
Revert tag-pin accommodations now that self-references are SHA-pinned #426

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem. First-party self-references are moving from tag pins (@v8.0.0 # x-release-please-version) to commit-SHA pins (see the fix PR for the platform SHA-pin-policy breakage). Three accommodations existed solely for the tag pins and are now obsolete:

  1. This repo's sha_pinning_required Actions policy is disabled (the documented "repo policy exception"). It can be re-enabled — declaratively via devantler-tech/.github deploy/ where possible.
  2. CodeQL runs via advanced setup with actions/unpinned-tag excluded (.github/workflows/active-codeql.yaml + .github/codeql/codeql-config.yml) because that query flagged the intentional tag pins. The exclusion can be dropped (or the repo returned to default setup).
  3. Any zizmor by-owner unpinned-uses allowance for first-party tag refs can be tightened.

Proposal. After the SHA-pin PR merges and the next release ships: re-enable the repo policy, drop the CodeQL query exclusion, tighten zizmor config. Also verify consumers (platform first) pick up the released SHA bump via Renovate/Dependabot so their scheduled workflows go green.

Acceptance criteria.

  • sha_pinning_required enabled on devantler-tech/actions (declarative where the tooling allows)
  • CodeQL actions/unpinned-tag exclusion removed and CodeQL green
  • zizmor config carries no first-party unpinned-tag allowance
  • platform Update Agent Skills + TODOs scheduled runs green on the new release
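For readers checking their own workflows before flipping the policy back on: the script below is an added example, not code from this issue or from the devantler-tech repositories. It approximates what GitHub's sha_pinning_required policy and a zizmor unpinned-uses by-owner allowance each accept, so you can see which `uses:` lines would start failing once the first-party tag allowance is dropped. Function names (`classify_uses`, `find_violations`), the `allowed_tag_owners` parameter and the sample workflow are illustrative; the SHAs in the sample are placeholders, not real commits.

```python
"""Preflight check approximating GitHub's sha_pinning_required policy.

Added example, not code from the devantler-tech repos. Function and
parameter names are illustrative. SAMPLE_WORKFLOW is constructed input
and its SHAs are placeholders, not real commits.
"""
import re

# Full-length (40 hex) commit SHA: the only form the repo policy accepts.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# A `uses:` step line; captures the reference and any trailing comment.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$"
)


def classify_uses(uses: str) -> str:
    """Return how an action reference is pinned.

    'sha' is the only kind sha_pinning_required accepts; 'local' and
    'docker' are outside the policy; everything else is mutable.
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "missing-ref"
    _, ref = uses.rsplit("@", 1)
    if FULL_SHA.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"  # abbreviated SHAs are not accepted either
    # A tag (v8.0.0) and a branch (main) cannot be told apart syntactically.
    return "mutable-ref"


def owner_of(uses: str) -> str:
    """Owner segment of an `owner/repo[/path]@ref` reference."""
    return uses.split("/", 1)[0]


def find_violations(workflow_text: str, allowed_tag_owners=()):
    """Return (line_no, uses, kind, comment) for each non-compliant step.

    `allowed_tag_owners` mirrors a zizmor-style by-owner allowance for
    first-party tag refs; pass an empty tuple for the tightened policy.
    """
    violations = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), (m.group(2) or "").strip()
        kind = classify_uses(uses)
        if kind in ("sha", "local", "docker"):
            continue
        if kind == "mutable-ref" and owner_of(uses) in allowed_tag_owners:
            continue  # tolerated first-party tag pin (the old accommodation)
        violations.append((line_no, uses, kind, comment))
    return violations


# Constructed sample workflow; SHA_A/SHA_B are placeholder commit SHAs.
SHA_A = "a" * 40
SHA_B = "b" * 40
SAMPLE_WORKFLOW = f"""\
name: demo
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A} # v5 (placeholder SHA)
      - uses: devantler-tech/actions/example@v8.0.0 # x-release-please-version
      - uses: devantler-tech/actions/example@{SHA_B} # v8.0.1 (placeholder SHA)
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
      - uses: some-org/other-action@abc1234
"""

if __name__ == "__main__":
    print("with first-party tag allowance:")
    for v in find_violations(SAMPLE_WORKFLOW, allowed_tag_owners=("devantler-tech",)):
        print("  ", v)
    print("tightened policy (no allowance):")
    for v in find_violations(SAMPLE_WORKFLOW):
        print("  ", v)
```

Run it against the sample and the `x-release-please-version` line is reported only under the tightened policy, which is exactly the line the SHA-pin PR replaces; the `@main` and abbreviated-SHA lines fail under both settings, since no by-owner allowance covers them.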
