🩹 [Patch]: Pin action versions and fix dependabot settings #129
+6
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull request overview
This pull request enhances security by pinning GitHub Actions to specific SHA versions and updates the dependabot configuration to use daily checks. However, there is a critical issue with an invalid configuration field in the dependabot.yml file.
Changes:
- Pinned actions/checkout, PSModule/GitHub-Script, and PSModule/Process-PSModule to SHA versions with version comments
- Changed dependabot schedule from weekly to daily
- Added cooldown configuration (invalid field)
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/Update-FontsData.yml | Pinned actions/checkout to v6.0.1 SHA and PSModule/GitHub-Script to v1.7.8 SHA |
| .github/workflows/Process-PSModule.yml | Pinned PSModule/Process-PSModule workflow reference to v5.4.1 SHA |
| .github/dependabot.yml | Changed schedule to daily and added invalid cooldown configuration |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
MariusStorhaug
deleted the
patch/pin-action-versions-and-fix-dependabot
branch
MariusStorhaug
temporarily deployed
to
github-pages
GitHub Actions
Inactive
Contributor
|
Module GoogleFonts - 1.0.99 published to the PowerShell Gallery. |
Contributor
|
GitHub release for GoogleFonts v1.0.99 has been created. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All GitHub Actions are now pinned to specific SHA versions for improved security and consistency. The dependabot configuration has been updated to use daily checks with a 7-day cooldown period.
Pin action versions to SHA
The following actions have been pinned to specific SHA versions:
actions/checkout→8e8c483db84b4bee98b60c0593521ed34d9990e8(v6.0.1)PSModule/GitHub-Script→2010983167dc7a41bcd84cb88e698ec18eccb7ca(v1.7.8)PSModule/Process-PSModule→be7d5dcbceec14855d325fdd34f2a7c2f05a7f57(v5.4.1)Fix dependabot configuration
The dependabot.yml has been updated to align with the standard configuration:
schedule.intervalfromweeklytodailycooldown.default-days: 7to delay updates for 7 days after releaseThis ensures Dependabot checks for updates daily but waits 7 days before creating PRs, giving time for any issues with new releases to surface.