Skip to content

Commit 7003690

Browse files
authored
docs(installation): Renovate/Dependabot config to auto-bump the Action SHA (#707)
1 parent 7a355e0 commit 7003690

1 file changed

Lines changed: 33 additions & 0 deletions

File tree

docs/installation.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -301,6 +301,39 @@ jobs:
301301
asset (sha256) and fails the install on any mismatch. Set it to `false` only when
302302
pinning a release published before checksum assets existed.
303303

304+
### Keep the SHA pin fresh automatically
305+
306+
A commit-SHA pin is the most secure, but bumping it by hand is tedious. Let a bot do it
307+
and keep the `# {{ pkg.version }}` comment as the human-readable tracker.
308+
309+
::: code-group
310+
```json [Renovate - renovate.json]
311+
{
312+
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
313+
"extends": ["config:recommended"],
314+
"packageRules": [
315+
{
316+
"matchManagers": ["github-actions"],
317+
"matchPackageNames": ["TypedDevs/bashunit"],
318+
"pinDigests": true
319+
}
320+
]
321+
}
322+
```
323+
324+
```yaml [Dependabot - .github/dependabot.yml]
325+
version: 2
326+
updates:
327+
- package-ecosystem: github-actions
328+
directory: /
329+
schedule:
330+
interval: weekly
331+
```
332+
:::
333+
334+
Renovate updates the pinned SHA and refreshes the trailing `# tag` comment in the same PR.
335+
Dependabot bumps `github-actions` pins on the schedule you set.
336+
304337
::: tip
305338
See bashunit's own pipeline for a real example: https://github.com/TypedDevs/bashunit/blob/main/.github/workflows/tests.yml
306339
:::

0 commit comments

Comments
 (0)