Apply suggestions from code review

llucax · Copilot · llucax · commit 2f18ecdd98d3 · 2026-05-04T14:45:29.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
Signed-off-by: Leandro Lucarella &lt;luca-frequenz@llucax.com&gt;
diff --git a/cookiecutter/migrate.py b/cookiecutter/migrate.py
@@ -356,7 +356,8 @@ def migrate_gh_actions_hashes() -> None:
 # GITHUB_TOKEN is read-only and secrets are unavailable with a plain
 # pull_request trigger.  The action mitigates the risk by:
 #   - Never executing code from the PR (the migration script is fetched
-#     from the repo-config branch configured below, not taken from the PR).
+#     remotely via script-url-template configured in this workflow on the
+#     base branch, not taken from the PR branch contents).
 #   - Gating migration steps on github.actor == 'dependabot[bot]' AND the
 #     PR title.
 #   - Running checkout with persist-credentials: false and isolating
diff --git a/cookiecutter/{{cookiecutter.github_repo_name}}/.github/dependabot.yml b/cookiecutter/{{cookiecutter.github_repo_name}}/.github/dependabot.yml
@@ -43,7 +43,7 @@ updates:
           - "async-solipsism"
 {%- if cookiecutter.type == "api" %}
           - "frequenz-api-common"
-          # These need a migration script to fix dependabot missing updating
+          # These need a migration script because Dependabot does not update
           # the runtime dependencies
           - "grpcio"
           - "grpcio-tools"
diff --git a/cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/grpc-migration.yaml b/cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/grpc-migration.yaml
@@ -24,8 +24,8 @@
 # This is required because Dependabot PRs are treated as fork PRs: the
 # GITHUB_TOKEN is read-only and secrets are unavailable with a plain
 # pull_request trigger.  The action mitigates the risk by:
-#   - Never executing code from the PR (the migration script is fetched
-#     from the repo-config branch configured below, not taken from the PR).
+#   - Never executing code from the PR. The migration script is fetched
+#     remotely via `script-url-template` from a trusted pinned location.
 #   - Gating migration steps on github.actor == 'dependabot[bot]' AND the
 #     PR title.
 #   - Running checkout with persist-credentials: false and isolating
diff --git a/docs/user-guide/advanced-usage.md b/docs/user-guide/advanced-usage.md
@@ -211,9 +211,8 @@ PR branch.
 The workflow uses the
 [`dependabot-grpc-fixer.py`][dependabot-grpc-fixer] script shipped by
 this repository.  Shipping it as a separate script makes it easy to keep
-all API projects updated to the latest version without regenerating the
-workflow file: [Dependabot] tracks the action and the workflow stays
-short.
+all API projects updated without regenerating the workflow file, and the
+workflow itself stays short.
 
 The companion `auto-dependabot.yaml` workflow skips the
 `grpc-compatible`, `grpcio-major` and `protobuf-major` Dependabot groups
@@ -222,6 +221,8 @@ so those PRs are handled exclusively by this migration workflow.
 The migration script lives at
 `cookiecutter/scripts/dependabot-grpc-fixer.py` in this repository, and
 the workflow fetches it from the URL configured in `script-url-template`.
+The script should be fetched from an immutable release tag or commit
+SHA from a trusted source.
 
 ### Creating the caller workflow
 
