
chore: pin third-party GitHub Actions to SHAs + enable Dependabot #4444

Open
mahangu wants to merge 2 commits into trunk from chore/pin-and-enable-dependabot

Conversation

@mahangu

@mahangu mahangu commented May 31, 2026


Two-in-one hardening:

  1. Pin third-party GitHub Actions in this repo to commit SHAs (tag preserved as trailing comment).
  2. Add Dependabot github-actions config (weekly, grouped into actions-minor-patch and actions-major, with cooldown).

Tracking: DEVPROD-1072.

Hardens against supply-chain risk on mutable tags. Dependabot keeps
the pinned SHAs fresh weekly, with major bumps held under cooldown.

Tracking: DEVPROD-1072
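The pinning policy the PR describes (third-party actions must reference a 40-hex commit SHA with the release tag kept as a trailing comment; GitHub-owned `actions/*` and Automattic-owned refs are first-party and exempt) can be checked mechanically. The script below is an added example, not code from this PR or the repository: it scans workflow text for `uses:` lines and reports each third-party ref as pinned, unpinned, or pinned without the version comment Dependabot relies on. The sample workflow, the `example-org/*` actions and the `0123…4567` SHA are constructed for the demonstration; the `FIRST_PARTY_OWNERS` set is an assumption drawn from the author's description of scope.

```python
import re
import sys
from pathlib import Path

# Constructed sample workflow (not the repo's claude-review.yml). It mixes
# first-party refs, a correctly pinned third-party action (the ref from this PR),
# an unpinned third-party action, a SHA pin with no version comment, and a local action.
SAMPLE_WORKFLOW = """\
name: review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Automattic/shared-workflows/.github/workflows/run-danger.yml@v1
      - name: PR Review with Progress Tracking
        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
      - uses: example-org/example-action@v2
      - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

# Assumed first-party owners, per the PR author's stated scope (GitHub-owned
# actions/* and Automattic-owned reusable workflows are left on tags).
FIRST_PARTY_OWNERS = {"actions", "github", "Automattic"}

# A `uses:` line, optionally a list item, with an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")

def classify(ref, comment):
    """Return the pinning status of one `owner/repo[/path]@version` ref."""
    repo, _, version = ref.partition("@")
    owner = repo.split("/")[0]
    if owner in FIRST_PARTY_OWNERS:
        return "first-party"
    if not SHA_RE.match(version):
        return "unpinned"               # mutable tag or branch: supply-chain risk
    if not VERSION_COMMENT_RE.match(comment or ""):
        return "missing-version-comment"  # Dependabot cannot tell which release this is
    return "pinned"

def check_workflow(text):
    """Classify every remote `uses:` ref in a workflow; local and docker refs are skipped."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        results.append({"line": lineno, "ref": ref, "status": classify(ref, m.group("comment"))})
    return results

def violations(text):
    """Only the findings a reviewer would block on."""
    return [r for r in check_workflow(text) if r["status"] in ("unpinned", "missing-version-comment")]

def main(argv):
    # With no arguments, run against the constructed sample; otherwise scan real files.
    paths = [Path(p) for p in argv[1:]] or []
    texts = {str(p): p.read_text() for p in paths} if paths else {"<sample>": SAMPLE_WORKFLOW}
    exit_code = 0
    for name, text in texts.items():
        for r in check_workflow(text):
            print(f"{name}:{r['line']}: {r['status']:24} {r['ref']}")
            if r["status"] in ("unpinned", "missing-version-comment"):
                exit_code = 1
    return exit_code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pins.py .github/workflows/*.yml` in CI to fail the build on any third-party ref that drifts back to a tag; the version comment check matters because Dependabot's github-actions updater rewrites both the SHA and that comment together, and a bare SHA gives reviewers nothing to compare against the release tag.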
Copilot AI review requested due to automatic review settings May 31, 2026 10:26
@mahangu mahangu requested a review from a team as a code owner May 31, 2026 10:26
@mahangu mahangu requested review from kean and removed request for a team May 31, 2026 10:26
@CLAassistant

CLAassistant commented May 31, 2026


CLA assistant check
All committers have signed the CLA.

@dangermattic

dangermattic commented May 31, 2026

Collaborator
1 Warning
⚠️ PR is not assigned to a milestone.

Generated by 🚫 Danger

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens the repository’s GitHub Actions supply chain by pinning a third-party action to an immutable commit SHA and adding a Dependabot configuration to keep GitHub Actions dependencies up to date.

Changes:

  • Pin anthropics/claude-code-action to a specific commit SHA (with the original version retained as a comment).
  • Add .github/dependabot.yml to enable weekly, grouped github-actions updates with separate major vs minor/patch groupings.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                                 Description
.github/workflows/claude-review.yml  Pins the Claude review action to a commit SHA to reduce the risk of tag drift/supply-chain tampering.
.github/dependabot.yml               Enables Dependabot updates for GitHub Actions with grouping to reduce PR noise.


- name: PR Review with Progress Tracking
uses: anthropics/claude-code-action@v1
uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
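Review bot: before merge, confirm that `787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251` is the commit the `v1.0.133` tag actually resolves to, since the old line floated on the mutable `v1` tag and the new line pins one specific release; a SHA whose trailing comment names a different release pins silently to the wrong code. Keep the `# v1.0.133` comment in the exact form shown, because Dependabot's github-actions updater reads that comment to know which release the SHA corresponds to and rewrites both together on each bump.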

Author


Thanks for checking this. Those refs are intentionally outside this PR’s pinning scope: this campaign pins third-party actions, while GitHub-owned actions/* refs and Automattic-owned reusable workflows such as the run-danger.yml ...@v1 ref are treated as first-party. This PR pins the third-party action ref and adds Dependabot coverage for GitHub Actions, so I’m leaving those first-party refs unchanged.

@mahangu mahangu force-pushed the chore/pin-and-enable-dependabot branch from e74fb75 to f1df9d7 June 9, 2026 13:18
@mahangu mahangu added the [Type] Tooling Issues related to tooling: build tools, ruby, scripts, etc. label Jun 10, 2026
Comment thread .github/workflows/claude-review.yml
@kean kean self-requested a review June 19, 2026 00:26

Labels

[Type] Tooling Issues related to tooling: build tools, ruby, scripts, etc.


6 participants