Skip to content

Pin GitHub Actions to SHAs and standardize the Dependabot config#511

Merged
externl merged 2 commits into
icerpc:mainfrom
externl:dependabot-harden
Jun 29, 2026
Merged

Pin GitHub Actions to SHAs and standardize the Dependabot config#511
externl merged 2 commits into
icerpc:mainfrom
externl:dependabot-harden

Conversation

@externl

@externl externl commented Jun 29, 2026

Copy link
Copy Markdown
Member

Pins every third-party GitHub Action to a full commit SHA (with the version in a trailing comment) and brings the Dependabot config in line with the setup now used across the other repos.

  • Pins all actions across the four workflows.
  • Switches npm, github-actions, and docker to a monthly schedule and drops open-pull-requests-limit.
  • Flattens npm's semver-tiered cooldown to a flat 7-day cooldown and replaces the production/development split with a single catch-all group.
  • Adds a catch-all group to the docker block — it had none, so image updates were arriving one PR each.

Copilot AI review requested due to automatic review settings June 29, 2026 15:10

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request hardens the repository’s automation by pinning all GitHub Actions to immutable commit SHAs and standardizing the Dependabot configuration to reduce PR noise and align schedules/groups with other repositories.

Changes:

  • Pinned all workflow uses: references to full commit SHAs (with the intended version retained as a trailing comment).
  • Standardized Dependabot update cadence to monthly for npm, GitHub Actions, and Docker with a flat 7-day cooldown.
  • Simplified Dependabot grouping (single catch-all group per ecosystem, including Docker) to consolidate update PRs.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/workflows/spellcheck.yaml Pins checkout and cspell-action to full SHAs for deterministic CI.
.github/workflows/node.js.yml Pins checkout and setup-node to full SHAs for deterministic Node CI.
.github/workflows/lint.yml Pins checkout and actions-markdownlint to full SHAs for deterministic linting.
.github/workflows/ci.yml Pins Docker-related actions, deploy action, and cleanup action to full SHAs across CI jobs.
.github/dependabot.yml Aligns schedules/cooldowns and adds catch-all grouping per ecosystem to reduce PR volume.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@externl externl merged commit ebbd5d4 into icerpc:main Jun 29, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants