ci(deps): route dependabot through the action-pins manifest#403
Merged
Exclude the generated orchestrate.yaml and promote.yaml from the github-actions updater via exclude-paths so a Dependabot bump never lands in a generated workflow and trips the Workflow Drift Check. Hand-written workflows keep being bumped, and the consistency lint forces a coordinated action_pins.yaml update when they diverge. Add .github/workflows/action-pins.yml, a non-executing anchor that references every pinned action so the github-actions updater has one tracked bump entrypoint for each (including actions/create-github-app-token, which appears only in the now-excluded generated workflows). TestActionPinsAnchorCoversManifest keeps the anchor a complete and correct mirror of action_pins.yaml.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
What
Wires dependabot to the action-pins single-source-of-truth so its bumps land in the manifest, not in generated files.
- .github/dependabot.yml: adds exclude-paths to the github-actions ecosystem for the two generated workflows that carry bumpable action refs (orchestrate.yaml, promote.yaml), so dependabot stops opening drift-failing PRs against them (the chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 #272 / chore(deps): bump actions/github-script from 7.1.0 to 9.0.0 #268 pain). Three files carry the AUTO-GENERATED by cascade header; the third (.github/actions/manage-release/action.yaml) has zero uses: refs so dependabot cannot bump it and no drift is possible there. Hand-written workflows keep being bumped (the consistency lint forces a coordinated manifest update if they diverge). exclude-paths verified against the dependabot options reference (glob, per-ecosystem, relative to directory).
- .github/workflows/action-pins.yml: a non-executing anchor (workflow_dispatch-only, default-false gate) listing all 9 governed actions as uses: @sha # version, giving dependabot a parse target to bump the manifest's pins.
- action_pins_anchor_test.go: sync guard asserting the anchor covers every manifest action (completeness); the existing consistency lint enforces correctness.
Verification
go build/test (2022 pass), golangci-lint, actionlint clean. Guardrails clean, GPG-signed + DCO. exclude-paths verified valid against the official docs.
Honest residual
Whether dependabot opens bump PRs against the gated anchor, and whether exclude-paths skips the generated files, are confirmable only on dependabot's next scheduled run. Documented fallback (scheduled manifest refresh, mirroring cli_version_sha) remains. Degrades safely (worst case is the prior noise, which the drift check still catches).
Final step of the action-pins single-source-of-truth goal.
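The completeness check the description assigns to action_pins_anchor_test.go and the correctness check it assigns to the consistency lint, illustrated together in one stand-alone program. This is an added example, not the project's test or lint: it assumes a manifest layout of `owner/repo: <sha> # <version>` under a `pins:` key (the PR does not show action_pins.yaml's real layout), and every SHA and version below is constructed. The anchor sample deliberately contains the two conditions a Dependabot bump or a hand edit can produce: one action whose SHA and version no longer match the manifest, and one manifest action (actions/create-github-app-token) the anchor omits.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed SHAs (not real commits) used by the samples below.
const (
	shaCheckout     = "0123456789abcdef0123456789abcdef01234567"
	shaScript       = "89abcdef0123456789abcdef0123456789abcdef"
	shaScriptBumped = "1111111111111111111111111111111111111111"
	shaToken        = "fedcba9876543210fedcba9876543210fedcba98"
)

// Constructed manifest in the assumed layout: one governed action per line.
const sampleManifest = `pins:
  actions/checkout: ` + shaCheckout + ` # v4.2.2
  actions/github-script: ` + shaScript + ` # v7.0.1
  actions/create-github-app-token: ` + shaToken + ` # v1.11.0
`

// Constructed anchor workflow: workflow_dispatch-only, gated off by default,
// carrying one `uses: owner/repo@sha # version` step per governed action so
// the github-actions updater has a line it can bump. Here github-script has
// been bumped without a manifest update, and create-github-app-token is missing.
const sampleAnchor = `name: action-pins
on:
  workflow_dispatch:
    inputs:
      run:
        description: "Set to true to actually execute (never needed)"
        type: boolean
        default: false
jobs:
  anchor:
    if: ${{ inputs.run }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@` + shaCheckout + ` # v4.2.2
      - uses: actions/github-script@` + shaScriptBumped + ` # v7.1.0
`

// Pin is one governed action: the full commit SHA and the version comment.
type Pin struct {
	SHA     string
	Version string
}

// usesLine matches only full-SHA pins with a version comment; an action
// referenced by tag or branch does not count as pinned and is not collected.
var usesLine = regexp.MustCompile(`(?m)^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([0-9a-f]{40})\s*#\s*(\S+)`)

// manifestLine matches the assumed `  owner/repo: <sha> # <version>` layout.
var manifestLine = regexp.MustCompile(`(?m)^\s+([\w.-]+/[\w./-]+):\s*([0-9a-f]{40})\s*#\s*(\S+)`)

func parsePins(re *regexp.Regexp, text string) map[string]Pin {
	pins := make(map[string]Pin)
	for _, m := range re.FindAllStringSubmatch(text, -1) {
		pins[m[1]] = Pin{SHA: m[2], Version: m[3]}
	}
	return pins
}

// ParseAnchor collects the SHA-pinned actions referenced by the anchor workflow.
func ParseAnchor(workflow string) map[string]Pin { return parsePins(usesLine, workflow) }

// ParseManifest collects the pins recorded in the (assumed-layout) manifest.
func ParseManifest(manifest string) map[string]Pin { return parsePins(manifestLine, manifest) }

// CheckAnchor returns one sorted finding per discrepancy: a manifest action the
// anchor does not reference (completeness), a SHA or version that differs
// (correctness), or an anchor action the manifest does not govern.
func CheckAnchor(manifest, anchor map[string]Pin) []string {
	var findings []string
	for name, want := range manifest {
		got, ok := anchor[name]
		switch {
		case !ok:
			findings = append(findings, fmt.Sprintf("missing from anchor: %s", name))
		case got != want:
			findings = append(findings, fmt.Sprintf("drift for %s: anchor has %s (%s), manifest has %s (%s)",
				name, got.SHA, got.Version, want.SHA, want.Version))
		}
	}
	for name := range anchor {
		if _, ok := manifest[name]; !ok {
			findings = append(findings, fmt.Sprintf("not in manifest: %s", name))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	findings := CheckAnchor(ParseManifest(sampleManifest), ParseAnchor(sampleAnchor))
	if len(findings) == 0 {
		fmt.Println("anchor mirrors the manifest")
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Running it against the constructed samples reports the github-script drift and the missing create-github-app-token entry; once the anchor lists every manifest action at the manifest's SHA and version, it reports nothing. Because only full 40-hex SHAs with a version comment are collected, an action that slips in by mutable tag shows up as missing rather than as silently pinned.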