Enable immutable releases for supply chain security (#256) (#258)

MishaKav · claude · web-flow · commit 6b219eafc709 · 2026-03-13T22:04:03.000+02:00
* Enable immutable releases for supply chain security (#256) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Harden update-main-version workflow inputs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml
@@ -0,0 +1,16 @@
+name: Publish Immutable Action Version
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/publish-immutable-action@v0.0.4
diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml
@@ -0,0 +1,35 @@
+name: Update Main Version
+run-name: Move ${{ inputs.major_version }} to ${{ inputs.target }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: The tag or reference to use
+        required: true
+      major_version:
+        type: choice
+        description: The major version to update
+        options:
+          - v1
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Tag new target
+        env:
+          MAJOR_VERSION: ${{ inputs.major_version }}
+          TARGET: ${{ inputs.target }}
+        run: git tag -f "$MAJOR_VERSION" "$TARGET"
+
+      - name: Push new tag
+        env:
+          MAJOR_VERSION: ${{ inputs.major_version }}
+        run: git push origin "$MAJOR_VERSION" --force
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog of the Pytest Coverage Comment
 
+## [Pytest Coverage Comment 1.7.0](https://github.com/MishaKav/pytest-coverage-comment/tree/v1.7.0)
+
+**Release Date:** 2026-03-13
+
+#### Changes
+
+- enable immutable releases for supply chain security (#256)
+- bump `flatted` from 3.3.3 to 3.4.1 to fix security vulnerability
+
+**Note:** No changes to action inputs, outputs, or behavior. This improves release security following [GitHub's immutable releases](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases) feature.
+
 ## [Pytest Coverage Comment 1.6.0](https://github.com/MishaKav/pytest-coverage-comment/tree/v1.6.0)
 
 **Release Date:** 2026-03-06
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pytest-coverage-comment",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "Comments a pull request with the pytest code coverage badge, full report and tests summary",
   "author": "Misha Kav",
   "license": "MIT",
@@ -29,7 +29,6 @@
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "bump-version": "npm version patch",
-    "update-v1-tag": "git tag v1 -f && git push origin v1 -f",
     "all": "npm run typecheck && npm run lint && npm run format && npm run test && npm run build"
   },
   "dependencies": {
