Skip to content

chore(deps): update kubewarden/github-actions action to v4.6.1#53

Merged
flavio merged 3 commits intomainfrom
renovate/all-minor-patch
Mar 31, 2026
Merged

chore(deps): update kubewarden/github-actions action to v4.6.1#53
flavio merged 3 commits intomainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 23, 2026
edited by Copilot AI
Loading

Updates the kubewarden/github-actions action references from v4.5.16 to v4.6.1, pinned to the full commit SHA a03315e95ccf85c92e5d472824edeab0704f857b.

Changes Made

  • test.yml: Updated reusable workflow reference from v4.5.16 SHA pin to v4.6.1 SHA pin
  • release.yml: Updated both reusable workflow references (reusable-test-policy-rego.yml and reusable-release-policy-rego.yml) from v4.5.16 SHA pin to v4.6.1 SHA pin

All action references use full-length commit SHAs as required by the repository policy.

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

@renovate renovate Bot changed the title chore(deps): update kubewarden/github-actions action to v4.6.0 chore(deps): update kubewarden/github-actions action to v4.6.1 Mar 24, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from eb36d0f to df6f224 Compare March 24, 2026 10:54
@jvanz
Copy link
Copy Markdown
Member

jvanz commented Mar 25, 2026

@copilot can you take a look in the CI errors and fix the github action? You should replace the version by the version sha pin.

jvanz
jvanz requested changes Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jvanz jvanz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just noticed the CI issue. Needs to be fixed.

@jvanz
fix: inline workflow steps with SHA-pinned actions to fix CI
8b6026f 
The reusable workflows in kubewarden/github-actions@v4.6.1 internally
use tag references (e.g. @v4.6.1) for composite actions like
opa-installer, kwctl-installer, etc. This violates opa-policy-template's
requirement that all actions must be pinned to full-length commit SHAs.

Replace reusable workflow calls with inlined steps that use SHA pins:
- test.yml: inline test steps with SHA-pinned checkout and opa-installer
- release.yml: expand policy-gh-action-dependencies into individual
  SHA-pinned steps, use leaf composite actions directly with SHA pin,
  and expand push-artifacthub with SHA-pinned kwctl-installer

Co-authored-by: jvanz <1514798+jvanz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/kubewarden/opa-policy-template/sessions/32d4bf9c-175c-4361-be55-221f661593f5
Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 25, 2026

@copilot can you take a look in the CI errors and fix the github action? You should replace the version by the version sha pin.

The CI failure was caused by the reusable workflows in kubewarden/github-actions@v4.6.1 internally using tag references (e.g., @v4.6.1) for composite actions like opa-installer, kwctl-installer, etc. — which violates this repo's requirement that all actions must be pinned to full commit SHAs.

Fixed in commit 8b6026f by inlining the workflow steps directly with SHA pins (a03315e95ccf85c92e5d472824edeab0704f857b = v4.6.1) instead of using the reusable workflows:

  • test.yml: inline test steps with SHA-pinned actions/checkout and opa-installer
  • release.yml: expand policy-gh-action-dependencies into individual SHA-pinned steps, use safe composite actions (check-policy-version, opa-installer, policy-release) directly with SHA pins, and expand push-artifacthub with a SHA-pinned kwctl-installer

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Mar 25, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Copilot AI requested a review from jvanz March 25, 2026 13:44
@jvanz
Copy link
Copy Markdown
Member

jvanz commented Mar 25, 2026

@copilot please, do not inline the steps. Just replace the version by the version SHA pins

@jvanz
revert: do not inline steps, use SHA-pinned reusable workflows
a16037e 
Revert the step-inlining approach. Keep the reusable workflow calls
with SHA pins as requested.

Co-authored-by: jvanz <1514798+jvanz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/kubewarden/opa-policy-template/sessions/4da5f115-3a83-4ca4-9385-11e8da6bcc83
Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 25, 2026

@copilot please, do not inline the steps. Just replace the version by the version SHA pins

Reverted in commit a16037e. The workflow files now use the SHA-pinned reusable workflow calls without inlining any steps:

  • reusable-test-policy-rego.yml@a03315e95ccf85c92e5d472824edeab0704f857b # v4.6.1
  • reusable-release-policy-rego.yml@a03315e95ccf85c92e5d472824edeab0704f857b # v4.6.1

@flavio flavio merged commit bfbd2cc into main Mar 31, 2026
3 checks passed
@flavio flavio deleted the renovate/all-minor-patch branch March 31, 2026 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flavio flavio flavio approved these changes

@jvanz jvanz Awaiting requested review from jvanz

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jvanz @flavio