Conversation

@joeparsons (Member)

Description

  • Pins all third-party GitHub actions in workflows to specific revision hashes with a human-readable version comment that should be compatible with dependabot.
    • This will make using pinned versions of third-party actions more manageable and improve the developer UX for reviewing dependabot PRs that update these.
  • Enables dependabot updates for github-actions with the cooldown option enabled to require new versions to be at least 5 days old before dependabot will create a PR to update them (to further enhance supply chain security).

This PR should also be backported to the 1.x branch.

Related issues

Closes #133
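As an added example that is not part of this PR or the project's own code: a small Python lint that checks workflow text against the pinning rule the description sets out (a full commit SHA plus a version comment for every third-party action) and reads the cooldown value out of a dependabot.yml so CI can assert the 5-day minimum. The workflow and dependabot fragments are constructed; the two 40-hex strings are placeholders rather than real commit hashes of those actions, and the `cooldown` / `default-days` key names are assumed from GitHub's documentation of the option rather than taken from this PR.

```python
"""Added example, not code from this PR or the project: a lint for the pin
policy the PR describes.  It scans workflow text for `uses:` lines and reports
third-party actions that are not pinned to a full 40-hex commit SHA or that
lack the trailing "# vX.Y.Z" comment dependabot uses to keep the pin readable
and updatable.  It also extracts the cooldown setting from a dependabot.yml.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one `uses:` line; the optional trailing comment is the version hint.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(?:#\s*(?P<comment>.*))?$"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")
COOLDOWN_RE = re.compile(r"^\s*default-days:\s*(\d+)\s*$", re.MULTILINE)


@dataclass
class Finding:
    line: int
    ref: str
    problem: str


def check_workflow(text: str, first_party_owners: tuple = ()) -> List[Finding]:
    """Return one Finding per third-party action that violates the pin policy."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        # Local actions and docker images are not git refs; out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref given"))
            continue
        name, version = ref.rsplit("@", 1)
        if name.split("/", 1)[0] in first_party_owners:
            continue  # actions owned by this org are reviewed elsewhere
        if not SHA_RE.match(version):
            findings.append(Finding(lineno, ref, "not pinned to a full commit SHA"))
        elif not VERSION_RE.match(comment):
            findings.append(Finding(lineno, ref, "SHA pin lacks a version comment"))
    return findings


def cooldown_days(config_text: str) -> Optional[int]:
    """Return dependabot's default cooldown in days, or None if not configured."""
    m = COOLDOWN_RE.search(config_text)
    return int(m.group(1)) if m else None


# Constructed workflow fragment.  The two 40-hex strings are placeholders, not
# real commit hashes of these actions.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: docker/login-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-helper
"""

# Constructed .github/dependabot.yml in the shape the PR enables.  The
# `cooldown` / `default-days` key names are an assumption taken from GitHub's
# documentation of the option, not from this PR; verify against current docs.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 5
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.problem}")
    days = cooldown_days(SAMPLE_DEPENDABOT)
    print("cooldown ok" if days is not None and days >= 5 else "cooldown missing or too short")
```

Run as a CI step or pre-commit hook, a non-empty findings list fails the build, which is what keeps the pinning this PR introduces from eroding as new steps are added. Note what the check cannot tell you: the version comment is a hint for reviewers, not proof that the SHA is the commit the named release tag points at; that correspondence is what dependabot's own updates (and a reviewer glancing at the upstream tag) establish.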

…hashes, enable dependabot updates for github-actions.
@joeparsons joeparsons self-assigned this Nov 4, 2025
@joeparsons joeparsons added the enhancement New feature or request label Nov 4, 2025
@joeparsons joeparsons added dependencies Pull requests that update a dependency file ci Continuous integration / automation labels Nov 4, 2025
@joeparsons joeparsons requested a review from a team November 4, 2025 17:48
@joeparsons joeparsons added the backport Changes to be back-ported to previous development or release branch(es) label Nov 4, 2025
@joeparsons joeparsons marked this pull request as ready for review November 4, 2025 17:51
@mmunro-ltrr (Member)

Should some of the versions be bumped to the latest ones? It looks like other repositories had more recent versions of some Actions.

@joeparsons (Member, Author) commented Jan 14, 2026

Should some of the versions be bumped to the latest ones? It looks like other repositories had more recent versions of some Actions.

I considered doing that but was thinking we can just use the PRs dependabot will create to update them after this is merged.


Linked issue: Pin third-party actions to specific releases in GitHub Actions workflows