Skip to content

chore: pin GitHub Actions to SHAs, add dependabot#38

Merged
chris-colinsky merged 1 commit into
mainfrom
chore/pin-action-shas
May 13, 2026
Merged

chore: pin GitHub Actions to SHAs, add dependabot#38
chris-colinsky merged 1 commit into
mainfrom
chore/pin-action-shas

Conversation

@chris-colinsky

Copy link
Copy Markdown
Member

Summary

Two related security/maintenance moves bundled into one PR per the chore-and-dependabot plan in `openarmature-coord/docs/future-work.md`:

Pin all third-party actions to commit SHAs

Tag refs are mutable; SHAs are not. CodeQL flagged "unpinned 3rd-party action" findings 21 + 22 against `docs.yml` on PR #32; the same warning applied to every workflow but hadn't been triaged.

All sixteen action references across the four workflows now use commit SHAs with the resolved version recorded as an inline comment, e.g.:

```yaml
uses: actions/checkout@de0fac2 # v6.0.2
```

Action versions captured:

Action Version
`actions/checkout` v6.0.2
`astral-sh/setup-uv` v8.1.0
`cloudflare/wrangler-action` v4.0.0 (bumped from v3)
`github/codeql-action` v3.35.4
`actions/upload-artifact` v7.0.1
`actions/download-artifact` v8.0.1
`pypa/gh-action-pypi-publish` release/v1 branch tip
`softprops/action-gh-release` v2.6.2

wrangler-action v3 → v4 bump (Node 24)

The wrangler-action bump is the deliberate move: v4 uses `node24`, resolving the Node.js 20 deprecation warning that's been firing on every Docs workflow run since shortly after the docs launch. v4's only major change is bumping the bundled Wrangler CLI default from v3 to v4, which is transparent to the `pages deploy site --project-name=openarmature-python-docs` invocation.

This closes the `chore/wrangler-action-node24` follow-up tracked separately in `future-work.md` — folded into this PR per that entry's "probably folds into chore/pin-action-shas" note.

Dependabot config

New `.github/dependabot.yml` watches the `github-actions` ecosystem and surfaces version bumps as PRs monthly. SHA-pinning's "no auto-updates" downside gets handled automatically: each Dependabot PR brings an updated SHA + updated version comment, ready to review-and-merge.

Monthly cadence keeps PR volume bounded; action releases cluster around new GitHub Actions runner features and platform updates, so a month is long enough for batching without missing real security advisories.

Test plan

  • `grep -rE "uses:.*@v[0-9]" .github/workflows/` returns no results — all tag refs replaced.
  • Every SHA pin carries a `# v` comment for human readability.
  • CI workflow runs on this PR (every action is exercised on PR merges + pushes).
  • CodeQL workflow run on this PR completes; findings 21 + 22 dismissed in a follow-up scan once the pinned workflows ship.
  • First Dependabot run picks up the github-actions ecosystem (visible in the Insights → Dependency graph → Dependabot tab once the config lands on main).
  • After merge, the next Docs workflow run on main deploys cleanly under wrangler-action v4 (verified by deployment status + site continues to serve at https://openarmature.ai/).
  • Release workflow exercised on the next release tag (not in scope for this PR; the SHA pins are mechanically equivalent to the prior tag refs at the versions they resolved to).

Tag refs are mutable; SHA pins are not. CodeQL flagged
"unpinned 3rd-party action" findings 21 + 22 against the
docs.yml workflow on PR #32; the same warning applied to every
workflow but hadn't been triaged. Pin all sixteen action
references across the four workflows to commit SHAs with the
resolved version recorded as an inline comment.

Action versions captured:

- actions/checkout              → v6.0.2
- astral-sh/setup-uv            → v8.1.0
- cloudflare/wrangler-action    → v4.0.0 (bumped from v3)
- github/codeql-action          → v3.35.4
- actions/upload-artifact       → v7.0.1
- actions/download-artifact     → v8.0.1
- pypa/gh-action-pypi-publish   → release/v1 branch tip
- softprops/action-gh-release   → v2.6.2

The wrangler-action bump from v3 to v4 is the deliberate move:
v4 uses node24, resolving the Node.js 20 deprecation warning
that's been firing on every Docs workflow run. v4's only major
change is bumping the bundled Wrangler CLI default from v3 to
v4, which is transparent to our `pages deploy` invocation.

The maintenance pair is .github/dependabot.yml — Dependabot
watches the github-actions ecosystem and surfaces version bumps
as PRs each month, so SHA-pinning's "no auto-updates" downside
gets handled automatically. Monthly cadence keeps PR volume
bounded; action releases cluster around new runner features
and platform updates, so a month is long enough for batching
without missing real security advisories.

After merge, the open CodeQL findings 21 + 22 on PR #32 should
be auto-dismissed once the next CodeQL scan re-runs against
the pinned workflows.
Copilot AI review requested due to automatic review settings May 13, 2026 02:30

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves GitHub Actions supply-chain security and maintenance by pinning all third-party Actions to immutable commit SHAs and adding a Dependabot configuration to keep those pins up to date over time.

Changes:

  • Pin all uses: references in CI/Docs/Release/CodeQL workflows to specific commit SHAs with inline version notes.
  • Bump cloudflare/wrangler-action from v3 to v4 (Node 24) while also pinning it to a SHA.
  • Add .github/dependabot.yml to check github-actions updates monthly.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/workflows/release.yml Replaces tag-based action refs with SHA pins across release/test/publish jobs.
.github/workflows/docs.yml Pins actions to SHAs and updates wrangler-action to v4 (Node 24).
.github/workflows/codeql.yml Pins CodeQL and checkout actions to SHAs to address unpinned-action findings.
.github/workflows/ci.yml Pins checkout and setup-uv actions to SHAs for CI runs.
.github/dependabot.yml Adds monthly Dependabot updates for the github-actions ecosystem.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@chris-colinsky chris-colinsky merged commit 9aacc34 into main May 13, 2026
10 checks passed
@chris-colinsky chris-colinsky deleted the chore/pin-action-shas branch May 13, 2026 02:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants