File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -301,6 +301,39 @@ jobs:
301301asset (sha256) and fails the install on any mismatch. Set it to `false` only when
302302pinning a release published before checksum assets existed.
303303
304+ # ## Keep the SHA pin fresh automatically
305+
306+ A commit-SHA pin is the most secure, but bumping it by hand is tedious. Let a bot do it
307+ and keep the `# {{ pkg.version }}` comment as the human-readable tracker.
308+
309+ :: : code-group
310+ ` ` ` json [Renovate - renovate.json]
311+ {
312+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
313+ "extends": ["config:recommended"],
314+ "packageRules": [
315+ {
316+ "matchManagers": ["github-actions"],
317+ "matchPackageNames": ["TypedDevs/bashunit"],
318+ "pinDigests": true
319+ }
320+ ]
321+ }
322+ ` ` `
323+
324+ ` ` ` yaml [Dependabot - .github/dependabot.yml]
325+ version: 2
326+ updates:
327+ - package-ecosystem: github-actions
328+ directory: /
329+ schedule:
330+ interval: weekly
331+ ` ` `
332+ :: :
333+
334+ Renovate updates the pinned SHA and refreshes the trailing `# tag` comment in the same PR.
335+ Dependabot bumps `github-actions` pins on the schedule you set.
336+
304337:: : tip
305338See bashunit's own pipeline for a real example : https://github.com/TypedDevs/bashunit/blob/main/.github/workflows/tests.yml
306339:: :
You can’t perform that action at this time.
0 commit comments