`).
- Update the import/export composite actions to use `descope/descopecli/.github/actions/install@main` instead of a pinned commit SHA.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| renovate.json | Disables Renovate for the repository. |
| .github/actions/import/action.yml | Switches the referenced install action ref from a pinned SHA to main. |
| .github/actions/export/action.yml | Switches the referenced install action ref from a pinned SHA to main. |
| steps: | ||
| - name: Install Descope CLI | ||
| uses: descope/descopecli/.github/actions/install@9163e884e1c1af93784b265a3dc048f4040b63ad # main | ||
| uses: descope/descopecli/.github/actions/install@main |
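Review bot: the removed line's trailing `# main` comment is the marker Renovate used to know which branch the pinned SHA tracked; with Renovate disabled in this same PR nothing would refresh that pin, which explains the switch to `@main`, but the result is that every change to the install action on main reaches consumers' export steps at run time with no intermediate pin at which it could be exercised against export first. If the intent is to stop the bump PRs rather than to float, keep the SHA and bump it by hand when install changes, or reference a release tag so install only moves when a release is cut.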
| steps: | ||
| - name: Install Descope CLI | ||
| uses: descope/descopecli/.github/actions/install@9163e884e1c1af93784b265a3dc048f4040b63ad # main | ||
| uses: descope/descopecli/.github/actions/install@main |
| ], | ||
| "enabled": false |
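Review bot: `"enabled": false` at the top level switches Renovate off for every manager in the repository (Go modules, other third-party actions, anything else the config covered), not only the install-action SHA bumps that motivated this change. If the goal is just to stop that one churn, a `packageRules` entry matching the install action with `"enabled": false` would silence it while leaving other dependency updates running. The PR has no description; a sentence stating the reason for disabling Renovate entirely would help the next reader of this file.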
No description provided.