|
| 1 | +--- |
| 2 | +name: review-renovate |
| 3 | +description: Review Renovate bot PRs that update GitHub Actions dependencies. Verifies supply chain integrity by checking pinned commit SHAs against upstream tagged releases, reviews changelogs for breaking changes, and confirms compatibility with existing workflow configurations. Use when a Renovate PR updates GitHub Actions in .github/workflows/. |
| 4 | +--- |
| 5 | + |
| 6 | +# Review Renovate GitHub Actions PRs |
| 7 | + |
| 8 | +You are reviewing a Renovate bot PR that updates GitHub Actions dependencies. Your job is to verify supply chain integrity and ensure the upgrades won't break CI/CD workflows. |
| 9 | + |
| 10 | +## Inputs |
| 11 | + |
| 12 | +You will be given a PR number or URL. Use `gh` CLI to fetch PR details and diff. |
| 13 | + |
| 14 | +## Steps |
| 15 | + |
| 16 | +### 1. Fetch PR metadata and diff |
| 17 | + |
| 18 | +``` |
| 19 | +gh pr view <PR> --json title,body,files,commits,author,headRefName |
| 20 | +gh pr diff <PR> |
| 21 | +``` |
| 22 | + |
| 23 | +Confirm the PR author is `app/renovate`. If not, flag this immediately — it may not be an automated dependency update. |
| 24 | + |
| 25 | +### 2. Identify all action version changes |
| 26 | + |
| 27 | +From the diff, extract each changed action: |
| 28 | +- Full action name (e.g., `oven-sh/setup-bun`) |
| 29 | +- Old version tag and pinned SHA |
| 30 | +- New version tag and pinned SHA |
| 31 | +- Update type (patch, minor, major) |
| 32 | + |
| 33 | +### 3. Verify pinned SHAs against upstream tags |
| 34 | + |
| 35 | +For every action being updated, verify **both old and new** SHAs match the claimed version tags: |
| 36 | + |
| 37 | +``` |
| 38 | +gh api repos/{owner}/{repo}/git/ref/tags/{version} --jq '.object.sha' |
| 39 | +``` |
| 40 | + |
| 41 | +Compare each result against the SHA in the workflow file. If any SHA does not match, **stop and report a supply chain integrity failure**. Do not approve the PR. |
| 42 | + |
| 43 | +### 4. Review changelogs for breaking changes |
| 44 | + |
| 45 | +From the PR body (Renovate includes release notes), check each updated action for: |
| 46 | +- Removed inputs or outputs that the workflows currently use |
| 47 | +- Changed default behavior for inputs the workflows rely on |
| 48 | +- New required inputs |
| 49 | +- Major version bumps (these almost always have breaking changes) |
| 50 | + |
| 51 | +### 5. Check workflow compatibility |
| 52 | + |
| 53 | +Read the affected workflow files and verify: |
| 54 | +- No removed or renamed inputs are being used |
| 55 | +- No changed defaults affect current behavior |
| 56 | +- The action's runtime requirements are still met (e.g., Node.js version compatibility) |
| 57 | + |
| 58 | +### 6. Report findings |
| 59 | + |
| 60 | +Present a summary table: |
| 61 | + |
| 62 | +| Action | Old | New | Type | SHA verified | |
| 63 | +|--------|-----|-----|------|-------------| |
| 64 | +| ... | ... | ... | patch/minor/major | yes/NO | |
| 65 | + |
| 66 | +Then state: |
| 67 | +- Whether all SHAs are verified |
| 68 | +- Whether any breaking changes were found |
| 69 | +- Whether the workflows remain compatible |
| 70 | +- A clear **safe to merge** or **do not merge** recommendation |
0 commit comments