pinning actions, adding dependabot #14

Merged
Ryiguchi merged 1 commit into main from pin-actions-to-sha, Jun 23, 2026
Conversation

@Ryiguchi

No description provided.

Copilot AI review requested due to automatic review settings June 22, 2026 15:22

Copilot AI left a comment

Pull request overview

This PR improves supply-chain security and maintenance of this repository’s GitHub Actions automation by pinning third-party actions to immutable commit SHAs and introducing Dependabot automation for GitHub Actions updates.

Changes:

  • Pinned GitHub Actions used across workflows and composite actions to specific commit SHAs (with version comments).
  • Standardized action references in test, publish, validation, and deployment automation.
  • Added a .github/dependabot.yml configuration to enable weekly GitHub Actions update PRs (grouped for minor/patch updates).

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| workflows/test-in-parallel.yml | Pins all referenced actions (checkout, setup-node, bun/pnpm setup, 1Password, notifications) to SHAs. |
| workflows/expo-publish-pr.yml | Pins checkout, bun setup, caching, expo actions, and discord notification action to SHAs. |
| actions/healthcheck/action.yml | Pins health check and discord notification actions to SHAs. |
| actions/docker-build/action.yml | Pins Docker login/buildx/build-push actions to SHAs. |
| actions/caprover-setup/action.yml | Pins bun setup and discord notification actions to SHAs. |
| actions/caprover-deploy/action.yml | Pins bun setup action to an SHA. |
| .github/workflows/validate-yaml.yml | Pins checkout action to an SHA for YAML/action linting workflow. |
| .github/workflows/validate-plugins.yml | Pins checkout and bun setup actions to SHAs for plugin validation workflow. |
| .github/dependabot.yml | Adds Dependabot configuration to keep GitHub Actions dependencies updated. |

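An added example, not part of this pull request or the repository's code: a small Python audit that flags `uses:` references not pinned to a full 40-character commit SHA, and pinned references missing the version comment the review above describes. The workflow text, the `example-org` action names and the SHAs are constructed placeholders.

```python
import re

# A `uses:` reference (step or reusable workflow) with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

def classify(ref, comment):
    """Return 'local', 'pinned', 'pinned-no-comment' or 'mutable' for one reference."""
    if ref.startswith("./"):
        return "local"  # action inside the same repository, versioned with it
    if ref.startswith("docker://"):
        # Container references are immutable only when addressed by digest.
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.partition("@")
    if sep and SHA_RE.match(version):
        # A full SHA is immutable; the comment records which release it corresponds to.
        return "pinned" if comment else "pinned-no-comment"
    return "mutable"  # tag, branch, abbreviated SHA, or no ref at all

def audit(text):
    """Return (line number, reference, status) for every reference needing attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        status = classify(ref, comment)
        if status in ("mutable", "pinned-no-comment"):
            findings.append((lineno, ref, status))
    return findings

# Constructed sample workflow; SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: example-org/notify@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./actions/healthcheck
      - name: build
        uses: example-org/build@main
"""

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE):
        print(f"line {lineno}: {ref} -> {status}")
```
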

@Ryiguchi Ryiguchi requested a review from robertherber June 22, 2026 15:40
@Ryiguchi Ryiguchi merged commit d346d40 into main Jun 23, 2026
5 checks passed
@Ryiguchi Ryiguchi deleted the pin-actions-to-sha branch June 23, 2026 06:53

2 participants