build(deps): bump rojopolis/spellcheck-github-actions from 0.60.0 to 0.61.0#21160

Merged
ashwins01 merged 3 commits into
masterfrom
dependabot/github_actions/rojopolis/spellcheck-github-actions-0.61.0
Jun 30, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Bumps rojopolis/spellcheck-github-actions from 0.60.0 to 0.61.0.

Release notes

Sourced from rojopolis/spellcheck-github-actions's releases.

0.61.0

What's Changed

Full Changelog: rojopolis/spellcheck-github-actions@0.60.0...0.61.0

Changelog

Sourced from rojopolis/spellcheck-github-actions's changelog.

0.61.0, 2026-06-14, minor feature release, update not required

  • Docker based image updated for Python 3.14.5 slim trixie via PR #344 from Dependabot.

0.60, 2026-03-14, minor feature release, update not required

  • Docker based image updated for Python 3.14.3 slim trixie via PR #325 from Dependabot.

  • Cleaned up the error messaging to address issue #328 from @akohout-hai; the error message is now more correct, but not improved in general

0.59.0, 2026-03-02, feature release, update recommended

  • Improvements have been added to the docker entrypoint, based on a PR from @akohout-hai which fixes an issue with handling of spaces in file names and directories, see PR #322 for details. This is his first contribution to the project and I want to thank him for his contribution, which is highly appreciated.

  • Docker based image updated to Python 3.14.3 slim trixie via PR #320 from Dependabot.

0.58.0, 2026-01-20, security release, update not required

0.57.0, 2026-01-14, maintenance release, update not required

  • Docker based image updated to Python 3.14.2 slim trixie via PR #310 from Dependabot. The version is the same, the image has had updates.

0.56.0, 2025-12-27, feature and maintenance release, update not required

0.55.0, 2025-11-27, maintenance release, update not required

  • Via an issue #293 from @shoverbj, an update to the core component PySpelling from version 2.12.0 to version 2.12.1 was made; this allows for use of large dictionaries with Aspell

0.54.0, 2025-11-05, feature release, update not required

0.53.0, 2025-10-25, maintenance release, update not required

  • Docker image updated to Python 3.14.0 trixie slim (Release notes for Python 3.14.0); this originated from the PR mentioned below, however updated to Trixie from Bookworm, and as always the slim variant is used

  • Bumped the requirement for cython to 3.0.11 or above, addressing a build issue with lxml, located when testing PR #274 from @dependabot, the above update of Python

  • In general the Docker build file had a few updates since the above changes required some tweaking of the Dockerfile

    • Order of installation of dependencies adjusted to ensure that lxml can build correctly
    • Installation of:

... (truncated)

Commits
  • ca94733 Merge pull request #353 from rojopolis/release_0.61.0
  • fcd939d Potential fix for pull request finding
  • d472ce6 Potential fix for pull request finding
  • 484a1f2 Preparing release for 0.61.0 and working on using claude for release preparation
  • 5af1527 Merge pull request #351 from rojopolis/dependabot/github_actions/docker/setup...
  • 96a2036 Merge pull request #352 from rojopolis/dependabot/github_actions/actions/chec...
  • 8f52249 Bump actions/checkout from 6.0.2 to 6.0.3
  • 5cff951 Bump docker/setup-qemu-action from 4.0.0 to 4.1.0
  • 81db2e8 Merge pull request #350 from rojopolis/dependabot/github_actions/docker/login...
  • bc10c5e Merge pull request #347 from rojopolis/dependabot/github_actions/docker/build...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD tooling version to improve code quality checks.

Bumps [rojopolis/spellcheck-github-actions](https://github.com/rojopolis/spellcheck-github-actions) from 0.60.0 to 0.61.0.
- [Release notes](https://github.com/rojopolis/spellcheck-github-actions/releases)
- [Changelog](https://github.com/rojopolis/spellcheck-github-actions/blob/master/CHANGELOG.md)
- [Commits](rojopolis/spellcheck-github-actions@0.60.0...0.61.0)

---
updated-dependencies:
- dependency-name: rojopolis/spellcheck-github-actions
  dependency-version: 0.61.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jun 15, 2026
vercel Bot commented Jun 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project: pipedream-docs-redirect-do-not-edit | Deployment: Ignored | Actions: Ignored | Updated (UTC): Jun 30, 2026 2:04pm

coderabbitai Bot commented Jun 15, 2026

Review Change Stack

📝 Walkthrough

Walkthrough

The spellcheck GitHub Actions step in the pull request checks workflow is updated from rojopolis/spellcheck-github-actions@0.60.0 to @0.61.0. No other workflow logic, jobs, or steps are modified.

Changes

Spellcheck Action Version Bump

Layer: Spellcheck action version bump
File(s): .github/workflows/pull-request-checks.yaml
Summary: Action reference for the Markdown spellcheck step bumped from 0.60.0 to 0.61.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The PR description is comprehensive and covers the dependency update details, but does not follow the repository's required template structure with sections like Summary, Checklist, Versioning, etc.
Resolution: Fill out the template with a Summary section describing the change and complete the Checklist items (particularly noting that this is a workflow dependency update, not a versioned component).
✅ Passed checks (4 passed)
Title check: ✅ Passed. The title accurately describes the primary change: a dependency version bump of the spellcheck GitHub Action from 0.60.0 to 0.61.0.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pull-request-checks.yaml:
- Line 39: The rojopolis/spellcheck-github-actions action is pinned to a version
tag (0.61.0) rather than a specific commit SHA. If your project decides to
implement commit SHA pinning for enhanced security, understand that this change
affects all GitHub actions across the entire repository (such as
actions/checkout and pnpm/action-setup), so it should be coordinated as a
repository-wide update using automation tools like Dependabot or ratchet rather
than addressing individual actions in separate PRs. For this PR, following the
established repository pattern of version tag pinning is acceptable; no change
is required unless implementing a full repository-wide SHA pinning strategy.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 80dcb5ed-ae10-4af8-9cb1-70ed7a41e84e

📥 Commits

Reviewing files that changed from the base of the PR and between 9cd68ec and f85c141.

📒 Files selected for processing (1)
  • .github/workflows/pull-request-checks.yaml


echo "files=${files}" >> $GITHUB_ENV
- uses: rojopolis/spellcheck-github-actions@0.60.0
- uses: rojopolis/spellcheck-github-actions@0.61.0
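Review bot: the new reference `rojopolis/spellcheck-github-actions@0.61.0` still pins by a mutable version tag, so a retargeted tag upstream would change what this step executes without any edit to this file; the zizmor unpinned-uses finding on line 39 is this line. The durable form is the release's full 40-character commit SHA with the tag kept in a trailing comment so Dependabot can still track updates, e.g. `- uses: rojopolis/spellcheck-github-actions@<40-hex commit sha> # 0.61.0`. Since every other action in these workflows is tag-pinned (actions/checkout@v6, pnpm/action-setup@v5.0.0), that belongs in a coordinated repository-wide change rather than this PR.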

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🌐 Web query:

GitHub Actions best practices pin commit hash vs version tag security

💡 Result:

The security best practice for GitHub Actions is to pin every third-party action to a full-length commit SHA (a 40-character hash) rather than a version tag or branch name [1][2][3].

Why Pinning by SHA is Required

Version tags (e.g., v1, v4.2.1) and branch references (e.g., main) are mutable pointers in Git [4][5][6]. A repository maintainer—or a malicious actor who gains unauthorized access to the action's repository—can move a tag to point to a different, potentially malicious commit at any time [1][2][5]. Because GitHub Actions resolves these references at runtime, your workflows will automatically execute the new code without any changes to your own YAML files [4][5][6]. This vulnerability has been exploited in multiple real-world supply chain attacks where attackers retargeted tags to inject malware into downstream workflows [5][6].

Using a full-length commit SHA creates an immutable reference [1][7][8]. Once pinned, your workflow will always execute the exact code you audited, regardless of changes made to the upstream repository's tags or branches [4][9][7].

Recommended Workflow Implementation

To maintain readability and simplify updates while enforcing security, use the following pattern [4][8][3]:

  - uses: actions/checkout@b4ffde6 # v4.1.1

By appending the original version tag as a comment, you preserve human-readable information that automated tools (such as Dependabot or Renovate) can use to identify which version the SHA corresponds to and suggest updates [4][10][3].

Scaling and Enforcement

  • Automation: Do not manage pins manually. Use tools like pinact, ratchet, or Renovate's preset (helpers:pinGitHubActionDigestsToSemver) to automatically convert and update your action references [4][2][10][6].
  • Policy Enforcement: GitHub allows administrators to enforce full commit SHA pinning at both the organization and repository levels [1][7][2]. When this policy is enabled, any workflow using a tag or branch reference will fail, ensuring that all dependencies in the organization meet the security standard [7][2].
  • Hidden Dependencies: Note that pinning the top-level action does not guarantee that the code itself is immutable if the action internally executes other unpinned sub-actions, external scripts, or pulls dynamic dependencies (e.g., Docker images tagged as latest) [2]. Audit third-party actions for these behaviors where possible [2][3].

Top Results: [1][4][2][5][3]

🌐 Web query:

rojopolis/spellcheck-github-actions v0.61.0 release commit hash

💡 Result:

As of June 15, 2026, version 0.61.0 of the rojopolis/spellcheck-github-actions repository has not been released [1]. The most recent version documented in the repository's official changelog and release history is version 0.60.0, which was released on March 14, 2026 [2][1]. Consequently, no commit hash exists for a v0.61.0 release [1].

🏁 Script executed:

# Check if there are any GitHub Actions security policies in the repository
find .github -name "*.yaml" -o -name "*.yml" | head -20

Repository: PipedreamHQ/pipedream

Length of output: 753


🏁 Script executed:

# Look for any documentation or guidelines about action pinning in the repo
find . -maxdepth 2 -name "CONTRIBUTING.md" -o -name "README.md" -o -name "SECURITY.md" | xargs grep -l "action\|pin\|hash" 2>/dev/null || echo "No matching docs found"

Repository: PipedreamHQ/pipedream

Length of output: 146


🏁 Script executed:

# Check the actual content of the pull-request-checks.yaml file around line 39
cat -n .github/workflows/pull-request-checks.yaml | sed -n '35,45p'

Repository: PipedreamHQ/pipedream

Length of output: 399


🏁 Script executed:

# Check git history to see what version was actually in the file before
git log --oneline -n 20 -- .github/workflows/pull-request-checks.yaml || echo "Git history not available"

Repository: PipedreamHQ/pipedream

Length of output: 129


🏁 Script executed:

# Check if there are any other references to v0.61.0 in the codebase
rg "0\.61\.0" .github/

Repository: PipedreamHQ/pipedream

Length of output: 163


🏁 Script executed:

# Look at the git diff to see what version was being changed from
git show --stat -- .github/workflows/pull-request-checks.yaml | head -50 || echo "Cannot show git diff"

Repository: PipedreamHQ/pipedream

Length of output: 1104


🏁 Script executed:

# Check if the repository has any GitHub Actions or security policies
find . -name ".github" -type d -exec ls -la {} \; 2>/dev/null | head -20

Repository: PipedreamHQ/pipedream

Length of output: 758


🏁 Script executed:

# Check dependabot configuration for action pinning settings
cat .github/dependabot.yml | grep -A 20 "version-update-strategy\|pinning\|allow" || echo "No pinning config found"

Repository: PipedreamHQ/pipedream

Length of output: 89


🏁 Script executed:

# Verify if there are organization-level action security policies documented
grep -r "pin.*action\|action.*pin\|commit.*sha\|SHA" .github/ --include="*.md" --include="*.yaml" --include="*.yml" 2>/dev/null | head -10 || echo "No action pinning policy docs found"

Repository: PipedreamHQ/pipedream

Length of output: 954


🏁 Script executed:

# Check if the repository has any other actions using commit SHA pinning
grep -r "uses:.*@[a-f0-9]\{40\}" .github/workflows/ --include="*.yaml" --include="*.yml" || echo "No SHA-pinned actions found"

Repository: PipedreamHQ/pipedream

Length of output: 93


🏁 Script executed:

# Check the current pattern used in workflows
grep "uses:" .github/workflows/*.yaml | head -20

Repository: PipedreamHQ/pipedream

Length of output: 1661


Consider pinning this action to a commit SHA for enhanced security, though this would require a repository-wide update.

GitHub security best practices recommend pinning actions to a specific commit SHA rather than version tags, as version tags are mutable and could be re-tagged by maintainers or attackers. However, this repository currently uses version tags consistently across all workflows (see actions/checkout@v6, pnpm/action-setup@v5.0.0, etc.), and no commit SHA pinning is currently in place.

This PR follows the established pattern. If your project wants to adopt SHA pinning, it should be done as a coordinated repository-wide change using automation (such as Dependabot with a pinning strategy or tools like ratchet), rather than on a per-action basis.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pull-request-checks.yaml at line 39, The
rojopolis/spellcheck-github-actions action is pinned to a version tag (0.61.0)
rather than a specific commit SHA. If your project decides to implement commit
SHA pinning for enhanced security, understand that this change affects all
GitHub actions across the entire repository (such as actions/checkout and
pnpm/action-setup), so it should be coordinated as a repository-wide update
using automation tools like Dependabot or ratchet rather than addressing
individual actions in separate PRs. For this PR, following the established
repository pattern of version tag pinning is acceptable; no change is required
unless implementing a full repository-wide SHA pinning strategy.
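The check the zizmor finding and the comment above describe, as an added example that is not code from the PR, the repository, or either bot: a POSIX shell audit that lists every `uses:` reference in a workflow file and reports whether it is pinned to a full-length commit SHA, a mutable tag or branch, or a local/Docker reference. The sample workflow, the `audit_uses` and `count_unpinned` names, and the 40-hex SHA in the sample are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the PR, the repository or either bot): flag `uses:`
# references that are not pinned to a full-length (40 hex) commit SHA, the
# condition zizmor reports as unpinned-uses. Local paths (./...) and docker://
# images are not git refs and are reported separately.

# Prints one line per `uses:` reference: "<ref> PINNED|UNPINNED|LOCAL".
audit_uses() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
      | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
      | while read -r ref; do
            case "$ref" in
                ./*|docker://*) echo "$ref LOCAL" ;;
                *@*)
                    sha=${ref##*@}      # text after the last '@' is the git ref
                    if printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
                        echo "$ref PINNED"
                    else
                        echo "$ref UNPINNED"   # tag or branch: a mutable pointer
                    fi ;;
                *) echo "$ref UNPINNED" ;;     # no '@ref' at all: default branch
            esac
        done
}

# Number of mutable (tag/branch) references in the file.
count_unpinned() {
    audit_uses "$1" | grep -c ' UNPINNED$' || true
}

# Constructed sample workflow (not the repository's pull-request-checks.yaml):
# two tag-pinned steps like this PR's, one SHA-pinned step with the tag kept in
# a trailing comment so Dependabot can still track it, and one local action.
# The 40-hex value is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW=$(mktemp)
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  checks:
    steps:
      - uses: actions/checkout@v6
      - uses: rojopolis/spellcheck-github-actions@0.61.0
      - uses: example/action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-setup
EOF

audit_uses "$SAMPLE_WORKFLOW"
echo "unpinned: $(count_unpinned "$SAMPLE_WORKFLOW")"
```

Run it against `.github/workflows/*.yaml` in place of the sample file to get the repository-wide picture the comment says a pinning migration needs.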

@ashwins01 ashwins01 merged commit 9ca6e64 into master Jun 30, 2026
5 checks passed
@ashwins01 ashwins01 deleted the dependabot/github_actions/rojopolis/spellcheck-github-actions-0.61.0 branch June 30, 2026 14:05
@github-project-automation github-project-automation Bot moved this from Ready for PR Review to Done in Component (Source and Action) Backlog Jun 30, 2026