chore: pin all workflow actions to full commit SHAs#715

Merged
aaronlippold merged 2 commits into master from feat/split-ci-release-workflows
Apr 8, 2026

Conversation


@wdower wdower commented Apr 8, 2026

The initial CI/release split only pinned actions in ci.yml and release.yml, leaving docs.yml and dependabot.yml still referencing mutable version tags — inconsistent with the supply chain safety goal.

Changes

  • docs.yml — pin actions/checkout, actions/setup-node, actions/configure-pages, actions/upload-pages-artifact, actions/deploy-pages to full commit SHAs
  • dependabot.yml — pin hmarr/auto-approve-action to full commit SHA

All pinned references retain the human-readable version tag as an inline comment (e.g., # v4).

Closes #710

- Move docker-release job to dedicated release.yml, triggered only
  on release published events without re-running the test suite
- Remove release trigger from ci.yml (push/PR only)
- Pin all GitHub Actions to full commit SHAs for supply chain safety
- Fix SBOM tag mismatch (v2.3.4 vs 2.3.4) by using metadata output

Signed-off-by: Will <[email protected]>
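The description above pins every `uses:` reference to a full 40-character commit SHA and keeps the version tag as an inline comment. Below is an added audit script (my own example, not code from this PR or from the repository) that checks a workflow file for exactly those two properties: it flags any action whose ref is a tag, branch or abbreviated SHA, and separately lists full-SHA pins that are missing the `# vN` comment. The sample workflow text and the 40-hex SHAs in it are constructed placeholders, not the commits used in the PR.

```python
import re

# Matches `uses: owner/repo[/subpath]@ref`, with an optional trailing
# "# vN" comment that records the human-readable version next to the SHA.
# Local actions (./path) and docker:// references carry no @ref and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
# Only a full 40-hex-digit commit SHA is immutable; tags and branches can be
# moved, and an abbreviated SHA can be retargeted or become ambiguous.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(line):
    """Classify one line. Returns None if it is not a `uses:` step, else a dict."""
    m = USES_RE.match(line)
    if m is None:
        return None
    ref = m.group("ref")
    return {
        "action": m.group("action"),
        "ref": ref,
        "pinned": bool(FULL_SHA_RE.match(ref)),
        "version_comment": m.group("comment"),
    }


def audit(workflow_text):
    """Return findings for a whole workflow file.

    'unpinned'   : (line_no, action, ref) for refs that are not full SHAs
    'no_comment' : (line_no, action) for SHA pins lacking the "# vN" note
    """
    unpinned, no_comment = [], []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        info = check_uses(line)
        if info is None:
            continue
        if not info["pinned"]:
            unpinned.append((n, info["action"], info["ref"]))
        elif info["version_comment"] is None:
            no_comment.append((n, info["action"]))
    return {"unpinned": unpinned, "no_comment": no_comment}


# Constructed sample: a docs-style workflow before and after pinning.
# The SHAs below are placeholders, not the commits used in the actual PR.
BEFORE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: hmarr/auto-approve-action@0123456
"""

AFTER = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
        with:
          node-version: 20
      - uses: hmarr/auto-approve-action@fedcba9876543210fedcba9876543210fedcba98
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

Run it against `.github/workflows/*.yml` and treat a non-empty `unpinned` list as a CI failure; the `no_comment` list is advisory, since a bare SHA is still immutable but gives reviewers no hint of what version it corresponds to when Dependabot proposes a bump.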

Copilot AI left a comment


Pull request overview

Splits release publishing from the main CI workflow by moving Docker image publishing into a dedicated workflow triggered on GitHub Release publish events.

Changes:

  • Added a new release.yml workflow that builds/pushes the multi-arch Docker image on release: published and submits an SBOM/dependency snapshot.
  • Updated ci.yml to remove the release trigger and delete the in-workflow docker-release job (CI now runs on push/PR only).
  • Pinned the actions used by CI and the new release workflow to full commit SHAs, and updated SBOM tagging to use Docker metadata output.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Files reviewed:

  • .github/workflows/release.yml: New release-only workflow to build/push Docker images and submit SBOM/dependency snapshot.
  • .github/workflows/ci.yml: CI now runs only on push/PR; removes release job/trigger and pins actions to SHAs.


aaronlippold previously approved these changes Apr 8, 2026
@aaronlippold aaronlippold enabled auto-merge (squash) April 8, 2026 15:41
- Pin docs.yml and dependabot.yml actions to full commit SHAs
- Update release_infrastructure_spec to check release.yml instead
  of ci.yml for the docker-release trigger

Signed-off-by: Will <[email protected]>
@wdower wdower temporarily deployed to vulcan-feat-split-ci-re-igmvdv April 8, 2026 17:15 Inactive
sonarqubecloud bot commented Apr 8, 2026

@aaronlippold aaronlippold self-requested a review April 8, 2026 20:48
Copilot AI changed the title from "feat: split CI and release into separate workflows" to "chore: pin all workflow actions to full commit SHAs" Apr 8, 2026
Copilot AI requested a review from aaronlippold April 8, 2026 20:51
@aaronlippold aaronlippold merged commit ef64241 into master Apr 8, 2026
18 checks passed
@aaronlippold aaronlippold deleted the feat/split-ci-release-workflows branch April 8, 2026 20:51
wdower added a commit that referenced this pull request Apr 12, 2026
Release metadata for v2.3.5 covering PRs #715 (CI/release workflow
split) and #716 (server-side user search, information disclosure fix,
editor refresh shape drift fix).

- VERSION: v2.3.4 → v2.3.5
- package.json: 2.3.4 → 2.3.5
- CHANGELOG.md: new v2.3.5 section
- docs/release-notes/index.md: promote v2.3.4, add v2.3.5
- docs/release-notes/v2.3.5.md: new release notes

Signed-off-by: Will Dower <[email protected]>