🤖 Generated by the Daily AI Assistant
Problem. First-party self-references are moving from tag pins (`@v8.0.0 # x-release-please-version`) to commit-SHA pins (see the fix PR for the platform SHA-pin-policy breakage). Three accommodations existed solely for the tag pins and are now obsolete:

- This repo's `sha_pinning_required` Actions policy is disabled (the documented "repo policy exception"). It can be re-enabled, declaratively via `devantler-tech/.github` `deploy/` where possible.
- CodeQL runs via advanced setup with `actions/unpinned-tag` excluded (`.github/workflows/active-codeql.yaml` + `.github/codeql/codeql-config.yml`) because that query flagged the intentional tag pins. The exclusion can be dropped (or the repo returned to default setup).
- Any zizmor by-owner `unpinned-uses` allowance for first-party tag refs can be tightened.

Proposal. After the SHA-pin PR merges and the next release ships: re-enable the repo policy, drop the CodeQL query exclusion, and tighten the zizmor config. Also verify that consumers (platform first) pick up the released SHA bump via Renovate/Dependabot so their scheduled workflows go green.
Acceptance criteria.

- `sha_pinning_required` enabled on `devantler-tech/actions` (declarative where the tooling allows)
- `actions/unpinned-tag` exclusion removed and CodeQL green
- Update Agent Skills + TODOs scheduled runs green on the new release
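The check below is an added example, not code from this repository or from GitHub, CodeQL or zizmor. It scans `uses:` references in a workflow and classifies each as SHA-pinned, tag/branch-pinned or not applicable (local and `docker://` actions), then reports (a) the first-party tag pins the old by-owner allowance tolerated and (b) what would still fail once `sha_pinning_required` is re-enabled with no allowance. The sample workflow and its SHA values are constructed; the line regex is a simplification rather than a YAML parser, which is enough for the one-line `uses:` form shown here.

```python
"""Audit `uses:` references in a GitHub Actions workflow for commit-SHA pinning.

Added example (not the repository's own tooling). Flags tag- or branch-pinned
`uses:` references and separately lists first-party tag pins, so the by-owner
allowance can be confirmed empty before it is tightened.
"""
import re
from dataclasses import dataclass

# Constructed sample workflow: mixes the old first-party tag pin, SHA pins,
# and references where SHA pinning does not apply.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: devantler-tech/actions/setup-tooling@v8.0.0 # x-release-please-version
      - uses: devantler-tech/actions/lint@fedcba9876543210fedcba9876543210fedcba98 # v8.0.1 (constructed SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# Matches `- uses: value` (optionally quoted); stops before whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class UsesRef:
    line_no: int
    action: str   # owner/repo[/path], or the local / docker target
    ref: str      # text after '@' ("" when absent)
    kind: str     # "sha", "tag", "unpinned" or "not-applicable"


def classify(spec):
    """Return (action, ref, kind) for one `uses:` value."""
    if spec.startswith(("./", "docker://")):
        return spec, "", "not-applicable"
    action, sep, ref = spec.partition("@")
    if not sep:
        return action, "", "unpinned"
    if SHA_RE.fullmatch(ref):
        return action, ref, "sha"
    return action, ref, "tag"   # tags and branch names both count as mutable refs


def audit_workflow(text):
    """Collect every `uses:` reference in the workflow text with its classification."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m.group("ref"))
            refs.append(UsesRef(n, action, ref, kind))
    return refs


def owner_of(action):
    return action.split("/")[0]


def first_party_tag_pins(refs, owner):
    """Tag pins on the given owner: exactly what the by-owner allowance covered."""
    return [r for r in refs if r.kind == "tag" and owner_of(r.action) == owner]


def sha_policy_violations(refs, allow_owner_tags=None):
    """References that fail a SHA-pin policy.

    allow_owner_tags reproduces the old by-owner allowance; pass None to model
    the policy with the allowance dropped.
    """
    out = []
    for r in refs:
        if r.kind not in ("tag", "unpinned"):
            continue
        if allow_owner_tags and r.kind == "tag" and owner_of(r.action) == allow_owner_tags:
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for r in found:
        print(f"line {r.line_no:>2}: {r.kind:<14} {r.action}@{r.ref}")
    print("first-party tag pins:", [r.line_no for r in first_party_tag_pins(found, "devantler-tech")])
    print("violations without allowance:", [r.line_no for r in sha_policy_violations(found)])
```

Run it against the repository's own workflow files once the SHA-pin PR has merged: an empty `first_party_tag_pins` result is the evidence that the zizmor allowance and the CodeQL `actions/unpinned-tag` exclusion no longer cover anything, and an empty `sha_policy_violations(refs)` result is what re-enabling `sha_pinning_required` needs in order to stay green.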