Pin GitHub Actions with SHAs and configure Dependabot#381

Closed
koji-1009 wants to merge 3 commits into subosito:main from koji-1009:dependabots

Conversation

@koji-1009 (Contributor) commented Feb 22, 2026

Hello. This PR improves security and maintenance for GitHub Actions.

  • Pin action references to full commit SHAs
  • Configure Dependabot for github-actions updates

Summary by CodeRabbit

  • Chores
    • Added a Dependabot configuration to automate weekly updates for workflow dependencies, limit open update PRs, and apply a consistent labeling strategy.
    • Pinned workflow tooling and caching actions to fixed, specific revisions to ensure reproducible builds and consistent behavior across runs.

@coderabbitai (bot) commented Feb 22, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough

Adds a Dependabot config to automate GitHub Actions updates and pins GitHub Action references to specific commit hashes in workflow and action metadata files for deterministic resolution (no runtime logic or public API changes).

Changes

Cohort / File(s)                          Summary

Dependabot Configuration
  .github/dependabot.yml                  Adds Dependabot config targeting the github-actions ecosystem at the repo root, with weekly updates, max 10 open PRs, and a dependabot label.

Workflow Action Pinning
  .github/workflows/workflow.yaml         Replaces public action tags with specific commit-hash references for actions used in workflow steps (e.g., actions/checkout, ludeeus/action-shellcheck).

Action Metadata Pinning
  action.yaml                             Replaces actions/cache@v4 occurrences with a specific commit hash (actions/cache@0057852b...) for cache-related steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through yarn and YAML, neat and quick,
Pinning hashes, one by one, a tidy trick.
Dependabot hums its weekly tune,
My builds sit calm beneath the moon. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the two main changes: pinning GitHub Actions to specific SHAs and configuring Dependabot for automated dependency updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai (bot) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/workflow.yaml (1)

22-22: # master comment on ludeeus/action-shellcheck carries no version/date signal.

A bare # master doesn't help future readers or Dependabot reason about when this SHA was captured. If a semver tag exists, prefer # vX.Y.Z; if not, appending an ISO date (e.g. # master @ 2026-01-xx) makes the staleness visible.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/workflow.yaml at line 22, The workflow line using "uses:
ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca" currently
has an uninformative comment "# master"; update that comment to convey a
meaningful version or capture date so future readers/Dependabot can reason about
staleness—for example, replace "# master" with a semver tag like "# vX.Y.Z" if a
release tag exists for ludeeus/action-shellcheck, or append an ISO date like "#
master @ 2026-01-xx" to indicate when this SHA was recorded; locate the entry
containing "uses:
ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca" and adjust
the trailing comment accordingly.
.github/dependabot.yml (1)

5-7: Consider adding a commit-message prefix to align with repo conventions.

Without commit-message configuration, Dependabot will use its default message format. Adding a prefix keeps update commits consistent with any conventional-commit style in use.

♻️ Suggested addition
     schedule:
       interval: weekly
+    commit-message:
+      prefix: chore
     open-pull-requests-limit: 10
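Review bot: the suggested `prefix: chore` disagrees with the `chore(deps)` prefix the accompanying AI-agent prompt recommends; settle on one value so Dependabot's commit titles match the convention the repository actually uses. The placement is right: `commit-message:` sits at the same indentation as `schedule:` and `open-pull-requests-limit:` inside the `updates:` entry, not nested under `schedule:`, so anyone applying this by hand should keep that alignment.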
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 5 - 7, Add a commit-message
configuration to the Dependabot update block so update commits follow the repo's
conventional-commit style: next to the existing schedule and
open-pull-requests-limit keys add a commit-message mapping (e.g.,
commit-message: { prefix: "chore(deps)" } or include both prefix and
prefix-development) so Dependabot uses "chore(deps): ..." as the commit title
instead of its default format; update the block that currently contains schedule
and open-pull-requests-limit to include this new commit-message key.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@action.yaml`:
- Line 119: Update release notes and documentation to call out the minimum
GitHub Actions Runner requirement for the pinned actions/cache release: the
referenced pinned SHA (cdf6c1fa76f9f475f3d7449005a359c84ca0f306) which maps to
actions/[email protected] (actions/cache@v5) requires Node.js 24 and a minimum runner
version of 2.327.1; add a clear note near the use of actions/[email protected] (and
any similar pinned entries) stating that self-hosted runners below 2.327.1 will
fail and provide guidance to upgrade runners or pin to an earlier actions/cache
major version.

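To make the nitpick above concrete, here is an added checker (my example, not code from the PR or the CodeRabbit review) that classifies each `uses:` reference in a workflow as a mutable tag or branch, a full-SHA pin with a version comment, or a full-SHA pin whose comment (such as `# master`) says nothing about when it was captured. The workflow text is a constructed sample; the all-ones SHA is a placeholder, not a real commit.

```python
import re

# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# "uses: owner/repo@ref" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")
# A useful pin comment names the tag the SHA was taken from, e.g. "v4.3.0".
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*\b")

def check_uses_line(line):
    """Return None for non-`uses:` lines, else (ref, status) with status one of
    'skipped', 'mutable-ref', 'pinned' or 'pinned-no-version-comment'."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref, comment = m.group(1), (m.group(2) or "").strip()
    if ref.startswith("./") or ref.startswith("docker://"):  # no SHA to check
        return ref, "skipped"
    if "@" not in ref or not SHA_RE.match(ref.rsplit("@", 1)[1]):
        return ref, "mutable-ref"
    if VERSION_COMMENT_RE.match(comment):
        return ref, "pinned"
    # e.g. "# master": the SHA is immutable, but nothing says when it was captured
    return ref, "pinned-no-version-comment"

def audit(workflow_text):
    """Return (line_no, ref, status) for every action reference worth reporting."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        result = check_uses_line(line)
        if result and result[1] != "skipped":
            findings.append((n, result[0], result[1]))
    return findings

# Constructed sample workflow; the all-ones SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@1111111111111111111111111111111111111111  # v4.3.0
      - uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca  # master
      - uses: ./local-action
"""

if __name__ == "__main__":
    for line_no, ref, status in audit(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {status:28} {ref}")
```

Run it against a real `.github/workflows/*.yaml` file to get a quick list of references that are still mutable or that are pinned without a tag comment Dependabot can reason about.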

@koji-1009 (Contributor, Author)

In #371:

You are welcome to submit a PR to do so as well

This PR pins action references to commit SHAs and adds a Dependabot configuration to keep them updated automatically. Commit hash pinning and Dependabot work well together — Dependabot understands SHA-pinned actions and will propose updates with the correct new hash and version comment.

For example, once this is merged, Dependabot will automatically create a PR to update actions/cache from v4.3.0 to v5 latest.

@yurikoles

In #371:

You are welcome to submit a PR to do so as well

This PR pins action references to commit SHAs and adds a Dependabot configuration to keep them updated automatically.

This is speculation; in the very next sentence of the very same message you're citing, this repo's maintainer argues against SHA pinning. Let me cite both sentences that came in a row in this message:

This issue could be alleviated by introducing Renovate or Dependabot

You are welcome to submit a PR to do so as well, and promptly review future PRs from such a bot.

It's not exactly a lot of work, but it is still a thing that has to be done, and as opposed to normal maintenance of this action (which I enjoy) – bumping SHAs (or merging dependabot PRs) for each update of actions/cache is not something I enjoy doing for free, in my free time.

So the maintainer is clear that he doesn't mind dependabot auto-bumping new versions of actions, but he is still against SHA pinning.

@koji-1009 (Contributor, Author)

OK. I'll close this PR.
