chore: pin GitHub Actions to SHAs, add dependabot#38
Merged
Conversation
Tag refs are mutable; SHA pins are not. CodeQL flagged "unpinned 3rd-party action" findings 21 + 22 against the docs.yml workflow on PR #32; the same warning applied to every workflow but hadn't been triaged. Pin all sixteen action references across the four workflows to commit SHAs with the resolved version recorded as an inline comment. Action versions captured: - actions/checkout → v6.0.2 - astral-sh/setup-uv → v8.1.0 - cloudflare/wrangler-action → v4.0.0 (bumped from v3) - github/codeql-action → v3.35.4 - actions/upload-artifact → v7.0.1 - actions/download-artifact → v8.0.1 - pypa/gh-action-pypi-publish → release/v1 branch tip - softprops/action-gh-release → v2.6.2 The wrangler-action bump from v3 to v4 is the deliberate move: v4 uses node24, resolving the Node.js 20 deprecation warning that's been firing on every Docs workflow run. v4's only major change is bumping the bundled Wrangler CLI default from v3 to v4, which is transparent to our `pages deploy` invocation. The maintenance pair is .github/dependabot.yml — Dependabot watches the github-actions ecosystem and surfaces version bumps as PRs each month, so SHA-pinning's "no auto-updates" downside gets handled automatically. Monthly cadence keeps PR volume bounded; action releases cluster around new runner features and platform updates, so a month is long enough for batching without missing real security advisories. After merge, the open CodeQL findings 21 + 22 on PR #32 should be auto-dismissed once the next CodeQL scan re-runs against the pinned workflows.
There was a problem hiding this comment.
Pull request overview
This PR improves GitHub Actions supply-chain security and maintenance by pinning all third-party Actions to immutable commit SHAs and adding a Dependabot configuration to keep those pins up to date over time.
Changes:
- Pin all
uses:references in CI/Docs/Release/CodeQL workflows to specific commit SHAs with inline version notes. - Bump
cloudflare/wrangler-actionfrom v3 to v4 (Node 24) while also pinning it to a SHA. - Add
.github/dependabot.ymlto checkgithub-actionsupdates monthly.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/release.yml | Replaces tag-based action refs with SHA pins across release/test/publish jobs. |
| .github/workflows/docs.yml | Pins actions to SHAs and updates wrangler-action to v4 (Node 24). |
| .github/workflows/codeql.yml | Pins CodeQL and checkout actions to SHAs to address unpinned-action findings. |
| .github/workflows/ci.yml | Pins checkout and setup-uv actions to SHAs for CI runs. |
| .github/dependabot.yml | Adds monthly Dependabot updates for the github-actions ecosystem. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two related security/maintenance moves bundled into one PR per the chore-and-dependabot plan in `openarmature-coord/docs/future-work.md`:
Pin all third-party actions to commit SHAs
Tag refs are mutable; SHAs are not. CodeQL flagged "unpinned 3rd-party action" findings 21 + 22 against `docs.yml` on PR #32; the same warning applied to every workflow but hadn't been triaged.
All sixteen action references across the four workflows now use commit SHAs with the resolved version recorded as an inline comment, e.g.:
```yaml
uses: actions/checkout@de0fac2 # v6.0.2
```
Action versions captured:
wrangler-action v3 → v4 bump (Node 24)
The wrangler-action bump is the deliberate move: v4 uses `node24`, resolving the Node.js 20 deprecation warning that's been firing on every Docs workflow run since shortly after the docs launch. v4's only major change is bumping the bundled Wrangler CLI default from v3 to v4, which is transparent to the `pages deploy site --project-name=openarmature-python-docs` invocation.
This closes the `chore/wrangler-action-node24` follow-up tracked separately in `future-work.md` — folded into this PR per that entry's "probably folds into chore/pin-action-shas" note.
Dependabot config
New `.github/dependabot.yml` watches the `github-actions` ecosystem and surfaces version bumps as PRs monthly. SHA-pinning's "no auto-updates" downside gets handled automatically: each Dependabot PR brings an updated SHA + updated version comment, ready to review-and-merge.
Monthly cadence keeps PR volume bounded; action releases cluster around new GitHub Actions runner features and platform updates, so a month is long enough for batching without missing real security advisories.
Test plan