build(deps): bump rojopolis/spellcheck-github-actions from 0.60.0 to 0.61.0#21160
Bumps [rojopolis/spellcheck-github-actions](https://github.com/rojopolis/spellcheck-github-actions) from 0.60.0 to 0.61.0.
- [Release notes](https://github.com/rojopolis/spellcheck-github-actions/releases)
- [Changelog](https://github.com/rojopolis/spellcheck-github-actions/blob/master/CHANGELOG.md)
- [Commits](rojopolis/spellcheck-github-actions@0.60.0...0.61.0)

---
updated-dependencies:
- dependency-name: rojopolis/spellcheck-github-actions
  dependency-version: 0.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pull-request-checks.yaml:
- Line 39: The rojopolis/spellcheck-github-actions action is pinned to a version
tag (0.61.0) rather than a specific commit SHA. If your project decides to
implement commit SHA pinning for enhanced security, understand that this change
affects all GitHub actions across the entire repository (such as
actions/checkout and pnpm/action-setup), so it should be coordinated as a
repository-wide update using automation tools like Dependabot or ratchet rather
than addressing individual actions in separate PRs. For this PR, following the
established repository pattern of version tag pinning is acceptable; no change
is required unless implementing a full repository-wide SHA pinning strategy.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 80dcb5ed-ae10-4af8-9cb1-70ed7a41e84e
📒 Files selected for processing (1)
.github/workflows/pull-request-checks.yaml
| echo "files=${files}" >> $GITHUB_ENV | ||
| - uses: rojopolis/spellcheck-github-actions@0.60.0 | ||
| - uses: rojopolis/spellcheck-github-actions@0.61.0 |
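Review bot: The replacement line still references a mutable tag, `rojopolis/spellcheck-github-actions@0.61.0`, which is exactly what the zizmor unpinned-uses finding reported against line 39 of this file is about; if the repository adopts SHA pinning, the form to use is `uses: rojopolis/spellcheck-github-actions@<full 40-character commit SHA> # 0.61.0`, keeping the tag as a trailing comment so Dependabot can still recognise and bump the version, and it should be applied to every action in the workflow in one change rather than to this step alone. A minor point on the unchanged context line, `echo "files=${files}" >> $GITHUB_ENV`: `$GITHUB_ENV` is unquoted, so `"$GITHUB_ENV"` would be the safer spelling should the runner ever place that file on a path containing spaces.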
🧹 Nitpick | 🔵 Trivial
🧩 Analysis chain
🌐 Web query:
GitHub Actions best practices pin commit hash vs version tag security
💡 Result:
The security best practice for GitHub Actions is to pin every third-party action to a full-length commit SHA (a 40-character hash) rather than a version tag or branch name [1][2][3].

Why Pinning by SHA is Required

Version tags (e.g., v1, v4.2.1) and branch references (e.g., main) are mutable pointers in Git [4][5][6]. A repository maintainer—or a malicious actor who gains unauthorized access to the action's repository—can move a tag to point to a different, potentially malicious commit at any time [1][2][5]. Because GitHub Actions resolves these references at runtime, your workflows will automatically execute the new code without any changes to your own YAML files [4][5][6]. This vulnerability has been exploited in multiple real-world supply chain attacks where attackers retargeted tags to inject malware into downstream workflows [5][6]. Using a full-length commit SHA creates an immutable reference [1][7][8]. Once pinned, your workflow will always execute the exact code you audited, regardless of changes made to the upstream repository's tags or branches [4][9][7].

Recommended Workflow Implementation

To maintain readability and simplify updates while enforcing security, use the following pattern [4][8][3]:

    - uses: actions/checkout@b4ffde6 # v4.1.1

By appending the original version tag as a comment, you preserve human-readable information that automated tools (such as Dependabot or Renovate) can use to identify which version the SHA corresponds to and suggest updates [4][10][3].

Scaling and Enforcement

- Automation: Do not manage pins manually. Use tools like pinact, ratchet, or Renovate's preset (helpers:pinGitHubActionDigestsToSemver) to automatically convert and update your action references [4][2][10][6].
- Policy Enforcement: GitHub allows administrators to enforce full commit SHA pinning at both the organization and repository levels [1][7][2]. When this policy is enabled, any workflow using a tag or branch reference will fail, ensuring that all dependencies in the organization meet the security standard [7][2].
- Hidden Dependencies: Note that pinning the top-level action does not guarantee that the code itself is immutable if the action internally executes other unpinned sub-actions, external scripts, or pulls dynamic dependencies (e.g., Docker images tagged as latest) [2]. Audit third-party actions for these behaviors where possible [2][3].

Top Results: [1][4][2][5][3]
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://mikael.barbero.tech/blog/post/2026-03-24-stop-trusting-mutable-references/
- 3: https://secure-pipelines.com/ci-cd-security/github-actions-security-cheat-sheet/
- 4: https://safeguard.sh/resources/blog/github-actions-pinning-sha-vs-tag
- 5: https://safeguard.sh/resources/blog/github-action-tag-redirect-imposter-commit-may-2026
- 6: https://nefariousplan.com/posts/tj-actions-mutable-tags-were-always-a-lie
- 7: https://www.romainlespinasse.dev/posts/github-actions-commit-sha-pinning/
- 8: https://nearform.com/insights/why-you-should-pin-your-github-actions-by-commit-hash/
- 9: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 10: https://emmer.dev/blog/pin-your-github-actions-to-protect-against-mutability/
🌐 Web query:
rojopolis/spellcheck-github-actions v0.61.0 release commit hash
💡 Result:
As of June 15, 2026, version 0.61.0 of the rojopolis/spellcheck-github-actions repository has not been released [1]. The most recent version documented in the repository's official changelog and release history is version 0.60.0, which was released on March 14, 2026 [2][1]. Consequently, no commit hash exists for a v0.61.0 release [1].
Citations:
- 1: https://github.com/rojopolis/spellcheck-github-actions/blob/master/CHANGELOG.md
- 2: https://github.com/rojopolis/spellcheck-github-actions
🏁 Script executed:
# Check if there are any GitHub Actions security policies in the repository
find .github -name "*.yaml" -o -name "*.yml" | head -20
Repository: PipedreamHQ/pipedream
Length of output: 753
🏁 Script executed:
# Look for any documentation or guidelines about action pinning in the repo
find . -maxdepth 2 -name "CONTRIBUTING.md" -o -name "README.md" -o -name "SECURITY.md" | xargs grep -l "action\|pin\|hash" 2>/dev/null || echo "No matching docs found"
Repository: PipedreamHQ/pipedream
Length of output: 146
🏁 Script executed:
# Check the actual content of the pull-request-checks.yaml file around line 39
cat -n .github/workflows/pull-request-checks.yaml | sed -n '35,45p'
Repository: PipedreamHQ/pipedream
Length of output: 399
🏁 Script executed:
# Check git history to see what version was actually in the file before
git log --oneline -n 20 -- .github/workflows/pull-request-checks.yaml || echo "Git history not available"
Repository: PipedreamHQ/pipedream
Length of output: 129
🏁 Script executed:
# Check if there are any other references to v0.61.0 in the codebase
rg "0\.61\.0" .github/
Repository: PipedreamHQ/pipedream
Length of output: 163
🏁 Script executed:
# Look at the git diff to see what version was being changed from
git show --stat -- .github/workflows/pull-request-checks.yaml | head -50 || echo "Cannot show git diff"
Repository: PipedreamHQ/pipedream
Length of output: 1104
🏁 Script executed:
# Check if the repository has any GitHub Actions or security policies
find . -name ".github" -type d -exec ls -la {} \; 2>/dev/null | head -20
Repository: PipedreamHQ/pipedream
Length of output: 758
🏁 Script executed:
# Check dependabot configuration for action pinning settings
cat .github/dependabot.yml | grep -A 20 "version-update-strategy\|pinning\|allow" || echo "No pinning config found"
Repository: PipedreamHQ/pipedream
Length of output: 89
🏁 Script executed:
# Verify if there are organization-level action security policies documented
grep -r "pin.*action\|action.*pin\|commit.*sha\|SHA" .github/ --include="*.md" --include="*.yaml" --include="*.yml" 2>/dev/null | head -10 || echo "No action pinning policy docs found"
Repository: PipedreamHQ/pipedream
Length of output: 954
🏁 Script executed:
# Check if the repository has any other actions using commit SHA pinning
grep -r "uses:.*@[a-f0-9]\{40\}" .github/workflows/ --include="*.yaml" --include="*.yml" || echo "No SHA-pinned actions found"
Repository: PipedreamHQ/pipedream
Length of output: 93
🏁 Script executed:
# Check the current pattern used in workflows
grep "uses:" .github/workflows/*.yaml | head -20
Repository: PipedreamHQ/pipedream
Length of output: 1661
Consider pinning this action to a commit SHA for enhanced security, though this would require a repository-wide update.
GitHub security best practices recommend pinning actions to a specific commit SHA rather than version tags, as version tags are mutable and could be re-tagged by maintainers or attackers. However, this repository currently uses version tags consistently across all workflows (see actions/checkout@v6, pnpm/action-setup@v5.0.0, etc.), and no commit SHA pinning is currently in place.
This PR follows the established pattern. If your project wants to adopt SHA pinning, it should be done as a coordinated repository-wide change using automation (such as Dependabot with a pinning strategy or tools like ratchet), rather than on a per-action basis.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pull-request-checks.yaml at line 39, The
rojopolis/spellcheck-github-actions action is pinned to a version tag (0.61.0)
rather than a specific commit SHA. If your project decides to implement commit
SHA pinning for enhanced security, understand that this change affects all
GitHub actions across the entire repository (such as actions/checkout and
pnpm/action-setup), so it should be coordinated as a repository-wide update
using automation tools like Dependabot or ratchet rather than addressing
individual actions in separate PRs. For this PR, following the established
repository pattern of version tag pinning is acceptable; no change is required
unless implementing a full repository-wide SHA pinning strategy.
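The tag-versus-SHA distinction that the web query result and the review comment above describe, as an added example that is not part of this PR, of CodeRabbit, zizmor or the project's tooling: a small checker that classifies every `uses:` reference in a workflow the way an unpinned-uses check would, treating only a full 40-character SHA as pinned and flagging abbreviated SHAs as well as tags and branches, and that prints the recommended SHA-plus-comment form with a placeholder SHA. The workflow text is constructed for the example (modelled on the hunk in this PR); the `setup-node` SHA and the `some-org/some-action` reference are made up, and it does not cover `docker://` image references, which need digest pinning instead.

```python
import re

# Constructed sample workflow (not the repository's file), modelled on the
# pull-request-checks.yaml hunk in this PR; the setup-node SHA is made up.
SAMPLE_WORKFLOW = """\
jobs:
  spellcheck:
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v5.0.0
      - uses: rojopolis/spellcheck-github-actions@0.61.0
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: some-org/some-action@b4ffde6 # abbreviated SHA, not full length
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref):
    """Classify a `uses:` reference as 'local', 'sha', 'short-sha' or 'mutable'."""
    if ref.startswith("./"):
        return ref, None, "local"  # repo-local action: versioned with the calling commit
    action, _, version = ref.partition("@")
    if FULL_SHA_RE.match(version):
        return action, version, "sha"  # immutable: the only reference git cannot move
    if SHORT_SHA_RE.match(version):
        return action, version, "short-sha"  # not full length; GitHub asks for 40 chars
    return action, version, "mutable"  # tag or branch: can be retargeted upstream


def find_unpinned(workflow_text):
    """Return (line_no, action, version, kind) for each step not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, version, kind = classify_ref(m.group(1))
            if kind in ("mutable", "short-sha"):
                findings.append((n, action, version, kind))
    return findings


def suggest_pin(action, version):
    """Recommended form: full SHA, with the tag kept as a comment for Dependabot/Renovate."""
    return f"uses: {action}@<FULL_40_CHAR_SHA_OF_{version}> # {version}"
```

Running `find_unpinned(SAMPLE_WORKFLOW)` reports the three tag-pinned steps and the abbreviated SHA, and leaves the full-SHA and repo-local steps alone; feeding it each file under `.github/workflows/` gives the repository-wide view the comment above says a pinning migration needs.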
Bumps rojopolis/spellcheck-github-actions from 0.60.0 to 0.61.0.
Release notes
Sourced from rojopolis/spellcheck-github-actions's releases.
Changelog
Sourced from rojopolis/spellcheck-github-actions's changelog.
... (truncated)
Commits
- ca94733 Merge pull request #353 from rojopolis/release_0.61.0
- fcd939d Potential fix for pull request finding
- d472ce6 Potential fix for pull request finding
- 484a1f2 Preparing release for 0.61.0 and working on using claude for release preparation
- 5af1527 Merge pull request #351 from rojopolis/dependabot/github_actions/docker/setup...
- 96a2036 Merge pull request #352 from rojopolis/dependabot/github_actions/actions/chec...
- 8f52249 Bump actions/checkout from 6.0.2 to 6.0.3
- 5cff951 Bump docker/setup-qemu-action from 4.0.0 to 4.1.0
- 81db2e8 Merge pull request #350 from rojopolis/dependabot/github_actions/docker/login...
- bc10c5e Merge pull request #347 from rojopolis/dependabot/github_actions/docker/build...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)