From 900524c03546eb8d00e86abede66a617e7f16f55 Mon Sep 17 00:00:00 2001
From: Kevin Murphy
Date: Fri, 18 Jul 2025 08:06:14 -0700
Subject: [PATCH 1/6] renovate: Update GitHub Actions via semver tags *with* SHAs
There are two primary ways to have Renovate keep thirdparty GitHub Actions up-to-date: 1. pin to a semantic version (`uses: foo/bar@v1.2.3`), or 2. pin to a commit hash (`uses: foo/bar@abcdef012345`) Approach (1) is much more understandable at-a-glance and more compatible with Renovate's "show the changelog" feature. Also, it avoids depending directly on the bleeding edge of the `master` branch of these actions. On the other hand, (2) is much better for security and reproducibility, since repo authors are free to overwrite tags whenever they wish. I noticed that https://github.com/astral-sh/uv was using a hybrid approach where they were using a syntax like 3. pin to both (`uses: foo/bar@abcdef012345 # v1.2.3`) which seems to be the best of both worlds. So this patch is just copypasta from https://github.com/astral-sh/uv/blob/574aa1ef110ef08293512eb200bd6881bb738179/.github/renovate.json5#L25-L35
---
.github/renovate.json5 | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 10815770b..f8e999ccd 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -5,5 +5,18 @@
 "schedule:weekly"
 ],
 "timezone": "America/Los_Angeles",
- "includePaths": [".github/**"]
+ "includePaths": [".github/**"],
+ "packageRules": {
+ // Pin GitHub Actions to immutable SHAs.
+ {
+ matchDepTypes: ["action"],
+ pinDigests: true,
+ },
+ // Annotate GitHub Actions SHAs with a SemVer version.
+ {
+ extends: ["helpers:pinGitHubActionDigests"],
+ extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$",
+ versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$",
+ },
+ },
 }
From ef7c767d1eee153a9c571a20acf371fd72b1c6c8 Mon Sep 17 00:00:00 2001
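Review bot: The regexes on the `extractVersion` and `versioning` lines contain `(?` immediately followed by the pattern (`(?v?\\d+…`, `(?\\d+)`), i.e. named groups with no name; Renovate's `extractVersion` expects a `version` group and its `regex:` versioning expects `major`, `minor` and `patch` groups, so unless the `<name>` tokens were merely lost when this patch was rendered, the config fails to parse and no action gets digest-pinned, quietly defeating the purpose of the change — confirm the committed file reads `(?<version>v?\\d+\\.\\d+\\.\\d+)` and `(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?`. The `"packageRules": {` line wraps two bare objects in braces, which is not valid JSON5; PATCH 5/6 in this series changes it to an array, and PATCH 4/6 repeats this hunk verbatim. With a revert (3/6), a reapply (4/6) and a fixup titled `f` (5/6) all correcting this one commit, the series is better squashed into a single commit so the unparseable config never exists in history.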
From: Kevin Murphy
Date: Fri, 18 Jul 2025 08:10:59 -0700
Subject: [PATCH 2/6] wip
---
.github/workflows/build_wheel.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_wheel.yml b/.github/workflows/build_wheel.yml
index 53da9aa13..959457ae3 100644
--- a/.github/workflows/build_wheel.yml
+++ b/.github/workflows/build_wheel.yml
@@ -9,7 +9,7 @@ jobs:
 - 3.12.6
 runs-on: [self-hosted, fasttext]
 steps:
- - uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - name: Install Python
 run: |
 uv python install ${{ matrix.python-version }}
From f800d114e1a26d2d125297e1317838c94ba99aca Mon Sep 17 00:00:00 2001
From: Kevin Murphy
Date: Fri, 18 Jul 2025 08:20:11 -0700
Subject: [PATCH 3/6] Revert "renovate: Update GitHub Actions via semver tags *with* SHAs"
This reverts commit 900524c03546eb8d00e86abede66a617e7f16f55.
---
.github/renovate.json5 | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index f8e999ccd..10815770b 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -5,18 +5,5 @@
 "schedule:weekly"
 ],
 "timezone": "America/Los_Angeles",
- "includePaths": [".github/**"],
- "packageRules": {
- // Pin GitHub Actions to immutable SHAs.
- {
- matchDepTypes: ["action"],
- pinDigests: true,
- },
- // Annotate GitHub Actions SHAs with a SemVer version.
- {
- extends: ["helpers:pinGitHubActionDigests"],
- extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$",
- versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$",
- },
- },
+ "includePaths": [".github/**"]
 }
From 9339debb46fc0ba259b15d2b748f649625ddfced Mon Sep 17 00:00:00 2001
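Review bot: The `uses: actions/checkout@…` line swaps one 40-character SHA for another under a commit titled `wip`, with no statement of where `eef61447…` came from, so a reviewer cannot tell from the hunk whether this is an upgrade, a downgrade or an unrelated commit of the action, and I cannot confirm from here that it is the commit tagged v4.2.1. Renovate's GitHub Actions manager reads the trailing `# v4.2.1` comment as the current version of a digest-pinned action, so a wrong annotation would mislead both the next reviewer and the updater; the SHA should be checked against the release tag before merge rather than the comment being taken on trust. Retitle the commit to say what it does, e.g. `ci: annotate actions/checkout SHA with its release tag (v4.2.1)`, and record the source of the hash in the body. PATCH 6/6 shows the bot later moving the same line to v4.2.2, which at least confirms the annotation is being picked up.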
From: Kevin Murphy
Date: Fri, 18 Jul 2025 08:21:39 -0700
Subject: [PATCH 4/6] Reapply "renovate: Update GitHub Actions via semver tags *with* SHAs"
This reverts commit f800d114e1a26d2d125297e1317838c94ba99aca.
---
.github/renovate.json5 | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 10815770b..f8e999ccd 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -5,5 +5,18 @@
 "schedule:weekly"
 ],
 "timezone": "America/Los_Angeles",
- "includePaths": [".github/**"]
+ "includePaths": [".github/**"],
+ "packageRules": {
+ // Pin GitHub Actions to immutable SHAs.
+ {
+ matchDepTypes: ["action"],
+ pinDigests: true,
+ },
+ // Annotate GitHub Actions SHAs with a SemVer version.
+ {
+ extends: ["helpers:pinGitHubActionDigests"],
+ extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$",
+ versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$",
+ },
+ },
 }
From 127e8ebf2d4d3688f1b92f73ea91612d60d7a811 Mon Sep 17 00:00:00 2001
From: Kevin Murphy
Date: Fri, 18 Jul 2025 08:23:09 -0700
Subject: [PATCH 5/6] f
---
.github/renovate.json5 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index f8e999ccd..ffebcb2b0 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -6,7 +6,7 @@
 ],
 "timezone": "America/Los_Angeles",
 "includePaths": [".github/**"],
- "packageRules": {
+ "packageRules": [
 // Pin GitHub Actions to immutable SHAs.
 {
 matchDepTypes: ["action"],
@@ -18,5 +18,5 @@
 extractVersion: "^(?v?\\d+\\.\\d+\\.\\d+)$",
 versioning: "regex:^v?(?\\d+)(\\.(?\\d+)\\.(?\\d+))?$",
 },
- },
+ ],
 }
From a0d2e713adbdf9c978aa6b666f518e5357499469 Mon Sep 17 00:00:00 2001
From: "self-hosted-renovate-everlaw[bot]" <139815541+self-hosted-renovate-everlaw[bot]@users.noreply.github.com>
Date: Fri, 18 Jul 2025 15:29:16 +0000
Subject: [PATCH 6/6] chore(deps): update actions/checkout action to v4.2.2
---
.github/workflows/build_wheel.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_wheel.yml b/.github/workflows/build_wheel.yml
index 959457ae3..9b5c47c18 100644
--- a/.github/workflows/build_wheel.yml
+++ b/.github/workflows/build_wheel.yml
@@ -9,7 +9,7 @@ jobs:
 - 3.12.6
 runs-on: [self-hosted, fasttext]
 steps:
- - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Python
 run: |
 uv python install ${{ matrix.python-version }}