Align dependabot, merge-bot, release flow, and SHA-pin all actions#692
Merged
Conversation
- dependabot.yml: also target develop so both auto-publishing branches stay on the same baseline.
- merge-bot-pull-request.yml: branch-aware merge method (squash for develop, merge for main) and App-token auth so post-merge pushes trigger publish-release and publish-periodic-docker-release on develop instead of being skipped by GitHub's recursion guard.
- build-release-task.yml: set target_commitish=github.sha so release tags land on the triggering commit, not the repo default branch; fail_on_unmatched_files; pin softprops/action-gh-release to v3.0.0.
- AGENTS.md: document the feature->develop->main flow, develop->main promotion via merge commit, dual-publish release flow, dependabot rationale, and merge-bot design.
- copilot-instructions.md: terse summary section pointing at AGENTS.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace floating major-version refs (@v5/@v6/@v7/@v8/@v3/@v4/@v1) and the @master ref on dotnet/nbgv with full commit SHAs plus version comments, matching the pattern already used for create-github-app-token, fetch-metadata, and softprops/action-gh-release. Pins make supply-chain attacks via tag mutation impossible and let dependabot bump them mechanically. Also drops the verbose target_commitish rationale comment from build-release-task.yml; the field is self-explanatory in this repo's context. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous commit pinned every third-party action to a commit SHA but didn't capture the rule itself. Add a "GitHub Actions pinning" section to AGENTS.md explaining what to pin, why floating tags are unsafe, and how to resolve a SHA when adding a new action. Add a one-line summary to copilot-instructions.md so AI agents don't reintroduce floating refs in suggestions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Updates PlexCleaner’s automation to match a dual-branch (develop/main) “pull project” release model, with bot-driven dependency maintenance and hardened GitHub Actions usage (SHA-pinning).
Changes:
- Extend Dependabot to target both `main` and `develop`, and update merge-bot behavior to be branch-aware (squash to develop, merge-commit to main) using an App token.
- Fix release tagging behavior by setting `target_commitish: ${{ github.sha }}` and tighten release asset upload behavior with `fail_on_unmatched_files`.
- Pin third-party GitHub Actions to immutable commit SHAs across workflows and document the branch/release/bot policies.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| AGENTS.md | Documents branch flow, release flow, dependabot rationale, merge-bot design, and SHA-pinning policy. |
| .github/copilot-instructions.md | Adds concise guidance for agents on branching/release strategy and action pinning. |
| .github/dependabot.yml | Adds parallel Dependabot update configs for develop in addition to main. |
| .github/workflows/merge-bot-pull-request.yml | Uses App token and selects merge method based on base branch rules. |
| .github/workflows/build-release-task.yml | Pins actions; ensures release tags target the triggering commit and fails on missing assets. |
| .github/workflows/get-version-task.yml | Pins actions and replaces floating dotnet/nbgv@master with a versioned SHA pin. |
| .github/workflows/build-executable-task.yml | Pins setup-dotnet/checkout/artifact actions. |
| .github/workflows/build-docker-task.yml | Pins docker setup/login/build actions. |
| .github/workflows/publish-periodic-docker-release.yml | Pins actions for docker-run, artifacts, checkout, download-artifact, and dockerhub description. |
| .github/workflows/build-datebadge-task.yml | Pins BYOB action to a commit SHA. |
| .github/workflows/test-release-task.yml | Pins setup-dotnet and checkout actions. |
Every other workflow file in the repo uses the over-indented YAML style where list items under `steps:` are at parent_indent+2 (e.g., `steps:` at column 4, `- name:` at column 6). This file alone used the compact style with both at the same column. Both are valid YAML and GitHub Actions accepts either, but consistency matters more than syntactic flexibility. Bring this file in line with the other six. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two clarifications surfaced by Copilot review on PR #692:

1. The merge-bot uses an App token minted from CODEGEN_APP_* secrets. For Dependabot-authored pull_request events, GitHub only exposes secrets from the Dependabot namespace (Settings → Secrets → Dependabot), not the regular Actions namespace. The secrets must exist in both, or the App-token step gets empty inputs at runtime. This is non-obvious and worth calling out explicitly so future maintainers don't strip the Dependabot duplicate as redundant.
2. The SHA-pinning comment convention is "match the upstream release tag" — usually `# vX.Y.Z`, but `# v3` (or `# master`) when upstream only publishes major-only / branch tags. Don't fabricate a semver suffix; use what `gh api repos/<owner>/<repo>/releases/latest` returns as `tag_name`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
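The pinning rule the commits above describe (full commit SHA plus a comment carrying the upstream tag), as an added example that is not part of PR #692 or the PlexCleaner repository: a small bash script that audits workflow files for `uses:` references not pinned to a 40-hex commit SHA, and builds the pinned line with the tag as the trailing comment. The sample workflow and the SHA fed to `pin_ref` are constructed for the example; the helper names `latest_release_tag` and `resolve_tag_sha` are assumptions of this example and wrap the real `gh api` endpoints `repos/<owner>/<repo>/releases/latest` (the page's source for `tag_name`) and `repos/<owner>/<repo>/commits/<ref>` (which dereferences annotated tags to the commit), so they need network and `gh` auth and are not called by the script itself.

```shell
#!/usr/bin/env bash
# Added example (not part of PR #692 or the PlexCleaner repo): audit GitHub Actions
# workflow files for third-party `uses:` references that are not pinned to a full
# 40-hex commit SHA, and print the pinned form with the upstream tag as a comment.

# Print "line N: owner/repo@ref" for every owner/repo@ref action reference in $1 whose
# ref is not a 40-character lowercase hex commit SHA. Local actions (./path) carry no
# "@" and are skipped; docker:// references are outside this check.
find_unpinned() {
    file="$1"
    grep -nE 'uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[^@[:space:]]+)?@[^[:space:]]+' "$file" \
        | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
        | sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/line \1: /' \
        || true
}

# Number of unpinned references in $1 (prints 0 when the file is fully pinned).
count_unpinned() {
    find_unpinned "$1" | grep -c . || true
}

# Build the pinned `uses:` line for an action currently referenced as owner/repo@tag ($1),
# given the commit SHA that tag resolves to ($2). The comment keeps the upstream tag
# exactly as published ("# v3.0.0", or "# v3" when upstream only tags majors), so a
# reader still sees the version and dependabot can bump the pin mechanically.
pin_ref() {
    ref="$1" sha="$2"
    case "$ref" in
        *@*) ;;
        *) echo "pin_ref: '$ref' has no @ref to pin" >&2; return 1 ;;
    esac
    action="${ref%@*}"
    tag="${ref##*@}"
    case "$sha" in
        *[!0-9a-f]* | "") echo "pin_ref: '$sha' is not a lowercase hex SHA" >&2; return 1 ;;
    esac
    if [ "${#sha}" -ne 40 ]; then
        echo "pin_ref: '$sha' is not a full 40-character commit SHA (abbreviated SHAs are not pins)" >&2
        return 1
    fi
    printf 'uses: %s@%s # %s\n' "$action" "$sha" "$tag"
}

# Tag upstream currently publishes as its latest release (needs gh auth and network).
# Hypothetical helper name; the endpoint is the one the page cites.
latest_release_tag() {
    gh api "repos/$1/releases/latest" --jq '.tag_name'
}

# Resolve a tag (or branch) name in repo $1 to the commit SHA it points at. The
# /commits/{ref} endpoint dereferences annotated tags, so this returns the commit,
# not the tag object. Hypothetical helper name wrapping a real endpoint.
resolve_tag_sha() {
    gh api "repos/$1/commits/$2" --jq '.sha'
}

# Constructed sample workflow (not a file from the repo): a mix of floating refs, a
# local action, and one correctly pinned action.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
      - uses: dotnet/nbgv@master
      - uses: softprops/action-gh-release@0123456789abcdef0123456789abcdef01234567 # v3.0.0
      - name: Build
        run: echo build
EOF
}

# Offline demo: audit the constructed workflow, then show the pinned form using a
# constructed (fake) SHA. A real run would instead pass
# "$(resolve_tag_sha actions/checkout "$(latest_release_tag actions/checkout)")".
sample="$(mktemp)"
write_sample_workflow "$sample"
echo "Unpinned references in sample workflow:"
find_unpinned "$sample"
echo "Count: $(count_unpinned "$sample")"
pin_ref 'actions/checkout@v4' 'abcdef0123456789abcdef0123456789abcdef01'
rm -f "$sample"
```

Running this over `.github/workflows/*.yml` in a PR check turns the policy in AGENTS.md into a gate: any non-zero `count_unpinned` fails the job, and `pin_ref` refuses abbreviated or upper-case SHAs so a pin is always the full immutable commit id.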
Summary
Brings PlexCleaner in line with the dual-publish "pull project" pattern adopted by `ptr727/ProjectTemplate` and `ptr727/homeassistant-purpleair`.

- `develop` so both auto-publishing branches stay in sync.
- `target_commitish=github.sha` so release tags land on the triggering commit (not main's tip when triggered from develop) + `fail_on_unmatched_files`.
- `# vX.Y.Z` comment; `dotnet/nbgv@master` replaced with `@v0.5.1`.

Branch rulesets and repo merge settings have already been updated via `gh api` to match (rebase disabled, auto-merge enabled, develop = squash-only + linear history, main = merge-only, both with `Check pull request workflow status` as the required check).

Test plan

- `publish-release.yml` and produces a develop prerelease
- `target_commitish` fix)

🤖 Generated with Claude Code