From 3768f9cb52ad81855c5c6822b8f8fa12b14d1e2b Mon Sep 17 00:00:00 2001 From: Micha Reiser Date: Mon, 17 Mar 2025 08:44:59 +0100 Subject: [PATCH] Instruct Renovate to pin GitHub Actions based on SHA (#16789) ## Summary The intent here is that all actions should be pinned to an immutable SHA (but that Renovate should annotate each SHA with the corresponding SemVer version). See https://github.com/astral-sh/uv/pull/12189 ## Test plan ``` npx --yes --package renovate -- renovate-config-validator npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm warn deprecated rimraf@2.4.5: Rimraf versions prior to v4 are no longer supported npm warn deprecated boolean@3.2.0: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. npm warn deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported INFO: Validating .github/renovate.json5 INFO: Config validated successfully ``` --- .github/renovate.json5 | 11 +++++++++++ .github/workflows/ci.yaml | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 1d5cb545b8..eb15fa0792 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -40,6 +40,17 @@ enabled: true, }, packageRules: [ + // Pin GitHub Actions to immutable SHAs. + { + matchDepTypes: ["action"], + pinDigests: true, + }, + // Annotate GitHub Actions SHAs with a SemVer version. + { + extends: ["helpers:pinGitHubActionDigests"], + extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$", + versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$", + }, { // Group upload/download artifact updates, the versions are dependent groupName: "Artifact GitHub Actions dependencies", diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1eb8a5ec70..a3abb70acf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,10 +1,10 @@ name: CI -permissions: { } +permissions: {} on: push: - branches: [ main ] + branches: [main] pull_request: workflow_dispatch: