
Pin GH Actions version comments to exact semver#89

Merged
MariusVolkhart merged 1 commit into
mainfrom
mv/fullVersions
Jun 3, 2026

Conversation

@MariusVolkhart
Member

Summary

  • Replaces floating major-version comments (# v6, # v5, # v7) with exact patch versions (# v6.0.2, # v5.2.0, etc.) on all pinned action SHAs
  • Prevents zizmor ref-confusion false window: when a floating tag advances between Renovate PRs, the comment becomes stale and zizmor flags the mismatch
  • Renovate preserves full semver comments going forward, so future digest-update PRs will also carry the correct version

🤖 Generated with Claude Code

@snyk-io

snyk-io Bot commented Jun 3, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues


Review thread on .github/workflows/ci.yml

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
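Review bot: only the trailing comment changes here; the pinned SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd is identical on both lines, so `# v6.0.2` is accurate only if that commit is what upstream tags as v6.0.2. Since the whole point of this PR is that a comment which disagrees with the ref trips zizmor, it would help to record in the description how each exact version was resolved (Renovate's output or the upstream tag), so reviewers of later digest-update PRs can confirm the comment still matches the SHA.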
Collaborator

I noticed these are only comment changes but not hash changes on the action itself; does something from GitHub pipelines take the commented version into account as well?

Member Author

Yes, a weird interaction of zizmor, GitHub security, and Renovate.

Floating major-version comments (# v6) become stale when the tag
advances between Renovate PRs. Zizmor's ref-confusion audit flags the
mismatch. Full patch versions (# v6.0.2) keep comments accurate and
make Renovate track exact versions going forward.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
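To make the mechanism in the reply and commit message concrete, here is an added example (my code, not the project's or Renovate's): a small audit that parses `uses:` steps from workflow text and flags the case this PR fixes, a SHA pin whose comment is a floating major version, alongside unpinned refs and SHA pins with no version comment. The two checkout lines reproduce the hunk above; the other action names and the second SHA are constructed.

```python
import re

# Classify each `uses:` step the way the PR describes: unpinned (mutable tag
# or branch ref), SHA-pinned with a floating major-version comment ("# v6"),
# SHA-pinned with no comment, or SHA-pinned with an exact semver comment
# ("# v6.0.2"), which stays accurate after the upstream tag advances.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
FLOATING_RE = re.compile(r"^v?\d+(?:\.\d+)?$")


def classify(line):
    """Return (action, status) for a `uses:` line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, comment = m.group("action", "ref", "comment")
    if not SHA_RE.match(ref):
        return action, "unpinned"        # a tag or branch can be moved upstream
    if comment is None:
        return action, "sha-no-version"  # nothing records which release this is
    if EXACT_RE.match(comment):
        return action, "exact"           # names one release; cannot silently drift
    if FLOATING_RE.match(comment):
        return action, "floating"        # "# v6" goes stale once the tag advances
    return action, "unrecognised-comment"


def audit(workflow_text):
    """Return (action, status) for every step that is not SHA-pinned with an exact comment."""
    return [r for r in map(classify, workflow_text.splitlines())
            if r is not None and r[1] != "exact"]


# Constructed sample: the first two steps are the before/after lines from this
# PR's hunk; the 0123... SHA is a placeholder, not a real upstream commit.
SAMPLE = """
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - uses: actions/setup-node@v4
  - uses: example/action@0123456789abcdef0123456789abcdef01234567
"""
```

Running `audit(SAMPLE)` reports the floating `# v6` pin, the unpinned `setup-node@v4` ref and the comment-less SHA, and stays silent on the `# v6.0.2` line that this PR introduces.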
@MariusVolkhart MariusVolkhart merged commit 0639702 into main Jun 3, 2026
7 checks passed
@MariusVolkhart MariusVolkhart deleted the mv/fullVersions branch June 3, 2026 16:20