feat(ci): Pin action versions to commit SHAs#5876
Merged
awanlin merged 7 commits intoNov 21, 2025
Merged
Conversation
Signed-off-by: Ayush More <ayushmore42595@gmail.com>
Contributor
Author
|
@benjdlambert plz review |
awanlin
requested changes
Oct 24, 2025
Contributor
awanlin
left a comment
awanlin
left a comment
There was a problem hiding this comment.
Thanks for these changes @Ayushmore1214, spotted some typos and a pair of missed items.
I think we also should make changes to this file so that we automatically stay up to date with changes:
community-plugins/.github/renovate.json
Lines 1 to 10 in e6bd3fc
We should be able to just add "helpers:pinGitHubActionDigests" to the extends array to enable that.
Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com>
Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com>
Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com>
Signed-off-by: Ayush More <ayushmore42595@gmail.com>
Contributor
Author
|
@awanlin thank you for your review , I have made the changes respectively |
Contributor
Author
Thank you for this , just wondering do you think this should also be added to the Renovate config in the main backstage/backstage repository for same security benefitts? |
awanlin
requested changes
Oct 29, 2025
Contributor
awanlin
left a comment
awanlin
left a comment
There was a problem hiding this comment.
Thanks for the follow up @Ayushmore1214, left one new comment to address.
Signed-off-by: Ayush More <ayushmore42595@gmail.com>
Contributor
Author
|
Done |
awanlin
requested changes
Nov 7, 2025
Signed-off-by: Ayush More <ayushmore42595@gmail.com>
awanlin
approved these changes
Nov 21, 2025
Contributor
awanlin
left a comment
awanlin
left a comment
There was a problem hiding this comment.
Awesome, let's get this merged @Ayushmore1214 🚀
awanlin
added a commit
that referenced
this pull request
Nov 21, 2025
This reverts commit 0ec0afa. Signed-off-by: Andre Wanlin <awanlin@spotify.com>
awanlin
added a commit
that referenced
this pull request
Nov 21, 2025
Contributor
|
We ended up having to revert this change as the SHA's were not correct: #6117. Given this I'd prefer to let Renovate eventually generate the PR for these changes. |
mjramer
pushed a commit
to mjramer/community-plugins
that referenced
this pull request
Nov 21, 2025
* feat(ci): Pin action versions to commit SHAs Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/deprecate-archived-plugins.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * fixed the typos Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Remove helper for pinning GitHub Action digests Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Fix formatting in renovate.json Signed-off-by: Ayush More <ayushmore42595@gmail.com> --------- Signed-off-by: Ayush More <ayushmore42595@gmail.com> Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Max Ramer <maxjramer@gmail.com>
mjramer
pushed a commit
to mjramer/community-plugins
that referenced
this pull request
Nov 21, 2025
backstage#6117) This reverts commit 0ec0afa. Signed-off-by: Andre Wanlin <awanlin@spotify.com> Signed-off-by: Max Ramer <maxjramer@gmail.com>
mjramer
pushed a commit
to mjramer/community-plugins
that referenced
this pull request
Nov 21, 2025
* feat(ci): Pin action versions to commit SHAs Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/deprecate-archived-plugins.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * fixed the typos Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Remove helper for pinning GitHub Action digests Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Fix formatting in renovate.json Signed-off-by: Ayush More <ayushmore42595@gmail.com> --------- Signed-off-by: Ayush More <ayushmore42595@gmail.com> Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Max Ramer <maxjramer@gmail.com>
mjramer
pushed a commit
to mjramer/community-plugins
that referenced
this pull request
Nov 21, 2025
backstage#6117) This reverts commit 0ec0afa. Signed-off-by: Andre Wanlin <awanlin@spotify.com> Signed-off-by: Max Ramer <maxjramer@gmail.com>
mjramer
pushed a commit
to mjramer/community-plugins
that referenced
this pull request
Nov 21, 2025
* feat(ci): Pin action versions to commit SHAs Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/deprecate-archived-plugins.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * fixed the typos Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Remove helper for pinning GitHub Action digests Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Fix formatting in renovate.json Signed-off-by: Ayush More <ayushmore42595@gmail.com> --------- Signed-off-by: Ayush More <ayushmore42595@gmail.com> Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Max Ramer <maxjramer@gmail.com>
mjramer
pushed a commit
to mjramer/community-plugins
that referenced
this pull request
Nov 21, 2025
backstage#6117) This reverts commit 0ec0afa. Signed-off-by: Andre Wanlin <awanlin@spotify.com> Signed-off-by: Max Ramer <maxjramer@gmail.com>
Contributor
Author
|
Ohhh , Thanks for getting it merged ! |
2 tasks
gavinelder
pushed a commit
to gavinelder/community-plugins
that referenced
this pull request
Jan 31, 2026
* feat(ci): Pin action versions to commit SHAs Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/auto-version-bump-scheduler.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Update .github/workflows/deprecate-archived-plugins.yml Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com> Signed-off-by: Ayush More <ayushmore42595@gmail.com> * fixed the typos Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Remove helper for pinning GitHub Action digests Signed-off-by: Ayush More <ayushmore42595@gmail.com> * Fix formatting in renovate.json Signed-off-by: Ayush More <ayushmore42595@gmail.com> --------- Signed-off-by: Ayush More <ayushmore42595@gmail.com> Co-authored-by: Andre Wanlin <67169551+awanlin@users.noreply.github.com>
gavinelder
pushed a commit
to gavinelder/community-plugins
that referenced
this pull request
Jan 31, 2026
backstage#6117) This reverts commit 0ec0afa. Signed-off-by: Andre Wanlin <awanlin@spotify.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hey, I just made a Pull Request!
Making our CI/CD a little more secure this pins all actions to specific commit sha, preventing unexpected breaks or supply-chain risk
✔️ Checklist
Signed-off-byline in the message. (more info)