feat(ci): self-audit with nerdalytics/check-action-versions@v1.0.3 #9
Merged
Adds a scheduled workflow that runs this same action on this repo. From now on, action-version bumps in .github/workflows/ci.yml (and in the new self-audit workflow itself) are opened by the action as auto-update PRs rather than handled by Dependabot.

Deletes .github/dependabot.yml for the same reason: its github-actions ecosystem watcher is now redundant with the self-audit workflow, and running both would produce duplicate PRs on different branches.

Requires the repo to have these secrets configured before the first scheduled run:

- ACTION_UPDATER_PAT: PAT with repo + workflow scope (for checkout with push access, and for gh issue/pr create)
- SSH_SIGNING_KEY: SSH private key for the nerdalytics bot signing identity
- SSH_SIGNING_KEY_PASSPHRASE: passphrase on the signing key
Adds a scheduled workflow that runs this action on this repo. Every Monday 09:00 UTC, the action scans `.github/workflows/*.yml` (including itself), resolves each `uses:` reference against its upstream's latest strict-semver release, and opens an auto-update PR when anything is outdated.

Why

The action's whole purpose is maintaining SHA-pinned action references in other repos. Dogfooding it here closes the loop and lets the action's normal auto-update path keep this repo current.

Change set

- `.github/workflows/check-action-versions.yml` (new), pinning `nerdalytics/check-action-versions@11a5116015b39e4ef354d6eaa5c8757a338100de # v1.0.3` (self-reference).
- `.github/dependabot.yml` (removed) — its `github-actions` ecosystem watcher is now redundant. Running both Dependabot and this action would produce duplicate PRs on different branches for the same updates.
- No changes to `ci.yml`, scripts, or tests.

Requires

Three secrets configured at the repo or organization level before the first scheduled run:

- `ACTION_UPDATER_PAT` — PAT with `repo` and `workflow` scope. Used both to authenticate the initial `actions/checkout` (so the automated PR gets push access) and to open the tracking issue and PR. A PAT is required instead of `GITHUB_TOKEN` because PRs opened by `GITHUB_TOKEN` don't trigger downstream workflows.
- `SSH_SIGNING_KEY` — SSH private key for the nerdalytics bot signing identity. Full content of an ed25519 private key. The public half must be registered on the bot's GitHub account as a Signing Key (not Authentication Key) for GitHub's Verified badge to resolve.
- `SSH_SIGNING_KEY_PASSPHRASE` — passphrase on the signing key, or unset if unencrypted.

If any are missing when the first run fires, the action fails fast with a clear error message pointing at the missing secret.

On merge

No immediate run. The first scheduled firing is Monday 09:00 UTC. For an immediate check, trigger manually via `workflow_dispatch` once the secrets are set.
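The description above explains the two checks the self-audit performs: every `uses:` reference in the workflow files should be SHA-pinned with a `# vX.Y.Z` comment, and that version comment is compared against the upstream's latest strict-semver release. The following is an added illustration of that logic, written for this page; it is not the `nerdalytics/check-action-versions` code and does not call GitHub. It parses `uses:` lines with a regex rather than a YAML parser, classifies how each reference is pinned, and decides staleness from a list of upstream tags. The workflow text is constructed; only the self-reference SHA and `v1.0.3` come from the PR description, the other 40-hex value is a placeholder, and `example-org/setup-tool` and `some-org/some-action` are made-up action names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a `uses:` step line, capturing the action spec and the optional
# trailing `# vX.Y.Z` comment that SHA-pinned references usually carry.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<spec>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STRICT_SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")  # no prerelease/build suffix
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")           # v4 / v4.1: tags that move on each release

# Constructed sample workflow (not from the repo). The nerdalytics line reuses the
# SHA and version from the PR description; the other SHA is a placeholder.
SAMPLE_WORKFLOW = """
name: self-audit
on:
  schedule:
    - cron: '0 9 * * 1'
  workflow_dispatch:
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: nerdalytics/check-action-versions@11a5116015b39e4ef354d6eaa5c8757a338100de # v1.0.3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    version: str | None  # semver taken from the trailing comment, if any
    status: str          # pinned | pinned-unlabelled | semver-tag | floating-tag | branch | skipped


def classify(ref: str, comment: str | None) -> str:
    """Classify how an action reference is pinned."""
    if SHA_RE.match(ref):
        # Immutable, but only auditable for staleness if it carries a version comment.
        return "pinned" if comment and STRICT_SEMVER_RE.match(comment) else "pinned-unlabelled"
    if STRICT_SEMVER_RE.match(ref):
        return "semver-tag"    # precise, but a tag can be moved after the fact
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"  # v4-style, changes content with every release
    return "branch"


def scan(workflow_text: str) -> list[Finding]:
    """Extract every `uses:` reference from workflow YAML text and classify it."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group("spec").strip("'\"")
        # Local composite actions and docker:// images are not GitHub action refs.
        if spec.startswith("./") or spec.startswith("docker://"):
            findings.append(Finding(n, spec, "", None, "skipped"))
            continue
        action, _, ref = spec.partition("@")
        comment = m.group("comment")
        version = comment if comment and STRICT_SEMVER_RE.match(comment) else None
        findings.append(Finding(n, action, ref, version, classify(ref, comment)))
    return findings


def parse_semver(tag: str) -> tuple[int, int, int] | None:
    m = STRICT_SEMVER_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def latest_strict_release(tags: list[str]) -> str | None:
    """Highest strict-semver tag; prereleases and branch names are ignored."""
    strict = [t for t in tags if parse_semver(t)]
    return max(strict, key=parse_semver) if strict else None


def is_outdated(finding: Finding, upstream_tags: list[str]) -> bool:
    """A pinned ref is outdated when its version comment is behind upstream's latest strict release."""
    latest = latest_strict_release(upstream_tags)
    if finding.version is None or latest is None:
        return False
    return parse_semver(finding.version) < parse_semver(latest)


def needs_attention(findings: list[Finding]) -> list[Finding]:
    """References that are mutable or cannot be audited for staleness."""
    return [f for f in findings if f.status not in ("pinned", "skipped")]


if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.status:<17} {f.action}@{f.ref}  {f.version or ''}")
```

Run it on a real workflow by passing the file contents to `scan()`; the `needs_attention()` list is what a self-audit would flag, and `is_outdated()` is the comparison the PR description refers to once the upstream tag list has been fetched.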