
chore: pin third-party GitHub Actions to SHAs + enable Dependabot #2725

Closed
mahangu wants to merge 1 commit into trunk from chore/pin-and-enable-dependabot


Conversation


@mahangu mahangu commented May 31, 2026

Two-in-one hardening:

  1. Pin third-party GitHub Actions in this repo to commit SHAs (tag preserved as trailing comment).
  2. Add Dependabot github-actions config (weekly, grouped into actions-minor-patch and actions-major, with cooldown).

Tracking: DEVPROD-1072.

Hardens against supply-chain risk on mutable tags. Dependabot keeps
the pinned SHAs fresh weekly, with major bumps held under cooldown.

Tracking: DEVPROD-1072
@mahangu mahangu requested a review from a team as a code owner May 31, 2026 10:24
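Worked example, added here and not code from this PR or from the Newspack project: a small Python script for the mechanical half of item 1. It rewrites `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag`, and doubles as a CI gate that reports steps still on a mutable ref or SHA-pinned steps that lost their tag comment. The workflow snippet, the `example-org/*` actions and every SHA are constructed placeholders; the `skip_prefixes` option is an assumption standing in for the PR's "third-party only" scope (here used to leave `actions/*` alone).

```python
"""Pin GitHub Actions `uses:` references to commit SHAs, keeping the tag as a comment.

Added example, not code from this PR or the Newspack project.  It works on a
constructed workflow snippet and a constructed tag->SHA map; in a real run the
map would be filled from `git ls-remote <repo-url> refs/tags/<tag>`.
"""
import re

# `uses: owner/repo[/path]@ref [# comment]` on one line.  Local actions
# (./path) and Docker images (docker://...) never match because they carry no
# `owner/repo@ref` form; quoted refs ("owner/repo@v4") are not handled.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s#]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<trailer>\s*(?:#.*)?)\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable


def parse_uses(line):
    """Return (prefix, action, ref, comment) for a GitHub-hosted `uses:` line, else None."""
    m = USES_RE.match(line)
    if m is None:
        return None
    return m["prefix"], m["action"], m["ref"], m["trailer"].strip()


def find_unpinned(workflow_text, skip_prefixes=()):
    """List (line_number, action, ref) for remote actions not pinned to a full SHA."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        _, action, ref, _ = parsed
        if action.startswith(skip_prefixes) or SHA_RE.match(ref):
            continue
        found.append((n, action, ref))
    return found


def missing_tag_comment(workflow_text, skip_prefixes=()):
    """List (line_number, action) for SHA-pinned actions with no `# <tag>` comment.

    The comment is what tells a reader (and Dependabot) which release a bare
    SHA corresponds to, so its absence is worth failing CI on.
    """
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        _, action, ref, comment = parsed
        if action.startswith(skip_prefixes) or not SHA_RE.match(ref):
            continue
        if not comment:
            found.append((n, action))
    return found


def pin_workflow(workflow_text, resolved, skip_prefixes=()):
    """Rewrite `uses: action@tag` to `uses: action@<sha> # tag`.

    `resolved` maps (owner/repo, tag) -> 40-hex commit SHA.  Already-pinned
    lines and skipped prefixes pass through; tags missing from the map are left
    unchanged and returned in `unresolved` for a human to resolve.
    """
    out, unresolved = [], []
    for line in workflow_text.splitlines():
        parsed = parse_uses(line)
        if parsed is None:
            out.append(line)
            continue
        prefix, action, ref, comment = parsed
        if action.startswith(skip_prefixes) or SHA_RE.match(ref):
            out.append(line)
            continue
        repo = "/".join(action.split("/")[:2])  # subpath actions live in the same repo
        sha = resolved.get((repo, ref))
        if sha is None or not SHA_RE.match(sha):
            unresolved.append((action, ref))
            out.append(line)
            continue
        pinned = f"{prefix}{action}@{sha} # {ref}"
        out.append(f"{pinned} {comment}" if comment else pinned)
    return "\n".join(out) + "\n", unresolved


# Constructed inputs for the example: the SHAs are placeholders, not real release commits.
SHA_CHECKOUT, SHA_NODE, SHA_RELEASE, SHA_LINT = "1" * 40, "2" * 40, "3" * 40, "4" * 40
WORKFLOW = f"""name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: example-org/release-action@v2.1.0
      - uses: example-org/lint-action/subdir@{SHA_LINT}
"""
RESOLVED = {
    ("actions/checkout", "v4"): SHA_CHECKOUT,
    ("actions/setup-node", "v4"): SHA_NODE,
    ("example-org/release-action", "v2.1.0"): SHA_RELEASE,
}

if __name__ == "__main__":
    print("unpinned:", find_unpinned(WORKFLOW, skip_prefixes=("actions/",)))
    text, unresolved = pin_workflow(WORKFLOW, RESOLVED, skip_prefixes=("actions/",))
    print(text)
    print("unresolved:", unresolved, "missing tag comment:", missing_tag_comment(text))
```

Running it against real workflows means filling `RESOLVED` from `git ls-remote` output and then keeping `find_unpinned` and `missing_tag_comment` in CI so a later PR cannot quietly reintroduce a `@v4` ref. The `# tag` comment is not decoration: it is what Dependabot reads and rewrites when it moves a SHA-pinned action forward, so item 2 of this PR (the `github-actions` Dependabot ecosystem) only keeps these pins fresh if the comment is present.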
@github-actions

👋 Thanks for your interest in contributing to Newspack!

Newspack development has moved to a single monorepo: Automattic/newspack-workspace. This repository is now a read-only mirror, so we're automatically closing new pull requests here.

Please reopen your change against the monorepo – newspack-theme now lives at themes/newspack-theme/ there. Thank you! 💙

@github-actions github-actions Bot closed this May 31, 2026